Malicious file execution, also listed as Insecure Remote File Include in the OWASP Top Ten, is a vulnerability caused by direct use or concatenation of unvalidated input into file or stream functions. This weakness is found in many Web applications, but it is preventable by coding processes and techniques focused on ensuring a reasonable level of software assurance.
How it works
An attacker relying on this vulnerability is typically looking for a Web application that fails to prohibit or control execution of uploaded files. PHP 4.0.4 through 5.x are by default vulnerable to this type of attack. Other environments, such as .NET and J2EE, are also vulnerable if they allow file upload and execute capabilities within Web directories.
Figure A is a simple example of a potentially dangerous construct taken from the OWASP Top 10 RC1.
[Figure A: A dangerous construct]
Tainted input can result in a file being downloaded from another server and executed within the context of the calling application. It can also be used to run local programs on systems vulnerable to local directory traversal.
Local directory traversal is the act of modifying address strings to gain access to other directories in the system on which the Web application is executing. Even if an attacker did not upload a file, knowledge of where common executables reside within certain operating system environments can provide access to scripts and other executables. Figure B is an example of a directory traversal attack.
[Figure B: Directory traversal attack]
This example, taken from the Web Application Security Consortium's Path Traversal, depicts a traversal attack using special character sequences. "../" was used to traverse up one directory in order to enter the scripts directory. "%00" allows the attacker to bypass any file extension checks. The result of this attack is a view of the file foo.cgi.
If directory permissions are incorrectly configured, the attacker could not only view the file, she could also modify and execute it. Further, malicious scripts uploaded by the attacker can be easily inserted into a directory with broken or nonexistent access controls. It isn't difficult to use this weakness to craft a malicious file execution attack.
Two additional attack vectors within this vulnerability category include:
- Uploading hostile data to session files, log data, and via image uploads
- Uploading malicious files through the use of compression or audio streams that are not properly screened
Defending against malicious file execution
The business impact of exploits against file inclusion weaknesses depends on the strength of the sandbox or other application isolation platform in place: the weaker the isolation, the more an attacker gains from a successful inclusion. Although .NET and J2EE applications are usually abstracted from the environment in which they execute, PHP possesses no sandbox/isolation capabilities.
Input validation is another critical element of the defense against file inclusion attack vectors. Validation was covered in Part 3 of this series as well as in Web Application Security: Unvalidated Input. Additional defensive measures include:
- Hide server-side filenames from the user
- Disable allow_url_fopen and allow_url_include in the php.ini file
- Configure firewalls so that servers can't make new connections to external Web sites or internal systems; consider network segmentation to protect critical or highly sensitive systems and data
- Consider using constants or other types of input to scripts that are not supplied by the user
- Use document type definitions to define allowed document structures
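As an added example (not code from the article or from OWASP), the kind of construct Figure A describes is shown beside a hardened version that applies three of the measures above: the user supplies a key into a fixed map of constants rather than a filename, server-side paths stay hidden, and the php.ini directives are checked at start-up. The pages/ paths and the PAGE_MAP names are assumptions.

```php
<?php
// Vulnerable: untrusted input is concatenated straight into include().
// With allow_url_include=On a remote URL can be loaded; even with it off,
// "../" sequences can still pull in local files the author never intended.
function render_page_vulnerable(string $page): void
{
    include 'pages/' . $page . '.php';   // $page comes straight from $_GET
}

// Hardened: the user supplies a short key, never a path. The key is looked up
// in a fixed map; anything else is rejected before any file function runs, so
// traversal sequences, null bytes and URLs never reach include(). The real
// filenames are not exposed to the user at all.
const PAGE_MAP = [                        // assumed paths for this example
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $key): ?string
{
    // Exact-match lookup only: no concatenation, no normalisation of input.
    return PAGE_MAP[$key] ?? null;
}

function render_page_hardened(string $key): void
{
    $file = resolve_page($key);
    if ($file === null || !is_file($file)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Defence in depth: report the php.ini directives the article says to disable
// if they are still enabled, so a misconfigured host is caught early.
function check_php_ini(): array
{
    $problems = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $problems[] = "$directive is enabled; set it to Off in php.ini";
        }
    }
    return $problems;
}

foreach (check_php_ini() as $warning) {
    error_log($warning);
}
render_page_hardened($_GET['page'] ?? 'home');
```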
The final word
Malicious file execution is a preventable vulnerability. Coding practices that include input validation and denial of included file execution are a good start, but an effective defense against the execution of unwanted code also includes proper configuration of the underlying infrastructure. Well-designed access controls and firewall configurations support development efforts to protect information assets from an attacker successfully executing a malicious file or achieving expected attack objectives.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.