Back to Basics: When allowing user uploads, don't allow uploads to execute code
I got an email from a reader who noticed some very odd errors happening in her web site's global error handler. Fortunately she's using ELMAH for error handling, which as you may know, is a JOY.
She was seeing:
Access to the path 'C:\Windows\security\database\secedit.sdb' is denied
Well, that's enough to make your heart skip a beat.
She looked around and found a file simply named "list.aspx" that she didn't recognize. The weird part was that this file was in the /uploads folder. That's where users can upload files with her particular CMS.
The list.aspx even has authors listed. Perhaps for their LinkedIn page?
Code by Bin
Make in China
I won't list the full list.aspx here, but rather call out some highlights of this clear malware.
It had a LOT of spaces in the opening of the file.
Meaning, they were assuming you wouldn't scroll down. Seriously. Oddly, though, it was spaces, not carriage returns. Note Line 23 never ends. It's SUPER long.
It pointed to a lot of (comparatively) unusual domains
It had links inside to things like
It's a whole admin console for a bad guy to attack your computer
This file actually has a dropdown with "Please select a database" with values like (this is just a taste):
- Use master dbcc addextendedproc('sp_OACreate','odsole70.dll')
- select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb
- c:\bin.asp' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];
- Exec master.dbo.xp_cmdshell 'net user'
- EXEC sp_configure 'xp_cmdshell'
They're going for complete control of the system, and this file is just the start.
This bad aspx file also tries to bring in some bad JS from the second domain above.
The root of all of this is: Don't let users upload and execute code.
A fix for arbitrary code execution in user upload folders
What was the fix? Well, certainly not allowing someone to upload a file with a .aspx or .php extension for one, but also to mark the entire uploads folder as not executable! Here is the updated web.config:
<handlers accessPolicy="Read" />
I'm not a security expert, but I'd love to hear from YOU, Dear Reader, and some of the crazy stuff you've discovered on systems you manage.