PC Review



How to detect an executable file?

 
 
Author
Guest
Posts: n/a
 
      16th Apr 2009
In my application, users can upload files and store them in a
database.

I would like to prevent them from uploading executable files. The
question is: How do I detect if it is an executable file?

I am not asking about checking the .exe extension, which is easy, and
unreliable because one can easily rename malicious.exe to
prettygirl.jpg.

If you have used gmail attachment, you would know.

I googled, but cannot find anything helpful. Your hint is highly
appreciated.
 
 
 
 
 
Geoffrey Summerhayes
Guest
Posts: n/a
 
      16th Apr 2009
On Apr 16, 9:18 am, Author <gnewsgr...@gmail.com> wrote:
> In my application, users can upload files and store them in a
> database.
>
> I would like to prevent them from uploading executable files. The
> question is: How do I detect if it is an executable file?
>
> I am not asking about checking the .exe extension, which is easy, and
> unreliable because one can easily rename malicious.exe to
> prettygirl.jpg.


Actually those are usually named prettygirl.jpg.exe, relying on users
leaving the default for not showing known file extensions. Windows
uses the file extension to determine what to do with it, unlike Linux
which has bit settings to determine if it is executable.

Since unwanted files come in so many varieties, *.exe, *.com, *.scr,
*.bat, *.msi, etc., it is difficult to determine from looking at just
the contents of the file without some context.

Another way would be to determine what files are allowed and check
to see that the uploaded file matches the specs.

--
Geoff
 
 
Andrew Faust
Guest
Posts: n/a
 
      16th Apr 2009
"Author" <(E-Mail Removed)> wrote in message
news:5aebccac-bda5-46d0-b387-(E-Mail Removed)...

> I would like to prevent them from uploading executable files. The
> question is: How do I detect if it is an executable file?
>
> I am not asking about checking the .exe extension


The only way to know for sure is to actually look at the contents of the
file. You wouldn't need the whole file, just enough of the header to
determine whether or not it's an executable. Basically you'd need to upload
the file to a temporary location, inspect it then post to DB if valid or
delete if it's an executable.

You could also use some client side code (javascript, silverlight, java,
etc) to read the file and determine if it's an executable before sending it
to the server. If you did this you'd still need to have the server validate
it to ensure the user didn't bypass the client side check, though.

This site has the file formats for a bunch of different file types.
http://www.wotsit.org/list.asp?fc=5

--
Andrew Faust

 
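Geoff's suggestion (decide which formats are allowed and check that the upload matches) and Andrew's (read only enough of the header to decide, and never trust a client-side check alone) combine into a default-deny validator. The following is an added illustration, not code posted in the thread; it is written in Python to show the logic the original poster would port to the C# upload handler, and the allowlist table, the 16-byte header length and the sample inputs are all constructed for this example.

```python
import os

# Allowlist of accepted upload formats: extension -> (MIME type, accepted magic-byte prefixes).
# Constructed for this example; an application would list only the formats it actually needs.
ALLOWED_FORMATS = {
    ".jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    ".gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
    ".pdf":  ("application/pdf", [b"%PDF-"]),
}

HEADER_BYTES = 16  # enough to match every prefix above; read this much, not the whole file


def validate_upload(filename: str, declared_type: str, header: bytes):
    """Return (accepted, reason). Deny by default: the upload must agree with one allowed
    format on all three counts: file extension, declared content type, and leading bytes.

    `header` is the first HEADER_BYTES of the uploaded content, read from the temporary
    location before anything is written to the database.
    """
    ext = os.path.splitext(filename)[1].lower()        # "prettygirl.jpg.exe" -> ".exe"
    entry = ALLOWED_FORMATS.get(ext)
    if entry is None:
        return False, f"extension {ext or '(none)'} is not in the allowlist"
    mime, magics = entry
    # The browser-supplied type is derived from the extension and is attacker-controlled,
    # so it is only required to be consistent; it never decides on its own.
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, f"declared type {declared_type!r} does not match {ext}"
    if not any(header.startswith(magic) for magic in magics):
        return False, f"content does not look like {mime}"
    return True, mime
```

A renamed executable fails the third check because its content still starts with the `MZ` header rather than the JPEG or PDF signature, and a double-extension name such as `prettygirl.jpg.exe` fails the first because `.exe` is not listed. Formats whose signature is not at offset zero (some PDF producers prepend junk) need a format-specific check instead of a plain prefix match.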
 
Author
Guest
Posts: n/a
 
      16th Apr 2009
On Apr 16, 10:10 am, "Mark Rae [MVP]" <m...@markNOSPAMrae.net> wrote:
> "Author" <gnewsgr...@gmail.com> wrote in message
>
> news:5aebccac-bda5-46d0-b387-(E-Mail Removed)...
>
> > Your hint is highly appreciated.

>
> There is no 100% reliable way of doing this...
>
> You can inspect the PostedFile.ContentType property of the uploaded file and
> check that it's not "application/octet-stream": http://www.w3schools.com/media/media_mimeref.asp
>
> but, as you point out, that can be bypassed by simply changing the file
> extension. E.g. if you rename MyExecutable.exe to MyExectuable.pdf and
> upload it, its PostedFile.ContentType property will be reported as
> "application/pdf", so not much use...
>
> A more robust method involves actually opening the file and reading in the
> first few bytes to parse the header information - this is discussed here: http://forums.asp.net/p/1051895/1488103.aspx#1488103
>
> This is quite a lot of work which, again, is not 100% reliable because not
> all file formats store their header descriptors in exactly the same place..
>
> Only you can decide how secure your app really needs to be...
>
> --
> Mark Rae
> ASP.NET MVP
> http://www.markrae.net


Thank you very much, Mark. I'll definitely read through those
articles.
 
 
jp2msft
Guest
Posts: n/a
 
      16th Apr 2009
One possibility would be to attempt renaming the file's extension to one of
the known executable formats (as provided by Geoffrey Summerhayes earlier),
then attempt to start the process.

I'm guessing if you tried to execute an image file as an executable, it
would throw an exception.

If no exception is thrown, the file is probably running, and you should kill
the process and refuse the file.

Again, this is all theory. I haven't written anything that can verify any of
what I've just typed.

Good luck!
~Joe

"Andrew Faust" wrote:

> "Author" <(E-Mail Removed)> wrote in message
> news:5aebccac-bda5-46d0-b387-(E-Mail Removed)...
>
> > I would like to prevent them from uploading executable files. The
> > question is: How do I detect if it is an executable file?
> >
> > I am not asking about checking the .exe extension

>
> The only way to know for sure is to actually look at the contents of the
> file. You wouldn't need the whole file, just enough of the header to
> determine whether or not it's an executable. Basically you'd need to upload
> the file to a temporary location, inspect it then post to DB if valid or
> delete if it's an executable.
>
> You could also use some client side code (javascript, silverlight, java,
> etc) to read the file and determine if it's an executable before sending it
> to the server. If you did this you'd still need to have the server validate
> it to ensure the user didn't bypass the client side check, though.
>
> This site has the file formats for a bunch of different file types.
> http://www.wotsit.org/list.asp?fc=5
>
> --
> Andrew Faust
>
>

 
 
Michael B. Trausch
Guest
Posts: n/a
 
      16th Apr 2009
On Thu, 16 Apr 2009 06:18:05 -0700 (PDT)
Author <(E-Mail Removed)> wrote:

> In my application, users can upload files and store them in a
> database.
>
> I would like to prevent them from uploading executable files. The
> question is: How do I detect if it is an executable file?
>
> I am not asking about checking the .exe extension, which is easy, and
> unreliable because one can easily rename malicious.exe to
> prettygirl.jpg.
>
> If you have used gmail attachment, you would know.
>
> I googled, but cannot find anything helpful. Your hint is highly
> appreciated.


The only reliable method for doing this is to work in the same way that
the UNIX 'file' command works, and inspect the file.

Many applications in the Windows world do _not_ do this (ironically,
some of them are _security_ applications). They'll block certain file
extensions or certain MIME types, which is just incorrect behavior.

Check out:
http://en.wikipedia.org/wiki/File_%28Unix%29

You can very likely use its database in your application and port the
"file" code into a library for C#. That way you can reliably detect
file types. The database is updated over time, as well, so if you
maintain the database external to your application instead of embedded
as a resource or something, you can deploy updates without rebuilding.

If you just want to catch the basic executable types, look for PE files
(a modification of the UNIX COFF executable format). To catch-all, you
can look for MZ, PE+, NE, and LE executables. If you want to filter
out executables that can be used on systems like most UNIX variants,
look for COFF, ELF, a.out/ZMAGIC/OMAGIC, etc. file types, too.

You then just open the file and detect what type it is based on the
information that you have. You can detect structured executables (and,
for example, whether or not they are CLR binaries or native code) and
data formats as well, so if you want to take the approach of
whitelisting file formats, you can do that as well.

You can't (reliably) catch straight binary programs (e.g., what used to
be known as .COM files for MS-DOS and compatible systems, but is also
the same sort of code that resides in a boot loader or master boot
record). However, these sorts of programs mostly cannot execute on
modern versions of Windows any longer, and do not present a danger
because most of the functionality that they use is prohibited by
Windows itself. Most of these types of programs are written to use
direct I/O or other hardware access.

--- Mike

--
All opinions are not equal. Some are a very great deal more robust,
sophisticated and well supported in logic and argument than others.
--- Douglas Adams

 
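Mike's post describes the `file(1)` approach: open the upload and recognise the executable families by their headers (MZ, PE/PE+, NE, LE, ELF, a.out) and, for PE, whether the image is a CLR assembly or native code. The following is an added example, not code from the thread; it is in Python rather than C# so the header layout is visible without a PE library, and it generalises slightly beyond the post by also labelling LX images and distinguishing PE32 from PE32+. Offsets and constants come from the PE/COFF specification; `build_sample_pe` constructs a header-only image purely so the detector has something to run on.

```python
import struct

# Constants from the PE/COFF specification.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR runtime header

# Historical UNIX a.out magics (octal, as in <a.out.h>), read as a little-endian 16-bit word.
AOUT_MAGICS = {0o407: "a.out/OMAGIC", 0o410: "a.out/NMAGIC", 0o413: "a.out/ZMAGIC"}


def classify_executable(data: bytes):
    """Return a format label if the leading bytes look like an executable, else None.

    Covers the families named in the thread: MZ (plain DOS), PE32/PE32+ (native or CLR),
    NE, LE/LX, ELF and a.out. A bare COFF object (2-byte machine id at offset 0) is
    deliberately not matched: two bytes collide with too many innocent formats.
    """
    if len(data) < 4:
        return None

    if data[:4] == b"\x7fELF":
        # e_ident[EI_CLASS]: 1 = 32-bit, 2 = 64-bit
        bits = {1: "32", 2: "64"}.get(data[4], "?") if len(data) > 4 else "?"
        return f"ELF{bits}"

    aout = struct.unpack_from("<H", data, 0)[0]
    if aout in AOUT_MAGICS:
        return AOUT_MAGICS[aout]  # 16-bit magic only: the weakest check in this function

    if data[:2] != b"MZ":
        return None

    # Every MZ-based format stores the offset of its "new" header at 0x3C (e_lfanew).
    if len(data) < 0x40:
        return "MZ (DOS)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return "MZ (DOS)"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "NE (Win16)"
    if sig[:2] == b"LE":
        return "LE (VxD / OS/2)"
    if sig[:2] == b"LX":
        return "LX (OS/2)"
    if sig != b"PE\0\0":
        return "MZ (DOS)"
    return _classify_pe(data, e_lfanew)


def _classify_pe(data: bytes, e_lfanew: int) -> str:
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte IMAGE_FILE_HEADER
    if opt + 2 > len(data):
        return "PE (truncated)"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        label, dd_off, count_off = "PE32", 96, 92
    elif magic == PE32PLUS_MAGIC:
        label, dd_off, count_off = "PE32+", 112, 108
    else:
        return "PE (unknown optional header magic)"
    # NumberOfRvaAndSizes says how many 8-byte data directories follow the optional header.
    if opt + count_off + 4 > len(data):
        return label
    count = struct.unpack_from("<I", data, opt + count_off)[0]
    clr = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if count > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and clr + 8 <= len(data):
        va, size = struct.unpack_from("<II", data, clr)
        if va and size:  # a populated CLR runtime header marks a managed assembly
            return f"{label} (CLR)"
    return f"{label} (native)"


def is_executable(data: bytes) -> bool:
    return classify_executable(data) is not None


def build_sample_pe(pe32plus: bool = False, clr: bool = False) -> bytes:
    """Constructed header-only PE image for demonstration; it is not a runnable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    file_header = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)  # NumberOfRvaAndSizes
    if clr:
        dd = (112 if pe32plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        struct.pack_into("<II", opt, dd, 0x2008, 0x48)  # constructed RVA/size for the CLR header
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)
```

Only the first few hundred bytes of the upload are needed for this, so it can run on the temporary copy before anything is committed to the database. As Mike notes, flat binaries (DOS .COM, boot-sector code) have no header to recognise; a blocklist like this is a backstop, and the allowlist of accepted formats remains the primary control.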
 
Michael B. Trausch
Guest
Posts: n/a
 
      16th Apr 2009
On Thu, 16 Apr 2009 09:38:22 -0700
jp2msft <(E-Mail Removed)> wrote:

> One possibility would be to attempt renaming the file's extension to
> one of the known executable formats (as provided by Geoffrey
> Summerhayes earlier), then attempt to start the process.


Ouch. That would be one hell of an attack vector.

--- Mike

--
Love is Hate. War is Peace. Windows is stable.

 
 
Jeff Johnson
Guest
Posts: n/a
 
      16th Apr 2009
"jp2msft" <(E-Mail Removed)> wrote in message
news:A066B74D-23E9-4F52-95B1-(E-Mail Removed)...

> One possibility would be to attempt renaming the file's extension to one
> of
> the known executable formats (as provided by Geoffrey Summerhayes
> earlier),
> then attempt to start the process.


....

Wow.

"Is this a virus?"

"I don't know, why don't you run it and see?"

That's basically what your suggestion amounts to.


 
 
Michael B. Trausch
Guest
Posts: n/a
 
      16th Apr 2009
On Thu, 16 Apr 2009 13:52:54 -0400
"Jeff Johnson" <(E-Mail Removed)> wrote:

> Wow.
>
> "Is this a virus?"
>
> "I don't know, why don't you run it and see?"
>
> That's basically what your suggestion amounts to.


I know someone who did that once. Actually their goal was to see how
compatible Wine was with real Windows, so they (intentionally!)
snatched a copy of "AntiVirus 2009" virus/trojan/malware.

Lo and behold, their entire ~/.wine directory had to be removed (after
removing data from it) so that they could use their installed Windows
applications again...

--- Mike

--
The problem with quick and dirty, as some people have said, is that
the dirty remains long after the quick has been forgotten.
--- Steve McConnell

 
 
Larry Smith
Guest
Posts: n/a
 
      16th Apr 2009
> Wow.
>
> "Is this a virus?"
>
> "I don't know, why don't you run it and see?"
>
> That's basically what your suggestion amounts to.


An executable can always be started in suspend mode and then immediately
terminated. It's a brittle approach of course (on several fronts) and I
wouldn't want to buy the stock of any company that would.


 
 
 
 