Monday, January 22, 2007

File Upload Dangers

Recently I wrote a little bit of software to allow our customers to upload files. I set the program to email me a copy of everything to ensure that things are working properly and to track it's usage. Over the weekend someone uploaded a file called "titshell.aspx".

I opened the file in Microsoft Visual Web Developer 2005 Express to see if I could understand what it was trying to do. Only to see what I tought was Russian text (now I think it might be Turkish but to be honest I am not sure). I read trough the code some more and saw a link for I went to the web site but was unable to read any of the forums, except for links to screen shots, the file, and a video on how to use it.

Apparenlty (though I haven't been able to make it work) it can create a user, add a user to the Local Administrators Group, Create/Edit/Delete Files & Folders, Delete IIS Log files, Run SQL commands, Disable the Windows Firewall, Enable Remote Desktop, Get System Information (this one works), and upload more files to what ever folder they desire (allowing permissions of course) which is all scary stuff for someone to be able to do remotly.

To test the program out (how could I not?) I tested the file on a Virtual Machine so IF it did work I would have been able to revert back to a working server quickly.

So how do you guard aginst this type of attack?


Thankfully Microsoft has taken most of these actions and broken them becuase they rely on admin privleges on the server (Deleting the IIS logs for example). But when I wrote the upload program I told it to store the files in a non-IIS shared folder (some where else on the network). The person that uploaded the file was hoping it would be accessable from the web, which would have allowed them to do anything the program was set to do.

No comments: