WTF anno 2005: Secure File Downloading.

When I started as a system administrator at my old job, one of my first tasks was to help a consultant – from a company I won’t name – with their proprietary solution for “Secure Internet”. My workplace needed a secure way to download files, and their solution should cover all this… in various interpretations of “secure”.

The design was fairly simple:

  1. Clients connect to a terminal server (being Citrix or RDP, it doesn’t really matter).
  2. The Internet connected session can’t access the secure network, but is able to store files on a temporary home directory in the DMZ.
  3. The files in the DMZ are picked up and transmitted by email to a special account.
  4. On the MS Exchange server, a trigger reacts on incoming emails to this particular account, and then writes the attachment to the user’s home directory.
  5. The user can access the downloaded files inside the secure network.

If we say that it’s acceptable for the user to deal with untrusted files downloaded from the Internet, this is a fair design. It does the job. However, this is not what I wanted to present to you. I think it’s more interesting to look at how the file-transfer is performed.

When the user saves his file at his temporary home directory in the DMZ, a scheduled job runs and picks up the file. The same job constructs an email formatted like this:

FROM: filelockaccount@acme.org
TO: filelockaccount@acme.org
SUBJECT: \\fileserver\home$\username\filelock\iloveyou.exe
ATTACHMENT: iloveyou.exe

On the Exchange server, the trigger picks up the email, and writes the attachment to the path defined in the subject. The Exchange server ran this job with administrative privileges.

To see whether this could be exploited, I used an Internet connected computer outside the network – just connected via ordinary ADSL. I made Outlook Express use the ISP’s SMTP-server, and made an email formatted like this:

FROM: filelockaccount@acme.org
TO: filelockaccount@acme.org
SUBJECT: \\somewebserver\c$\OMGLOLZ.txt
ATTACHMENT: OMGLOLZ.txt

A couple of minutes later, I could see OMGLOLZ.txt in the root of C:\ on somewebserver. We also tested whether we had access to potentially execute malicious code… and since the magic process on the Exchange server ran with administrative privileges, we definitely could.

Turns out the secure way of downloading files from the Internet could be used to compromise server security in the entire network.
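The trigger described above used the subject line verbatim as a write path, so any SMTP sender who could reach the account got an administrative file write to any UNC path. As an added illustration (this is not code from the post or from the consultant's product), here is a Python sketch of the validation the Exchange-side job should have done: rebuild the destination from allow-listed components instead of passing the subject through. The share `\\fileserver\home$`, the `filelock` subfolder and the file names come from the post's examples; the user name `jdoe` and the character allow-lists are constructed assumptions.

```python
import ntpath
import re

# Constructed to match the post's example layout: \\fileserver\home$\<username>\filelock\<file>
HOME_ROOT = r"\\fileserver\home$"
FILELOCK_SUBDIR = "filelock"

# Allow-lists for the two user-influenced components (assumed policy; tighten to taste).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
FILENAME_RE = re.compile(r"[A-Za-z0-9._ -]{1,128}")


def naive_destination(subject: str) -> str:
    """The behaviour the post describes: trust the subject line as the write path."""
    return subject


def _component_ok(name: str, pattern: re.Pattern) -> bool:
    # Reject empty, dot and dot-dot components and anything outside the allow-list
    # (which also excludes both path separators, drive colons and ADS colons).
    return name not in ("", ".", "..") and pattern.fullmatch(name) is not None


def safe_destination(subject: str, attachment_name: str) -> str:
    """Hardened version: the subject may only name a file inside the sender's own
    filelock folder on the home share, and the path is rebuilt from validated parts."""
    prefix = HOME_ROOT + "\\"
    if not subject.lower().startswith(prefix.lower()):
        raise ValueError("destination is not on the home share")

    parts = subject[len(prefix):].split("\\")
    if len(parts) != 3:
        raise ValueError("unexpected path depth (expected <username>\\filelock\\<file>)")
    username, subdir, filename = parts

    if not _component_ok(username, USERNAME_RE):
        raise ValueError("bad username component")
    if subdir.lower() != FILELOCK_SUBDIR:
        raise ValueError("destination folder is not the filelock folder")
    if not _component_ok(filename, FILENAME_RE):
        raise ValueError("bad file name component")

    # The attachment must be a bare file name and must agree with the subject.
    if ntpath.basename(attachment_name) != attachment_name or attachment_name != filename:
        raise ValueError("attachment name does not match the subject")

    # Never reuse the subject string: rebuild the path from the validated pieces.
    return ntpath.join(HOME_ROOT, username, FILELOCK_SUBDIR, filename)


def is_allowed(subject: str, attachment_name: str) -> bool:
    """Convenience wrapper: True if the trigger would accept this subject/attachment pair."""
    try:
        safe_destination(subject, attachment_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: the legitimate message from the post, and the spoofed one.
    legit = (r"\\fileserver\home$\jdoe\filelock\iloveyou.exe", "iloveyou.exe")
    spoofed = (r"\\somewebserver\c$\OMGLOLZ.txt", "OMGLOLZ.txt")
    for subject, attachment in (legit, spoofed):
        print(subject, "->", "accepted" if is_allowed(subject, attachment) else "rejected")
```

The check only closes the path-traversal half of the problem. The sender address was spoofable from any ISP mail server, so the Exchange-side job should also accept these messages only from the internal DMZ relay, and it should run as an account whose only right is to write into users' filelock folders rather than as an administrator; with that, even a bypass of the validation would not yield a domain-wide file write.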

The hole was patched shortly after, and I got my attaboy.
