Watch: Nasty JPEG pops corporate locks on Windows boxes Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks. In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal …
> Some of your technology may be out of date, which means this video won't play properly. Please install Flash or upgrade your browser.
My browser is up to date. Flash has been removed because it is a security nightmare, just like the fine people at TheRegister recommended.
This post has been deleted by its author
Well, yes and no. How far away from default do you have to be before a box becomes secure?
I would have preferred to have a safe box to start with and then gradually add/enable things until it does what it needs to do, but not more. This strikes me as a shining example of what happens when you come from the opposite side..
No need for the server admin to do anything. When the hacker previews the nasty jpg, the because the web server thinks it's an aspx it tried to interpret it as such which is why it spews mostly binary onto the page apart from the active content.
(this is nothing to do with extension hiding and/or tricking end users to click on things)
This post has been deleted by its author
@1980s_coder - +1 for you sir!
Your the first person to point out the obvious, whilst the webserver gets the all the blame, ultimately a web server only does what its told, responsibility for this rests predominantly with the developer who wrote the website / application in the first place, for not adding sufficient checking on file extensions or file content..
So this is just a plain upload issue. if the server side script took the time to make sure that the file extension was really .jpg (or even renamed the file to <uniqueid>.jpg); then when Mallory goes and hits the new url with a browser, all they get is the text of their script spat out at them in the viewport. Webservers should not be executing random binary data, just reading it as standard input and sending to the standard output...
The other (important) aspect of the exploit was that once uploaded, you could view the uploaded image, forcing the web server to run the code.
It was also quite instructional on how to leverage a basic shell once obtained to delve deeper into the network. Lots of simple things could stop this exploit going any further than the DMZ if you take the time to look at how it's done.
This post has been deleted by its author
No you didn't get that right. The JPG was a JPG. They had added some aspx code into the comment of the JPG metadata. That's why it was validated as a real image file and the server allowed the upload.
The problem (in this case) was that the web app wasn't checking the file extension so it allowed the jpg to be uploaded (and saved) even though it had been renamed with an aspx extension (thus allowing the researcher to force the web server to interpret it as such upon preview).
This is nothing to do with extension hiding and tricking end users with thing like open_me.doc.exe
I quote: Microsoft introduced an operating environment named Windows on November 20, 1985
So, let me get this straight. We're just shy of 30 years further and those *cough* experts *cough* in Redmond still have a problem with this? Honestly?
I am fully convinced that it is possible to secure Windows properly (I know some people who are rather good at this), but why the hell is it still so much hard work? This is basic stuff.
"So, let me get this straight. We're just shy of 30 years further and those *cough* experts *cough* in Redmond still have a problem with this? Honestly?"
This is not a Windows issue. The developers have gone to some impressive levels of stupidity to enable this exploit....
Could you kindly hire some reporters who speak English (or at least American) as their first language?
I'm getting tired of trying to parse nonsense like this:
that is true because they have Linux server you usually use Windows clients for connect to them
Some uploading portals so weak he says, malicious dynamic content will be accepted merely because it carries a .jpg extension.
So what user is this server running as? On my Linux boxen, Apache has its own user account with no special (admin) privileges. So even if someone manages to feed it something that it chokes on (and even with Linux/Apache there is a small possibility) the malicious code it is tricked into running can't get into other subsystems. Particularly if that same box runs a domain controller. With Windows and a clueless admin* this appears not to be the case. Worse yet, Microsoft seems to think that doing some user level stuff in kernel modules is a Good Idea. For performance, of course.
*Sometimes, one doesn't have a choice with Windows. Given that everything has a web based administrative interface (Windows admins can't be buggered to log on and use a command line), IIS pretty much has to run with admin (root) priveledges.
On Windows the Web Server and .Net (aspx files) would run as a Network Services account with minimal rights.
If you look at website defacement statistics you will see that even after adjusting for market share, you are about 4 times more likely to be remotely hacked running Linux / Apache than Windows / IIS.
To correct your various factual errors:
Windows Server installs without a GUI by default
Pretty much zero Windows admin is web based.
Most administration is via Powershell (Like a UNIX shell but rather more secure and powerful).
IIS does not require admin rights at all.
would a file with a .aspx extension have any meaning. on my OS/2, NetWare, and Linux boxes, .aspx is just a four-letter extension, and not executable. Setting that aside, my firewall would stop such an upload (if/when/as properly configured). Oh, well. Now I know why I don't expose windy boxes to the outside world (the glass breaks too easily).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
