Unrestricted File Download} V1. – Windows Server

Downlaod the PDF file: http://soroush.secproject.com/downloadable/Unrestricted_File_Get}_V1..pdf

Unrestricted File Download} V1. – Windows Server

I do not want to talk about Insecure Direct Object References with no any safety as they are certainly exploitable As an alternative, I want to speak about bypassing the safeguarded kinds! The problem that I want to clarify here is how difficult it is to guard a technique that makes use of Insecure Direct Item References by employing black-checklist method.

Every time penetration testers see a site which accepts a path as an input, they consider about these queries:

one- Can I have accessibility to the top secret files?

two- Can I do directory traversal?

3- Can I modify an additional file?

4- Can I do race problem?

And so on.

The answer from programming position of look at is: “it is dependent!”:

one- If they have no safety in-location: “Yes. Yay!”

two- If they are utilizing black-listing technique: “Think about a bypass now! There should be a way and I just need to have to find it! Consider about encodings, decoding, effective characters, conduct of the technique against particular characters, and so on.”

three- If they are employing white-record strategy: “Is there something on the checklist that can be misused? Can I adhere some of them together to make yet another character or adjust the conduct of the technique?”

My stage is that there is frequently a way to bypass a black-list. Nevertheless, it is not the exact same for white-listing if you do it appropriately.

Let us Bypass a Blacklist Technique

Now, I want to use a scenario to demonstrate an case in point of employing black-record, and strategies of bypass.

Believe we have “www.vulnerable.com/download}.aspx” which accepts a file route as an input and reads it and loads it into the output. (To make it less complicated, “/upload” folder is on the root of the internet site)

For case in point: “/download}.aspx?file=/upload/document.doc”

Now, if you try the following inputs, you will obtain an “access denied” error from the webpage:

“/download}.aspx?file=web.config”

“/down load}.aspx?file=download}.aspx”

“/download}.aspx?file=/down load}.aspx”

But, if you attempt the adhering to inputs, you will get a “file not found” error or a blank-web page from the web page:

“/down load}.aspx?file=exam.doc”

“/down load}.aspx?file=/upload/../test.txt”

“/download}.aspx?file=/exam.f0ob4r”

In accordance to the response of the webpage, naturally, it is using a black-listing method.

These are the very first issues that I can think about (my pre-exam-circumstances):

- Use uppercase, lowercase, and Unicode in the extension. For ex: “/get}.aspx?file=/Web.CoNfiG” and so on.

1- As you may possibly know, there are some characters right after the filename that will be overlooked by Windows. So, I must consider something like “/download}.aspx?file=/net.config.” or “/get}.aspx?file=/net.config… ..”

2- Using brief filename format of the file: “/down load}.aspx?file=/net~1.con”

3- Using null character: “/get}.aspx?file=/web.config%00.txt”

four- Using another extension in the route: “/get}.aspx?file=/test.txt/../internet.config”

5- Employing diverse room characters in the route: “/down load}.aspx?file=/website.config%09”, “/down load}.aspx?file=/website.config%0a”, “/get}.aspx?file=/web.config%0b”, “/down load}.aspx?file=/web.config%0c”, “/download}.aspx?file=/web.config%0d”, “/get}.aspx?file=/web.config%20”, and so on (related to one).

six- Finding a character that is removed by the net software immediately before loading a file to put it in the extension and bypass the black-list protection.

seven- Attempt alternate data stream to study the files: “/get}.aspx?file=/web.config::$ Data”

8- Consider to use direct path and reveal route. Ex: “/get}.aspx?file=do:windowswin.ini”, “/down load}.aspx?file=?c:windowswin.ini”, or “/download}.aspx?file=127...1c$ WINDOWSwin.ini”

9- Try to do directory traversal. Ex: “/get}.aspx?file=../../../../../../../../../../../boot.ini”

10- Consider other file-method understandable vectors. Ex: “/down load}.aspx?file=web.config/.”, “/download}.aspx?file=web.config.”, and so on (related to one).

And blend of the over options to produce far more challenging exam cases!

What do you feel? Remember to allow me know if you know any other exciting exam scenario. This is the result:

Every of the earlier mentioned vectors could lead to bypassing the protection. Now, I can notify you that the genuine vulnerable supply code of the page was:

And, we can get the confidential files with distinct vectors (see amount , 5, and 10 on the table earlier mentioned). Now, an attacker can download the entire website and look for the credentials, hidden files and folders, and find any other vulnerability these as SQL Injection by obtaining the resource code.

Protected and Efficient Resolution

Now, what can we do to cease this strike? These are the common answers:

one- Do not use immediate object references when it is feasible:

For indirect references, use a thing random, difficult to guess, and meaningless this sort of as GUIDs. You need to have to apply far more capabilities and invest a lot more time on programming and debugging. However, your achievements are:

one.one- Increasing the Security by employing robust random tips this sort of as GUIDs

one.two- Simpler asset managing and have different entry controls

2- Power oneself to usually use white-lists:

It is very unusual that you have to only use a black-listing for an input! If an input is random and unpredictable, you may need to redesign that input. Publish down the input function(s) and do whatever you can to restrict it to a array of characters. Now, believe about this range and review the characters 1 by a single. Is there everything in the checklist which can lead to an issue? Do you want to enable any other characters apart from [a-zA-Z0-nine]? Why? Believe about it and comply with the best security procedures.

At times you require to use blacklist after passing the input from a white-list to have a lot more security. For illustration: an input can include a file route. Therefore, we must allow dot “.” character. Even so, we really should not permit any ambigu dot “..” as it can cause directory traversal.

If you are developing a system, look for the vulnerabilities which have been documented on the comparable methods in Web. You may find one thing that you had not had any knowledge about it ahead of! Do not feel that you know almost everything! Even a semi-colon or colon can compromise your method occasionally.

Speak about your program with the security people with authorities (not script kiddies). You can inquire your concerns in distinct security message boards to find a clue. Inquire them to break your defense to boost the security.

Notice one: a undesirable implementation is worse than not having any implementation! When you do not have any safety, at the very least you know you do not have something to safeguard oneself and the system is unsafe!!! Nonetheless, when you have an insecure/poor implementation, you feel the method is safe sufficient but it is not, and attackers will find this out – trust me!

Note 2: If you are putting various inputs next to each other, it is greater to pass them at minimum through a black-list defense following concatenation.

Now, without employing an indirect reference, two remedies for our susceptible case in point (“www.susceptible.com/down load}.aspx”) can be:

Answer 1 (Much more White-list – far more limited):

one- Substitute all the “/” with “” character in purchase to make the validation less complicated (for Windows OS). (Black-Checklist)

2- Exchange all the dot characters prior to the backslash character (“.”) with a solitary “” character in get to make the validation less complicated. (Black-Record)

three- Only acknowledge minimal characters as an input: RegEx: (([a-zA-Z0-nine][.]1)|[a-zA-Z0-9])*

four- File identify ought to start with: RegEx: ^[a-zA-Z0-9] (White-checklist)

5- File title ought to conclude with: RegEx: [a-zA-Z0-nine]$ (White-record)

Then a common ReGex will be (contain 3, 4, and five): ^([a-zA-Z0-9]one)(([a-zA-Z0-nine][.]1)|[a-zA-Z0-9])*([a-zA-Z0-9])$ (White-listing)

6- Uncover the file extension by making use of the very last dot “.” character of the file. This extension must be in the record of permitted extensions this sort of as “gif”, “jpg”, “doc”, “docx”, “pdf”, “rtf”, and so on. (White-Listing)

Limitation: It is not achievable to use Unicode or particular characters in the file or the directory name.

Answer 2 (Much more Black-Record – a lot less limited):

1- Trim the input to remove needless spaces (Black-Checklist)

two- Exchange all the “/” with “” character in get to make the validation less difficult (for Windows OS). (Black-Listing)

three- Replace all the “..” with “.” character in a loop until you can not uncover any “..” anymore. (Black-List)

four- Replace all the room and dot characters ahead of and following the “” character with a solitary “” character in purchase to make the validation simpler. (Black-Checklist)

5- Substitute all the “” with “” character in order to make the validation simpler. (Black-Listing)

6- Path really should not contain these characters: RegEx: [^:*?"&lt&gt|~] – (for Windows OS)

7- Locate the file extension by employing the final dot “.” character of the file. This extension must be in the checklist of authorized extensions this sort of as “gif”, “jpg”, “doc”, “docx”, “pdf”, “rtf”, and so on. (White-Record)

Speedy Conclusion:

Halt employing blacklist protections for direct item references if you cannot use indirect kinds. In addition, do not forget to discuss to the experts to apply it correctly.

Last Phrases

Make sure you deliver me your feedbacks by way of my email handle (irsdl at yahoo dot com) to enhance this white-paper. You can use whole or part of this document by placing a reference to the writer (Soroush Dalili) and website link of the primary document.

At present just by utilizing Google, a lot of vulnerable internet sites and Content material Management Methods (CMS) can be found. If you find an issue based on the content material/thought of this paper in a permitted program (these as your site CMS), please report it to its legal authority to patch the method as soon as feasible and I would be thankful if you set a hyperlink to this document as a reference in your advisory.

However, be sure to do not use this expertise in opposition to any site or system with out getting a lawful permission. And, I do not take any duty for any use from this white-paper and its subject material/concept.

Reference(s):

- OWASP, Unrestricted File Upload: http://www.owasp.org/index.php/Unrestricted_File_Upload

—
Downlaod the PDF file: http://soroush.secproject.com/downloadable/Unrestricted_File_Down load}_V1..pdf
—
Backup hyperlink is also available: http://0me.me/files/soroush.secproject.com/Unrestricted_File_Down load}_V1..pdf

Soroush Dalili - Laptop or computer Security Is My Curiosity!