[REVS] 0x00 vs ASP File Upload Scripts

From: SecuriTeam (support_at_securiteam.com)
Date: 07/14/04

    To: list@securiteam.com
    Date: 14 Jul 2004 11:09:03 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      0x00 vs ASP File Upload Scripts
    ------------------------------------------------------------------------

    SUMMARY

    The effects of the "Poison NULL byte" have not been widely explored in
    ASP, but as with other languages the NULL byte can cause problems when ASP
    passes data to objects. Many upload systems written in ASP suffer from a
    common problem whereby a NULL byte can be inserted into the filename
    parameter, so that any extension following the NULL byte is ignored when
    the file is written. This means that in some cases it is possible to
    bypass checks for valid extensions, even when the application itself
    appends the extension. The attack is very similar to those against Perl
    and PHP, the difference being how the NULL byte is delivered to the
    application. The problem arises when data is compared and validated in
    ASP script but then passed to the FileSystemObject without checking for
    NULL bytes. The linked document discusses how ASP upload scripts can be
    affected by the Poison NULL byte attack.

    DETAILS

    Scope:
    The information in this document is based on research done using upload
    systems that accept multipart/form-data posts and use the
    Scripting.FileSystemObject object. Throughout this document we focus on
    the CreateTextFile method, which is used to create a file for writing, but
    it is possible that other objects' methods are vulnerable to the same
    type of problem. A %00 or NULL cannot be sent through the URL or a normal
    form post, because the web server treats it as the end of the string and
    does not store it in the filename variable. When a filename is sent using
    a multipart/form-data post, however, the NULL byte is retained in the
    filename variable and therefore reaches the calls to the FileSystemObject.
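    The following is an added example, not part of the advisory or of the
    linked paper, and it is written in Python rather than ASP so the behaviour
    can be exercised without a web server. It parses a constructed
    multipart/form-data body whose filename parameter carries an embedded NUL
    byte, shows that an extension check on the raw name passes while the name a
    NUL-terminated file API would actually use has a different extension, and
    applies a hardened validator that rejects the NUL byte (and any path
    components) before the extension is examined. The allow-list, the boundary
    string and the sample body are assumptions made for the example.

```python
"""Added example (not from the advisory): multipart filename parsing, the gap a
NUL byte opens between 'extension checked' and 'extension written', and a
hardened validator that closes it."""
import os
import re

# Assumed allow-list of upload extensions for this example.
ALLOWED_EXTENSIONS = {".txt", ".jpg", ".png"}

# Constructed sample body: the filename carries an embedded NUL byte after ".asp".
BOUNDARY = b"----ExampleBoundary7MA4YWxk"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="upfile"; filename="page.asp\x00.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Minimal multipart/form-data parser returning one dict per part.
    Header values are decoded as latin-1 so every byte, NUL included, survives,
    which is exactly the property the advisory describes for multipart posts."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        parts.append({"headers": headers, "data": data})
    return parts


def filename_from_disposition(disposition: str):
    """Extract the quoted filename parameter from a Content-Disposition value."""
    m = re.search(r'filename="([^"]*)"', disposition)
    return m.group(1) if m else None


def naive_extension_check(filename: str) -> bool:
    """The pattern the advisory describes: validate the extension of the raw name."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def name_seen_by_truncating_api(filename: str) -> str:
    """Simulates a NUL-terminated file API (the FileSystemObject behaviour the
    advisory describes): everything from the first NUL onwards is dropped."""
    return filename.split("\x00", 1)[0]


def validate_upload_filename(filename: str):
    """Hardened check. Returns (accepted, detail). NUL and other control bytes are
    rejected first and directory components are stripped, so the name whose
    extension is validated is the same name that would be written."""
    if any(ord(c) < 32 for c in filename):
        return False, "control byte (e.g. NUL) in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return False, "empty or directory-only name"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    return True, base


def audit_upload(body: bytes, boundary: bytes) -> list:
    """Run both checks over every file part and report the gap between them."""
    findings = []
    for part in parse_multipart(body, boundary):
        name = filename_from_disposition(part["headers"].get("content-disposition", ""))
        if name is None:
            continue  # not a file part
        accepted, detail = validate_upload_filename(name)
        findings.append({
            "raw_filename": name,
            "naive_check_passes": naive_extension_check(name),
            "name_written_if_truncated": name_seen_by_truncating_api(name),
            "hardened_accepts": accepted,
            "hardened_detail": detail,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_upload(SAMPLE_BODY, BOUNDARY):
        print(finding)
```

    Running the script prints one finding: the naive check passes because the
    raw name ends in ".txt", the truncated name is "page.asp", and the hardened
    validator rejects the request before the name ever reaches a file API. The
    same validator is the place to log the rejection, since a NUL byte in a
    multipart filename is a strong signal worth alerting on.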

    ADDITIONAL INFORMATION

    The information has been provided by Brett Moore
    <brett.moore@security-assessment.com>.
    The complete document can be found at:
    http://www.security-assessment.com/Papers/0x00_vs_ASP_File_Uploads.pdf


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
