Watch: Nasty JPEG pops corporate locks on Windows boxes

Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers and gain expanded privileges across networks. In a live hack scheduled for RSA San Francisco this week, the TrueSec boffin shows how he used the technique to access an unnamed US Government agency that ran a buggy photo upload portal …

  1. fortran

    Re: What’s going on here?

    > Some of your technology may be out of date, which means this video won't play properly. Please install Flash or upgrade your browser.

    My browser is up to date. Flash has been removed because it is a security nightmare, just like the fine people at TheRegister recommended.

    1. gollux

      Re: What’s going on here?

      Heh, YouTube knows how to use HTML 5, but the Security Researcher doesn't... Amusing.

      1. Alistair 3

        Re: What’s going on here?

        It's on Vimeo not YouTube and I doubt the researcher was involved in the decision on how the web conference was to be recorded and eventually shared.

  2. Mark 85

    So he did a live hack into a government server?

    I hope he had written permission in triplicate lest he be accused of being North Korean and making an illegal entry into a computer system (or whatever the law of the day concerning this).

    1. Preston Munchensonton
      Black Helicopters

      Re: So he did a live hack into a government server?

      Strangely enough, I'm sure no one will ever hear from him again after his pwnage announcement.

      1. Fatman

        Re: So he did a live hack into a government server?

        I bet he is learning new stress positions at Club Gitmo, courtesy of the Land of the Free Government Bought and Paid For by Special Interests.

  3. Anonymous Coward
    Anonymous Coward

    Tried it, didn't work

    I just tried that hack on nsa.gov and nothing happened, I think.. hold on, someone's at the door..

    1. Anonymous Coward
      Anonymous Coward

      Re: Tried it, didn't work

      Odd... I just tried and it wor

  4. kain preacher

    Tried it, didn't work

    I hope your computer is not near a widow with the curtains open.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tried it, didn't work

      I've closed the curtains, the widow says she doesn't mind....

  5. Anonymous Coward
    Anonymous Coward

    So in summary

    servers compromised due to piss poor config?

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: So in summary

        Well, yes and no. How far away from default do you have to be before a box becomes secure?

        I would have preferred to have a safe box to start with and then gradually add/enable things until it does what it needs to do, but not more. This strikes me as a shining example of what happens when you come from the opposite side..

        1. Sir Runcible Spoon

          Re: So in summary

          Also of note in this presentation was that the original site (reportedly a government site although we have no proof of that) was running a default password on the back end server, which was also handily stored in a backup folder in plain text.

        2. Anonymous Coward
          Anonymous Coward

          Re: This strikes me as a shining example of what happens when you come from the opposite side..

          So you've clearly not installed the latest Windows servers. They come with very little enabled by default.

          Try and keep up if you're going to keep sniping.

  6. Colin Miller

    extension hiding?

    Hold a tick,

    Does this need the server admin to open what s/he thinks is foo.jpeg, but is really foo.jpeg.aspx? I'd suspect that most admins turn off extension hiding in File Explorer as soon as Windows is installed. Does it still work in that case?

    1. Anonymous Coward
      Anonymous Coward

      Re: extension hiding?

      No need for the server admin to do anything. When the hacker previews the nasty jpg, because the web server thinks it's an aspx it tries to interpret it as such, which is why it spews mostly binary onto the page apart from the active content.

      (this is nothing to do with extension hiding and/or tricking end users to click on things)

  7. This post has been deleted by its author

    1. Sir Runcible Spoon

      fyi all the datestamps from the video presentation were from August last year.

      Still interesting to see how simple it is to circumvent the firewalls just by hijacking existing processes. I didn't know any details about metasploit before this video.

    2. Anonymous Coward
      Anonymous Coward

      @1980s_coder - +1 for you sir!

      You're the first person to point out the obvious: whilst the web server gets all the blame, ultimately a web server only does what it's told. Responsibility for this rests predominantly with the developer who wrote the website / application in the first place, for not adding sufficient checking on file extensions or file content.

  8. BrentRBrian

    Ensuring ... ensuing ...

  9. David Nash Silver badge

    Nasty JPG

    So the so-called "Nasty JPG" of the title is not at all, it's a nasty script pretending to be a JPG.

    Did I get that right?

    So similar in concept to a spam email containing "open_me.doc.exe"?

    1. JeffUK

      Re: Nasty JPG

      It's a bit more subtle than that, but not much more. I think it's a nasty script that is also a valid JPEG, so if you check that the user has uploaded a valid JPEG, it works, but it also executes as a valid .aspx.

      I think..

    2. Fred Flintstone Gold badge

      Re: Nasty JPG

      So similar in concept to a spam email containing "open_me.doc.exe"?

      Yes, but still a bit more evolved than the Irish virus :)

      1. bpfh
        WTF?

        Re: Nasty JPG

        So this is just a plain upload issue. If the server-side script took the time to make sure that the file extension was really .jpg (or even renamed the file to <uniqueid>.jpg), then when Mallory goes and hits the new URL with a browser, all they get is the text of their script spat out at them in the viewport. Webservers should not be executing random binary data, just reading it as standard input and sending to the standard output...

        1. Sir Runcible Spoon

          Re: Nasty JPG

          The other (important) aspect of the exploit was that once uploaded, you could view the uploaded image, forcing the web server to run the code.

          It was also quite instructional on how to leverage a basic shell once obtained to delve deeper into the network. Lots of simple things could stop this exploit going any further than the DMZ if you take the time to look at how it's done.

          1. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: Nasty JPG

      No you didn't get that right. The JPG was a JPG. They had added some aspx code into the comment of the JPG metadata. That's why it was validated as a real image file and the server allowed the upload.

      The problem (in this case) was that the web app wasn't checking the file extension so it allowed the jpg to be uploaded (and saved) even though it had been renamed with an aspx extension (thus allowing the researcher to force the web server to interpret it as such upon preview).

      This is nothing to do with extension hiding and tricking end users with thing like open_me.doc.exe
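The flow the replies above describe (a genuine JPEG with script text in its comment segment, saved under the client-chosen .aspx name, then executed by the server on preview) as an added example. This is not code from the article, the talk or the portal it describes; the real application was ASP.NET, and Python is used here only because it shows the check logic compactly and runs anywhere. The minimal JPEG, the placeholder payload and every function name are constructed for illustration. The hardened variant also applies bpfh's suggestion of renaming the stored file to <uniqueid>.jpg.

```python
# Added example, not code from the article, the talk or the portal it describes.
# It models the upload flaw the comments describe: the file really is a JPEG
# (script text rides in its COM comment segment), so a content-only check
# passes, and the app keeps the client-supplied ".aspx" name, so the web
# server later executes it. The placeholder payload, the minimal JPEG and all
# names below are constructed for illustration.
import os
import struct
import uuid

ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}
SOI = b"\xff\xd8"   # start of image marker
EOI = b"\xff\xd9"   # end of image marker


def make_jpeg_with_comment(comment: bytes) -> bytes:
    """Build a minimal, structurally valid JPEG: SOI, one COM segment, EOI.
    Constructed fixture; a real photo also carries APPn/DQT/SOF/SOS segments."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return SOI + com + EOI


def jpeg_comments(data: bytes) -> list:
    """Walk the marker segments after SOI and return each COM (0xFFFE) payload.
    Stops at SOS (entropy-coded data follows) or EOI, and on malformed lengths."""
    comments = []
    i = len(SOI)
    while i + 2 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):              # EOI or SOS: header scan is over
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            i += 2                              # standalone markers carry no length
            continue
        if i + 4 > len(data):
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if length < 2 or i + 2 + length > len(data):
            break                               # truncated or malformed segment
        if marker == 0xFE:
            comments.append(data[i + 4:i + 2 + length])
        i += 2 + length
    return comments


def looks_like_jpeg(data: bytes) -> bool:
    """Content check on its own, the sort of test the portal reportedly relied on.
    Deliberately simple: it says nothing about what the comment segment holds."""
    return data.startswith(SOI) and data.endswith(EOI)


def weak_store_name(client_filename: str, data: bytes):
    """Vulnerable pattern: validate the bytes, then trust the client's filename.
    A valid JPEG uploaded as 'x.aspx' is saved under that name and served as script."""
    if not looks_like_jpeg(data):
        return None
    return client_filename


def hardened_store_name(client_filename: str, data: bytes):
    """Hardened pattern: allow-list the *last* extension, check the content,
    and pick a server-side name so the client's name never reaches disk."""
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not looks_like_jpeg(data):
        return None
    return f"{uuid.uuid4().hex}.jpg"


if __name__ == "__main__":
    payload = b"<% placeholder standing in for the script text %>"  # constructed
    img = make_jpeg_with_comment(payload)
    print("valid JPEG:", looks_like_jpeg(img), "comments:", jpeg_comments(img))
    print("weak     :", weak_store_name("avatar.aspx", img))
    print("hardened :", hardened_store_name("avatar.aspx", img))
```

The rename is what actually closes the hole: once the stored name is chosen by the server, no double extension, trailing-character trick or Content-Type header can attach a script handler to the upload. As a second layer, store uploads outside the web root or in a directory with script handlers removed, so a validator bug cannot turn a file into code. The content check here is intentionally minimal; a production validator would decode the image rather than look at its first and last two bytes.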

  10. Anonymous Coward
    Anonymous Coward

    Article

    Interesting article but, dudes, invest in some proofreading.

  11. Anonymous Coward
    Anonymous Coward

    WTF? Happy birthday, Windows

    I quote: Microsoft introduced an operating environment named Windows on November 20, 1985

    So, let me get this straight. We're just shy of 30 years further and those *cough* experts *cough* in Redmond still have a problem with this? Honestly?

    I am fully convinced that it is possible to secure Windows properly (I know some people who are rather good at this), but why the hell is it still so much hard work? This is basic stuff.

    1. Anonymous Coward
      Meh

      Re: WTF? Happy birthday, Windows

      "but why the hell is it still so much hard work? "

      It's not. EMET will kill off many (not all) exploits with a few clicks.

    2. Anonymous Coward
      Anonymous Coward

      Re: but why the hell is it still so much hard work?

      It's not; this is a case of opening up the server to abuse rather than it not being locked down by default. Note the "password in a text file" bit, that doesn't happen automatically, some "admin" put that there....

    3. Anonymous Coward
      Anonymous Coward

      Re: WTF? Happy birthday, Windows

      "So, let me get this straight. We're just shy of 30 years further and those *cough* experts *cough* in Redmond still have a problem with this? Honestly?"

      This is not a Windows issue. The developers have gone to some impressive levels of stupidity to enable this exploit....

  12. Tom 13

    Dear El Reg

    Could you kindly hire some reporters who speak English (or at least American) as their first language?

    I'm getting tired of trying to parse nonsense like this:

    that is true because they have Linux server you usually use Windows clients for connect to them

    Some uploading portals so weak he says, malicious dynamic content will be accepted merely because it carries a .jpg extension.

    1. Lewis R

      Re: Dear El Reg

      All your base are belong to us...

  13. Paul Hovnanian Silver badge
    Linux

    Server Permissions

    So what user is this server running as? On my Linux boxen, Apache has its own user account with no special (admin) privileges. So even if someone manages to feed it something that it chokes on (and even with Linux/Apache there is a small possibility) the malicious code it is tricked into running can't get into other subsystems. Particularly if that same box runs a domain controller. With Windows and a clueless admin* this appears not to be the case. Worse yet, Microsoft seems to think that doing some user level stuff in kernel modules is a Good Idea. For performance, of course.

    *Sometimes, one doesn't have a choice with Windows. Given that everything has a web based administrative interface (Windows admins can't be buggered to log on and use a command line), IIS pretty much has to run with admin (root) privileges.

    1. Anonymous Coward
      Anonymous Coward

      Re: Server Permissions

      On Windows the Web Server and .Net (aspx files) would run as a Network Services account with minimal rights.

      If you look at website defacement statistics you will see that even after adjusting for market share, you are about 4 times more likely to be remotely hacked running Linux / Apache than Windows / IIS.

      To correct your various factual errors:

      Windows Server installs without a GUI by default

      Pretty much zero Windows admin is web based.

      Most administration is via Powershell (Like a UNIX shell but rather more secure and powerful).

      IIS does not require admin rights at all.

  14. Tom 64

    Is this even English?

    Such poor grammar....

    SRLSY, do you even English?

  15. Lewis R

    Only on Windows...

    would a file with a .aspx extension have any meaning. On my OS/2, NetWare, and Linux boxes, .aspx is just a four-letter extension, and not executable. Setting that aside, my firewall would stop such an upload (if/when/as properly configured). Oh, well. Now I know why I don't expose windy boxes to the outside world (the glass breaks too easily).
