0

I just got a message from a security guy that my application is executing remote code if they pass a Content-Type: image/asp. For now he does not disclose anything. Now my question is: if I am using an ASP.NET 5 MVC application on an IIS web server on Windows Server 2012 R2, can you send a specific content-type to the web server in order to do remote code execution?

Kineye
user960567
  • 1
    That depends on your application. In general, **`Content-Type` must never be trusted!** Don't let people upload arbitrary stuff –  Nov 16 '20 at 14:23
  • Is there any general vulnerability that can use Content-Type to make RCE? – user960567 Nov 16 '20 at 15:54
  • 2
    "if they pass a ..." is really unspecific. Are they able to upload a file? It's definitely a plausible scenario that a web app allows uploads with a particular content type, and that this causes the server to execute code contained in the upload if the file is requested directly. "For now he does not disclose anything." How come? If they are asking for money to disclose a vulnerability it's possibly a scam. – Arminius Nov 16 '20 at 19:19
  • @Arminius, thanks for your comment. Yes, I am aware of uploading arbitrary files – user960567 Nov 17 '20 at 06:04

2 Answers

1

IIS, like most web application servers, automatically recognizes requests for URLs that contain server-side code and executes that code on the server. This means that, if I can upload a .ASP or .ASPX or similar file to your server, and then send a request to a URL that maps to the uploaded file, IIS will load the file and execute the code it contains. This code will execute in the user context of the IIS service, which generally has restricted privileges but nonetheless has access to lots of sensitive data (at minimum, all of the data that your webapp has any legitimate need for, TLS private keys, system-wide environment variables, and so on) plus of course it can be used to attempt internal network pivots or local EoP attacks.

There are a few ways to prevent this code execution risk. This is not a comprehensive list - I haven't done any IIS sysadmin work in over a decade, and am not fully familiar with its behavior these days - but it should get you started.

  • Don't upload user content to anywhere within the webroot. If the user can't provide a URL that maps to the uploaded file, the server won't try to execute it. (This does usually require providing a way for users to refer to the file in some other way, which opens the risk of arbitrary file reads from outside the webroot, though; that's also very bad.)
  • Disable execution of files from the location where the user content is uploaded to.
  • Don't allow file extensions that the server will recognize as server-side code. You can find a list of these in IIS's list of known file types. Ideally, you should disallow all extensions except for the specific ones you want to allow (use an allow-list, rather than a block-list). If you add (or modify) the extension to uploaded files yourself based on the client-supplied content-type value, be sure to disallow all content-types that would lead to dangerous extensions.
  • Disable execution of file types you don't need. This isn't a perfect solution - you probably still need to have at least one type of server-executable file - but you can reduce the attack surface somewhat.
  • Disable execution of the uploaded files by removing the "Execute" bit from the file ACL. This may or may not be effective for different file types - it depends how they are executed, as an interpreter might not check that access control flag - but it probably won't hurt, anyhow.
CBHacking
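The extension allow-list advice in the answer above, as an added example that is not part of the original answer or of any project's code: a framework-neutral C# helper that shows how building the extension from the client's Content-Type turns `image/asp` into `.asp`, next to a version that never consults the header. The class name, the allow-list contents and the storage location are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

public static class UploadStore
{
    // Constructed allow-list: extensions this hypothetical app accepts.
    // Keys are compared case-insensitively, so ".JPG" matches ".jpg".
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".png", ".jpg", ".gif" };

    // Risky pattern: the extension is built from the client-supplied header,
    // so "Content-Type: image/asp" produces a ".asp" file name.
    public static string ExtensionFromContentType(string contentType)
    {
        return "." + contentType.Substring(contentType.IndexOf('/') + 1);
    }

    // Hardened pattern: Content-Type is not consulted at all. The extension comes
    // from the client file name only if it is on the allow-list, the stored name
    // is server-generated, and storageRoot is assumed to lie outside the webroot.
    public static string Save(string storageRoot, string clientFileName, Stream body)
    {
        // GetFileName drops any directory part such as "..\..\wwwroot\".
        string extension = Path.GetExtension(Path.GetFileName(clientFileName ?? ""));
        if (!AllowedExtensions.Contains(extension))
            throw new InvalidOperationException("File type not allowed.");

        string storedName = Guid.NewGuid().ToString("N") + extension.ToLowerInvariant();
        string fullPath = Path.Combine(storageRoot, storedName);

        // CreateNew refuses to overwrite an existing file.
        using (var target = new FileStream(fullPath, FileMode.CreateNew, FileAccess.Write))
        {
            body.CopyTo(target);
        }
        return storedName; // keep this id in the database; serve the file via a controller
    }

    public static void Main()
    {
        Console.WriteLine(ExtensionFromContentType("image/asp")); // risky helper in action
        string root = Path.Combine(Path.GetTempPath(), "upload-demo"); // constructed location
        Directory.CreateDirectory(root);
        Console.WriteLine(Save(root, "photo.PNG", new MemoryStream(new byte[] { 1, 2, 3 })));
        try { Save(root, "shell.asp", new MemoryStream()); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

An allowed extension says nothing about the file's contents, so the other items in the list (storage outside the webroot, no execution rights on the upload location) still apply.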
0

Yes, anyone can upload a file with malicious code to achieve remote code execution, stored XSS or OS injection.

Read this answer: MIME Type vs. Magic Numbers