Back to Basics: When allowing user uploads, don’t allow uploads to execute code

I got an email from a reader who noticed some very odd errors happening in her web site's global error handler. Fortunately she was using ELMAH for error handling, which, as you may know, is a JOY.

She was seeing:

Access to the path 'C:\Windows\security\database\secedit.sdb' is denied

Well, that's enough to make your heart skip a beat.

She looked around and found a file simply named "list.aspx" that she didn't recognize. The weird part was that this file was in the /uploads folder. That's where users can upload files with her particular CMS.

The list.aspx even has authors listed. Perhaps for their LinkedIn page?

Thanks Snailsor,FuYu,BloodSword,Cnqing,

Code by Bin
Make in China

I won't list the full list.aspx here, but rather call out some highlights of this clear malware.

It had a LOT of spaces in the opening of the file.

Meaning, they were assuming you wouldn't scroll down. Seriously. Oddly, though, it was spaces, not carriage returns. Note Line 23 never ends. It's SUPER long.

[Image: screenshot of the opening lines of list.aspx]

It pointed to a lot of (comparatively) unusual domains

It had links inside to things like

  • www.rootkit.net.cn
  • r57c99.com

Note that the second one actually serves malware and bad JavaScript, so avoid it.

It's a whole admin console for a bad guy to attack your computer

This file actually has a dropdown with "Please select a database" with values like (this is just a taste):

  • Use master dbcc addextendedproc('sp_OACreate','odsole70.dll')
  • select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb
  • c:\bin.asp' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];
  • Exec master.dbo.xp_cmdshell 'net user'
  • EXEC sp_configure 'xp_cmdshell'

They're going for complete control of the system, and this file is just the start.

It serves JavaScript from elsewhere

This bad aspx file also tries to bring in some bad JS from the second domain above.

That JavaScript tries to bring in even worse JavaScript from another location via an indirection. I won't even list these bits for fear that I'll get blocked for serving it!

The root of all of this is: Don't let users upload and execute code.

A fix for arbitrary code execution in user upload folders

What was the fix? Well, certainly not allowing anyone to upload a file with a .aspx or .php extension, for one, but also marking the entire uploads folder as not executable! Here is the updated web.config:
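The web.config itself did not survive in this copy of the post. As an added example (not the original post's file), here is one way to express both halves of that fix in an IIS 7+ web.config placed at the site root, assuming the upload directory is named `uploads` as in the post and that the handlers and requestFiltering sections are not locked at the server level (IIS's default).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Everything below applies only to /uploads (assumed folder name); the rest of the site keeps its handlers -->
  <location path="uploads">
    <system.webServer>
      <!-- 1. Not executable: remove every handler mapping and serve the folder as static files only.
              accessPolicy="Read" withholds Script and Execute rights, so even a stray
              .aspx or .php that lands here is sent back as bytes, never run. -->
      <handlers accessPolicy="Read">
        <clear />
        <add name="UploadsStaticOnly" path="*" verb="GET,HEAD"
             modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
      </handlers>
      <!-- 2. Request filtering: refuse requests for script extensions in this path outright (404) -->
      <security>
        <requestFiltering>
          <fileExtensions allowUnlisted="true">
            <add fileExtension=".aspx"   allowed="false" />
            <add fileExtension=".ashx"   allowed="false" />
            <add fileExtension=".asmx"   allowed="false" />
            <add fileExtension=".asp"    allowed="false" />
            <add fileExtension=".php"    allowed="false" />
            <add fileExtension=".cshtml" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
    <!-- Classic (non-integrated) pipeline equivalent: any request ASP.NET would process in
         this folder is refused, while IIS still serves plain static files itself. -->
    <system.web>
      <httpHandlers>
        <clear />
        <add path="*" verb="*" type="System.Web.HttpForbiddenHandler" />
      </httpHandlers>
    </system.web>
  </location>
</configuration>
```

The upload code should still reject script extensions at upload time; this configuration only guarantees that anything which slips through is served as data rather than executed.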






I'm not a security expert, but I'd love to hear from YOU, Dear Reader, and some of the crazy stuff you've discovered on systems you manage.



© 2014 Scott Hanselman. All rights reserved.