0

I have a basic cloud storage solution for files where a user can upload/download files.

I'm storing the files as regular files in the file system like this:

User uploads "launchattack.exe" -> saved as "c:\wwwroot\site\accounts\user1\files\{guid}.bin"

What are the security risk with this? Even if the file would be harmful if executed on the server, is it still safe to store it like this?

Any other countermeasures I should use?

I'm running this on Windows Server for now but might move to Linux. I'm using ASP.NET Core.

I could prepend all files with a header so that they wouldn't be executable in their stored form, but I don't know if that's necessary?

The basic question is if this file could be executed somehow? Can a service like this be used to get malicious code to run on my server? I guess not, but better safe than sorry.

Andreas Zita
  • 101
  • 2
  • 1
    What are you trying to guard against? Enumerate those things and then put in place measures to prevent them. – EEAA May 07 '17 at 12:38
  • Yeah, a list of perverted things one can consider unsafe to store would be nice :) – Anubioz May 07 '17 at 12:53

1 Answers1

0

There are several ways of preventing untrusted executable files from being run in some automated manner on Windows.

1) You can encode the file so that is isn't recognised as an executable file; e.g. as base64 or via encryption (don't rely on anything that encrypts in a transparent manner as that is likely to present the file to Windows in a decrypted form).

2) You can store the file in a data store of some kind, preventing Windows from accessing the file directly, and thus preventing it from being run.

3) Set the ACL on the storage root directory appropriately (allow read, enter directories, create, modify, but deny read+execute on files), enforce inheritance and don't allow your application to change the ACLs.

There are probably other options; on Linux, you can mount the filesystem that the files are stored on with noexec flag, preventing files in that filesystem from being executed. You could run the application in a container (or VM), isolating any effects of malicious programs, etc. (You are, of course, running the application with the fewest permissions possible, aren't you?) You can mark the files as being downloaded from the Internet to prevent them from being run without user intervention.

Of course, everything relies on your server not being compromised in some other manner that allows your protection mechanism to be bypassed. Option 1 is probably the safest, but requires the most CPU to implement as you're doing encoding/decoding on the fly. Option 2 depends on your data store (e.g. database). Option 3 is probably the fastest (and pretty safe) and least resource-hungry of the lot, but relies on you getting the ACL correct and can be bypassed by copying the file out into another filesystem to run.

Pak
  • 919
  • 5
  • 10