Unrestricted File Upload Simplified
So first of all, let's go ahead and define an unrestricted file upload. What does that mean? Since it is a fairly broad term, an unrestricted file upload can take a few different forms, such as:
Ability to upload malware or malicious tools
Ability to upload excessively large files
Ability to upload files of a different type than expected
For even more reading on this particular vulnerability OWASP has a great write-up here: OWASP Unrestricted File Upload
It has been my experience that the most common type of unrestricted file upload falls under the third category. That third category is also usually required for the first category to work, as you need to be able to upload your tools or malware without their true type being validated. So now that we have defined what this term means, let's talk about the ramifications and why we should care, since these issues are often rated fairly low risk: they commonly require authentication, or are found on an internal host that is not simple to access.
Well, to start with, I gave a talk a couple of summers back where an unrestricted file upload was part of rooting an ATM. A link to that is available here: RVASEC 2018: From Web App to ATM. But fortunately that is not a common scenario.
So why do we care when a pentester identifies that they can upload large files, or executables with a different extension, to a server via a profile image upload? Surely, since they can't access it directly through my app, it doesn't matter, right? Well, yes, that lowers the risk. But no, that does not remove it and make it negligible. Let's think for a minute about how attackers use various avenues during infiltration of a network or exfiltration of data. Any single point of failure can be used to get data out of the network, or to bring in tooling to further an attack. Yes, we know there are easier ways in many cases, like email, basic HTTP, and so on. But again, we are looking to evaluate ALL risks to a given application, and to provide information on those risks to our clients.
Now let's take this one step further and think about an attack against a more seasoned foe.
Maybe they have DLP in place? Does the target have a 24×7 SOC monitoring for you downloading tools through their web proxy? Now think: is that SOC watching those trusted internal hosts that transfer files all day? A lack of file size checks can lead to some pretty obvious issues. In addition to helping move larger files around via your trusted host, your disk space or cloud storage buckets are being consumed. This can lead to a Denial of Service (DoS) condition or financial impact! Lastly, if there is no AV, or some kind of file whitelisting depending on your use case, monitoring the disk, then there is nothing preventing the upload of malware. This is your last line of defense if the other controls aren't in place, so don't neglect it!
Ultimately, that is why we still report on these, and that is why these issues, even though commonly deemed a low or medium severity, still matter. YES, they should be fixed. So how DO we go about fixing those, anyway?
Remediation
Depending on what the root issue is, there are a few remediation paths available here. Ultimately, each of these items should be in place for your file upload methods:
Checking the file extension or Content-Type is not sufficient; an attacker controls both of these. Client-side extension checking is even worse as a security control. Always validate the file type server side by checking the file signature, AKA the magic number.
Validate that the file's size is less than a reasonable maximum for the application's and method's purposes. Do profile images need to be more than 10MB? CSVs over 5MB? It depends on your use case, but don't let your drives get filled up!
Monitor the disk you are storing these uploads on with some form of anti-virus. While AV tools have their limitations, being able to detect common tools or malware is still beneficial.
So now we know more about what an unrestricted file upload is, why it matters, and how to fix it. So let's work together to get these issues out of the apps running inside of our networks!
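Putting the first two remediation items above into code, as an added example that is not part of the original post: a server-side validator that identifies the upload by its magic number, requires that type to agree with the extension the client claimed, and enforces a size cap. The accepted types, their signatures and the sample inputs are assumptions, and the snippet does not replace the third item (scanning what lands on disk).

```python
from dataclasses import dataclass
from typing import Optional

# Leading bytes for the types this hypothetical endpoint accepts (assumed set).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
ALIASES = {"jpeg": "jpg"}  # extension spellings that map to one type

@dataclass(frozen=True)
class UploadResult:
    ok: bool
    detected: Optional[str]  # type identified from content, if any
    reason: str

def detect_type(data: bytes) -> Optional[str]:
    """Identify the file from its signature, ignoring the client-supplied name or header."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None

def validate_upload(filename: str, data: bytes, max_bytes: int) -> UploadResult:
    """Accept only if the size is within max_bytes, the content's signature is a
    permitted type, and that type agrees with the extension the client claimed.
    The Content-Type header is deliberately not consulted: the client sets it."""
    if len(data) > max_bytes:  # in a real server, bound the read itself, not just the result
        return UploadResult(False, None, f"exceeds {max_bytes} bytes")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = ALIASES.get(ext, ext)
    if ext not in MAGIC:
        return UploadResult(False, None, f"extension '.{ext}' not permitted")
    detected = detect_type(data)
    if detected is None:
        return UploadResult(False, None, "signature matches no permitted type")
    if detected != ext:
        return UploadResult(False, detected, f"content is {detected}, claimed {ext}")
    # A matching signature establishes the type, not that the file is benign:
    # the stored file should still be scanned (remediation item three).
    return UploadResult(True, detected, "accepted")

# Constructed sample inputs, not real files: a PNG header and an executable header.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PE_HEADER = b"MZ\x90\x00" + b"\x00" * 60
```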
Are you looking for a security assessment for your network or applications? Send us an email at info@mccormackcyber.com