Penetration Testing mailing list archives
RE: Malicious file upload in .JPG or GIF format
From: "Brett Moore" <brett.moore () insomniasec com>
Date: Thu, 21 Feb 2008 11:39:20 +1300
The null byte trick is the most commonly used. Complement that with some ../ or ..\ (or whichever encoding you wish) to get the file placed into a folder with execute script permissions.

* Black listed file types
  An example would be a .NET site that checks that a file does not end with .aspx, .asp, .htr, .idc etc. But they forget extensions like .asa and .cer, which are both mapped to asp.dll.

* Filename must include .jpg
  Some checks are so bad that as long as the string includes .jpg then it passes: filename.jpg.aspx or folder\.jpg\realname

* Filename must end with .jpg
  Null bytes already discussed; what about a very long filename that is extended with spaces, and then gets truncated in code?

* Alternate data streams
  Read this post about abusing alternate data streams: http://ha.ckers.org/blog/20070606/additional-image-bypass-on-windows/

* Content upload to database
  SQL injection through the filename or other parameters passed.

* Usual encoding problems
  Supplied filename is checked, then decoded. Secure coding doesn't rely on the supplied filename, and should have at least some sort of file validation.

* Header checking
  Graphic header checking is common, but can be circumvented in most script files as the header can be treated as plain text.

* Format checking
  Third party utils to check file formats, or scan for viruses, or decrypt archives, can all be vulnerable to exploitation.

And best practice says not to upload content into the webroot or other accessible areas. Again that's where traversal comes into play.

Something I haven't seen, and which would be very poor programming, would be a race condition: if the file is saved, then checked, then deleted. By sending enough file upload posts it may be possible to swamp the app/server and get in a request to the uploaded file.

Brett

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Erin Carroll
Sent: Thursday, 21 February 2008 10:39 a.m.
To: 'H D Moore'; pen-test () securityfocus com
Subject: RE: Malicious file upload in .JPG or GIF format

I used this exact method (NULL byte) just last night actually when testing some servers. However, I did run into permissions issues with the uploaded malicious .asp. While the ASP upload script was vulnerable to NULL byte name truncation, the server treated the submitted file with different permissions which didn't allow for http://foo.com/malicious.asp to be invoked.

OffTopic: Btw HD, I like the new mfsWeb console. Been a while since I used anything other than the CLI and I see the GUI has come a long way since I last played with it. Any hints on what's in your roadmap or when the next release is coming?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of H D Moore
Sent: Wednesday, February 20, 2008 1:17 PM
To: pen-test () securityfocus com
Subject: Re: Malicious file upload in .JPG or GIF format

The usual trick is to upload an ASP, ASPX, PHP, JSP, or other dynamic web page to the server. If the application allows you to set the extension and the upload directory supports that scripting language, your job is done. If the server changes the extension to .JPG/.GIF (or only allows those extensions), then you need to be more creative. On Apache, you can name a file something.php.jpg, and Apache will still treat it as PHP.

Another option you can try is sending an upload request (with a tool or an HTTP request editor) that embeds a NULL byte before the .JPG extension. ASP scripts tend to be vulnerable to this -- the script will see the entire file name, but the underlying file operation will truncate the name of the file after the NULL byte. So something.asp%00.jpg would become something.asp.

Finally, one trick that might help is to upload an HTML document with a JPG extension, and see whether the browser treats it as HTML or an image when you browse to it. Some browsers handle this differently, sometimes ignoring the mime type in favor of the file magic (not sure if this works with images in IE 7). What this allows you to do is upload arbitrary HTML content to the server, which can contain javascript, which in turn can read the domain-specific credentials of users visiting that page. This still requires the ability to send users to your not-really-a-jpeg HTML page (for example, by emailing them a link).

Good luck,

-HD

On Wednesday 20 February 2008, whitehat wrote:
> I'm doing Web Application Pen-Testing. In one of the pages there is an option to upload an image (.JPG or .GIF). How can a hacker exploit it, and what are the chances of uploading a malicious .exe file (virus kind of stuff) in .JPG or .GIF format by changing its extension?
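Added here as a defender-side illustration, not code from anyone in the thread: a small Python upload validator that applies the checks the replies above call for (raw and URL-encoded null bytes, traversal, alternate data stream syntax, trailing-space truncation, double extensions, blacklist gaps, and a header check that matches the whitelisted extension) and never lets the client-supplied name reach the filesystem. The sample filenames and byte strings are constructed for the demonstration.

```python
from __future__ import annotations

import re
import uuid

# Whitelisted extensions and the magic bytes each file body must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Strict shape: plain base name, exactly one extension, and it must be whitelisted.
# This rejects filename.jpg.aspx, .asa/.cer, and folder\.jpg\realname outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|gif)$", re.IGNORECASE)

# Constructed sample bodies: a JPEG-looking file and an HTML page with a .jpg name.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
HTML_SAMPLE = b"<html><script>/* constructed, not an image */</script></html>"


def check_upload(supplied_name: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Control bytes are checked first and on the raw
    string, so the null-byte-then-decode ordering problem cannot occur."""
    if any(ord(c) < 0x20 for c in supplied_name) or "%00" in supplied_name.lower():
        return False, "null or control byte in filename"
    if "/" in supplied_name or "\\" in supplied_name or ".." in supplied_name:
        return False, "path separator or traversal in filename"
    if ":" in supplied_name:
        return False, "alternate data stream syntax in filename"
    if supplied_name != supplied_name.rstrip(" ."):
        return False, "trailing space or dot would be truncated on disk"
    match = SAFE_NAME.fullmatch(supplied_name)
    if match is None:
        return False, "name must be <base>.jpg or <base>.gif with a single extension"
    ext = match.group(1).lower()
    # Header check only; a script with a pasted JPEG header still passes it, which
    # is why the file is stored under a server-chosen name outside the webroot
    # and served with a fixed image Content-Type rather than executed.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not start with a {ext} header"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen filename: nothing from the client influences the path."""
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    for name in ["photo.jpg", "shell.asp\x00.jpg", "shell.asp%00.jpg",
                 "../wwwroot/x.jpg", "x.jpg.aspx", "x.asa", "x.jpg:evil.asp", "x.jpg  "]:
        print(repr(name), check_upload(name, JPEG_SAMPLE))
    print("page.jpg", check_upload("page.jpg", HTML_SAMPLE))
```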