SSIS logging Malicious file upload. My application security team

  • Question

  • Malicious file upload.

     

    Observation: An attacker can directly upload an executable file, or use a double-extension file, to upload into the server.

     

    Impact: The web server can be compromised by uploading and executing a web shell which can run commands, browse system files, browse local resources, attack other servers and exploit local vulnerabilities. This may also result in defacement.

     

    Recommendation: The application should validate the type of file that is uploaded by the user prior to accepting and parsing the file.

    Proof of concepts and steps to reproduce:

    1. Create one ‘sample file’ with a .com extension on a physical drive.

    2. In the created SSIS package, right-click on an empty place and select Logging to create logging. Then click on the Add button under the ‘Providers and Logs’ tab as shown below.

     

    3. Click on the Configuration dropdown and select New connection. The ‘File Connection Manager Editor’ window will open. Click on the ‘Browse’ button and select the ‘test file .com’ file which was created already.

    4. Click on the OK button. Now we can see the .com file under Connection Managers.

    Can you please check whether it is really harmful to the application?


    Sudhan

    Monday, October 14, 2019 8:06 PM

All replies

  • Hi Sudhan,

    Please refer to Integration Services (SSIS) Logging.

    Best Regards,

    Mona


    MSDN Community Support

    Tuesday, October 15, 2019 7:05 AM
  • Hi Madhu,

    Well, in systems protected even at a minimum, the first echelon of defence is not getting a malicious file at all (exe or not) in the first place.

    Your antivirus solution should have intercepted the file by the time it gets processed.


    Arthur


    Tuesday, October 15, 2019 1:19 PM
    Moderator
  • Hi Mona,

    I went through Integration Services (SSIS) Logging, but I have not found any information about this issue. Can you please guide me with full details?


    Sudhan

    Wednesday, November 13, 2019 7:39 PM
  • Hi Sudhan,

    • It is a very good idea to accept file-based data feeds in XML format only.
      XML Schema files (*.xsd) allow XML files to be validated.
      SSIS has the XML Task to do that: Validate XML with the XML Task.
      SSIS has the XML Source Adapter to ingest XML files.
      This way no malicious file will be processed by the ETL processes.

    • SSIS logging should be done via the built-in SSISDB Catalog capabilities into the SSISDB database. This way no files, malicious or not, are involved.
    Wednesday, November 13, 2019 7:50 PM
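To make concrete both the recommendation in the question (validate the file type before accepting it) and the XML-only feed advice in the reply above, here is an added Python example that is not from the thread or from SSIS itself: it refuses double extensions such as feed.xml.com, extensions outside an allowlist, executable headers, and content that is not well-formed XML. The allowlist, the magic-byte table and the sample names are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Allowlist of extensions the feed intake accepts (assumption: XML-only feeds,
# as recommended in the thread). Everything else, including .com/.exe, is refused.
ALLOWED_EXTENSIONS = {".xml"}

# Leading bytes of common executable formats. A DOS .com file has no signature,
# which is why the extension and XML checks below cannot be skipped.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def check_filename(name: str):
    """Return (ok, reason). Rejects path components, control characters and
    double extensions such as 'feed.xml.com' before the content is even read."""
    if not name or name != os.path.basename(name):
        return False, "path components are not allowed in an upload name"
    if any(ord(c) < 32 for c in name):
        return False, "control characters in file name"
    parts = name.split(".")
    # exactly one dot means one stem and one extension; 'a.xml.com' has two
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "file name must be <stem>.<ext> with a single extension"
    ext = "." + parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} is not in the allowlist"
    return True, ext


def check_content(data: bytes):
    """Return (ok, reason). Refuses executable headers and anything that is not
    well-formed XML, so a renamed binary does not pass on its extension alone.
    For untrusted input in production, parse with defusedxml instead."""
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "executable signature detected"
    try:
        ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    return True, "well-formed XML"


def validate_upload(name: str, data: bytes) -> bool:
    """Accept a file only if both the name and the content checks pass."""
    ok, _ = check_filename(name)
    if not ok:
        return False
    ok, _ = check_content(data)
    return ok
```

Schema validation against the feed's .xsd (as the XML Task does) would be the next step after these checks; it needs a library such as lxml and is not shown here.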
  • Where did you get these steps?

    The steps you indicate are to CREATE a log file.  This log file is only written by SSIS.  There is no way this would affect SSIS or the server this file is using.

    What exactly is the concern?


    Wednesday, November 13, 2019 7:59 PM