
Say there's an upload function where users are supposed to upload images only. However, it's possible to upload arbitrary files, bypassing the restriction.

Say I uploaded a shell (aspx) and requested the corresponding resource. As I've read, it's possible to execute such shell code in some scenarios. The server, however, sets the Content-Type response header to image/png.

I also Googled, and found that it's possible to execute PHP code by embedding PHP code directly into a JPEG image. So, my questions here are:
- Does the server execute server-side code despite the Content-Type header?
- If not, in what cases is it possible to execute code directly instead of by embedding it inside the image?
- Is there any similar way for aspx code?

Regarding the first question: as it appears to me, isn't it the server that sets the Content-Type header? So I believed the code should have been executed before the page is rendered.

Please help me clear things up.

1lastBr3ath
  • In the simplest case, a static URL that matches a file path, the server will set the Content-type according to the filename extension; and will not run it through php unless the extension is .php – Hagen von Eitzen Aug 05 '15 at 11:15
  • You are correct. The server will execute the script if it has the permission to do so. The Content-Type header only affects the rendering of whatever the script outputs in the browser. – Question Overflow Aug 05 '15 at 11:51
  • possible duplicate of [Malicious code in image. Harmful?](http://security.stackexchange.com/questions/53958/malicious-code-in-image-harmful) – WhiteWinterWolf Aug 05 '15 at 16:04
  • So, does that mean "If the server is vulnerable, I can execute Server Side Code directly by requesting the file I uploaded"? – 1lastBr3ath Aug 06 '15 at 07:00
  • Yes, that's the idea. It's one of the possible ways to execute custom code on a remote server. This will not work on a correctly configured server though, since the weakness comes from a wrong configuration. But mistakes happen, and mistakes may cause security vulnerabilities... – WhiteWinterWolf Aug 06 '15 at 08:05

1 Answer


In a perfect (and bugless!) world, it would not be possible. An image file should always be recognized as an image file by the web server and handled as such. This means:

  • Setting the MIME type accordingly for a proper display in the user's browser,
  • Sending the raw file data to the user's browser: no script executed.

However, things go wrong when there are possibilities to trick the web server into thinking that this .jpg file is actually an ASP (or whatever) script to be executed. The web server will then open this file as a script, execute its content, and be screwed...

WhiteWinterWolf
  • Thanks, but the problem here is; the server is using REST URL. So, even though I request files with respective extensions, it doesn't find the file that way :( – 1lastBr3ath Aug 06 '15 at 06:58
  • @1lastBr3ath: It heavily depends on the environment configuration and implementation. It may still work when REST is involved; however, the more abstraction layers there are, the fewer chances there are that such an issue would be exploitable. If the server is configured in a way that the URL is never served directly by the server, but instead systematically processed by some scripts generating the output dynamically (one can even imagine that uploaded files may be located outside the web root directory), then there is very little chance that the scripts could be tricked into executing image files. – WhiteWinterWolf Aug 06 '15 at 08:13
  • Can you please give me an example or a link where I can find this issue being explained in REST scenarios, a practical example of how it can be exploited? – 1lastBr3ath Aug 06 '15 at 10:16
  • An attacker would most probably just not care about the REST part (he doesn't care about rules, he just wants to get in). He will upload the malicious image to your server, and if you have a filter (like a [WAF](https://www.owasp.org/index.php/Web_Application_Firewall)) or anything else allowing only REST requests to go through, he will send some dummy (but allowed by your policy) REST request against his malicious image file URL so the request will not trigger your legitimate ASP application code, but the attacker's own code in its place. – WhiteWinterWolf Aug 06 '15 at 12:06
  • OK! It's just that I'm not able to exploit the application because the server responds with no message at all (**Content-Length: 0**). And can you please also answer my other question, i.e. whether there's a way similar to embedding PHP code inside a JPEG image for ASP? And how do I exploit it? – 1lastBr3ath Aug 07 '15 at 14:54
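The answer and comments above make one point: it is the stored file's extension and the server's handler mapping, not the Content-Type header, that decide whether a file is executed. The following is an added example (not code from this thread) of an upload handler built around that point: the stored name is derived from the file's content, the client-supplied filename is ignored, and the file is meant to live outside the web root. `IMAGE_SIGNATURES`, `upload_dir` and the function names are assumptions of this example.

```python
import os
import secrets
from typing import Optional

# Constructed allow-list: magic bytes of the image types this endpoint accepts.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MIME_BY_EXT = {".png": "image/png", ".jpg": "image/jpeg", ".gif": "image/gif"}

def detect_image_type(data: bytes) -> Optional[str]:
    """Canonical extension for an accepted image type, judged by content only."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None  # scripts, HTML, or anything else: rejected

def safe_upload_name(claimed_filename: str, data: bytes) -> Optional[str]:
    """Stored name derived from content; claimed_filename is deliberately ignored.
    A claimed 'shell.aspx' or 'pic.jpg.aspx' therefore cannot land on disk under
    an extension that a handler mapping (.aspx, .php, ...) would execute."""
    ext = detect_image_type(data)
    if ext is None:
        return None
    # Random name: no traversal, no attacker-chosen extension, no guessable URL.
    return secrets.token_hex(16) + ext

def store_upload(claimed_filename: str, data: bytes, upload_dir: str) -> str:
    """Write the file under a content-derived name in upload_dir (assumed to sit
    outside the web root, so no static-file or script handler reaches it directly).
    A valid JPEG may still carry embedded script text, as the question notes; it
    stays inert only because nothing here maps the file to a script engine."""
    name = safe_upload_name(claimed_filename, data)
    if name is None:
        raise ValueError("rejected: content is not an accepted image type")
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def download_headers(stored_name: str) -> dict:
    """Headers for serving the file back through the application, not a static
    handler: type from the canonical extension, nosniff so the browser cannot
    re-interpret the body as something else."""
    mime = MIME_BY_EXT[os.path.splitext(stored_name)[1]]
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
```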