Package Name Directory Traversals

Last year I discovered two very similar directory traversal vulnerabilities in Octopus Deploy and Inedo ProGet. Octopus Deploy’s built in NuGet feed and several feed types in ProGet were vulnerable to directory traversal attacks on the package name fields inside packages uploaded to the respective system. While the same type of vulnerability was found for several feed types in ProGet (including npm, Maven, VSIX, Ruby Gems…), this post will focus on NuGet as it is representative of the other issues.

These vulnerabilities enabled an attacker to both overwrite arbitrary packages within the respective system and to write packages to arbitrary locations on the server’s file system. After a package was overwritten by one of these vulnerabilities, the attacker’s package would be returned instead of the original package. This could be used by an attacker spread a backdoor to several systems within a network.