We had a problem where “someone” stored a .torrent file on a shared area. What a scandal. However, the investigation stalled, as Grumpy Admin had already taken steps to cover his tracks, er, remediate this gross policy violation before the guilty party could be identified. Meh! Never mind. However, Grumpy Admin's boss is a strong believer in prevention being better than cure, and asked me to find a technical solution to this type of problem.
This has the file screening and blocking features of the File Server Resource Manager (FSRM) role written all over it as the solution to this problem! The role was introduced in Windows Server 2008 and has, of course, got better in the later versions. As with most things, the boss wanted a POC.
So I decided to knock up an area with a file screen in place that would prevent .torrent files from being saved to it! Simple!
Now, to build my proof of concept for my boss, I decided to once again use my Azure server. I hadn't closed the window since the last blog post, where I used it to install WMF 5.0 and mess around with OneGet, and it lends itself to this sort of POC work: no risk to the production environment.
Now, like most things in Microsoft land, this can be done either through the GUI or, you guessed it, via PowerShell. But I will be honest: high-level stuff like this is perhaps best done using the GUI! The right tool for the right job, that is what I live by!
However, Grumpy Admin will show you both the GUI and the PowerShell method to create a basic file screen. The role has a lot more depth; I am just touching the surface. On my MCSA exams there was some stuff about this role, so it is worth reading up on and getting to grips with!
Right, so my challenge then is to install and configure an area that will block you from writing .torrent files to it and log the violation to the event log!
First things first, we need to install the role on the server. Again we can either use Server Manager or PowerShell. Grumpy Admin has a soft spot for PowerShell at this moment in his career, so he will be using the Install-WindowsFeature cmdlet to install the role, including the management tools of course!
I am not a smart person; in fact I am actually kind of stupid… I can't remember every feature name for every role and stuff like that. I think it is a waste of time: as long as you sort of know what you are looking for or want to do, you can use PowerShell help or Google to do things! So I do a Get-WindowsFeature, which lists all the roles and features in Windows for me.
That lists everything; if I wanted to I could use wildcards and keywords to narrow down the search for the right role.
So using our PowerShell Kung-Fu skills we know that the feature we need is RSAT-FSRM-Mgmt for the admin tools, and the actual server role is called FS-Resource-Manager.
So all we need to do now is run Install-WindowsFeature for those two.
Now that these Windows features/roles are installed, I can get on and configure this proof of concept.
Right, I need an area that is going to hold the data. I could just create a directory, but I want to create a whole new volume, a VHD, for this user data.
Now, this server doesn't have the Hyper-V role, so I can't really or easily create a VHD file in PowerShell, or at least I haven't found a quick way in PowerShell… So any hints and tips would be most welcome!
So I drop back to the good old GUI to create the VHD file which I will be using as my storage area.
I create a simple 100GB dynamically expanding VHD. I could continue to use the GUI, and I expect at this stage it would be faster to configure this VHD that way. But it has made me grumpy that I wasn't able to create the VHD in PowerShell. I hate feeling dumb! So I will initialize, partition and format the disk using PowerShell. After all, PowerShell is a large portion of this blog at the current time.
So we know the disk is number 2.
We need to initialize the disk first before we can do anything else on it.
# Bring the new (RAW) disk online with a partition table before anything else
Initialize-Disk -Number 2
# One partition using the whole disk; -AssignDriveLetter is a switch, so it takes no $true
New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter
# The partition got E:, so format that as NTFS and label it
Format-Volume -FileSystem NTFS -DriveLetter E -NewFileSystemLabel "Data"
Done 🙂 I know I could have used the pipeline, but I wanted to do it step by step. We now have a formatted drive in Windows that we can use as our area for file screening… I am still grumpy that I couldn't create and attach the original VHD file without having the Hyper-V role installed…
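Since the post asks for hints on doing the VHD step in PowerShell, here is an added example (not the post's own code): it scripts diskpart, which is present without the Hyper-V role, to create and attach a dynamically expanding VHD, then runs the same initialize/partition/format steps against whatever disk number the VHD actually received. The VHD path and size are assumptions, as is locating the disk via Get-DiskImage | Get-Disk.

```powershell
# Added example: VHD creation without Hyper-V (New-VHD needs that role), by
# driving diskpart from PowerShell. Path and size are assumptions for the demo.
$VhdPath = 'C:\VHDs\Data.vhd'      # assumed location
$SizeMB  = 100 * 1024              # 100 GB, dynamically expanding

New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

# diskpart takes a script file; type=expandable is "dynamically expanding"
$script = [System.IO.Path]::GetTempFileName()
@"
create vdisk file="$VhdPath" maximum=$SizeMB type=expandable
select vdisk file="$VhdPath"
attach vdisk
exit
"@ | Set-Content -Path $script -Encoding ASCII
diskpart /s $script | Out-Null
Remove-Item $script

# Find the attached disk by its image path instead of assuming "disk 2"
# (assumption: Get-DiskImage | Get-Disk resolves the attached VHD)
$disk = Get-DiskImage -ImagePath $VhdPath | Get-Disk

# The same three steps the post ran by hand, on the discovered disk number
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false
```

Run it from an elevated PowerShell session; diskpart will refuse to run otherwise.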
Right, now let's get back to the GUI and get this file blocking thing sorted. So I launch the FSRM administration tool via Server Manager, expand the file screen section, and then right-click Create File Screen…
Next I select the file screen path, which in our case will be the E: drive. If I do it at the drive level it will be easier to deal with 🙂
Next I select Custom Properties, and this brings up the window which allows me to do some more in-depth configuration of the file screen.
I want it to be Active Screening; this will prevent users from saving the file to the location in the first place. No nasty files in my data area, thank you very much. Next comes the file groups selection box.
I give this group the very original and descriptive name of “Torrents”, then select my newly created torrent file group and check out the other options… well, if people are doing naughty things, let's catch them. So I configure the Event Log tab.
You could get it to execute a command as well when it detects that a matching file has been saved… this has a lot of power with the right imagination!
Then there is also a Report tab! This could be useful for managers and the like… but we shall ignore this; we just want a basic proof of concept up and running! I am happy with having it just logged to the event log, so I click OK and close that!
Then I review the Create File Screen dialog box and click Create 🙂
It will prompt you to save it as a template. This is your choice; I didn't create a template, I just saved the custom file screen instead. This is just a basic POC to demo the feature to someone who should already know all about it!
At the simplest level, I now have an area where you can't save .torrent files… now let's check to make sure it works as intended. That will be the proof!
Yes, it does, and it also adds an entry to the event log. I tried to create a .torrent file via Notepad, and I also tried to copy one across into the area. The create file action logged an entry to the event log; on the copy operation Windows just prevented the action from taking place.
This was exactly what the boss wanted, and it is built right into Windows. I had a feeling he thought we were not going to be able to do anything about this. These Windows features, when combined with folder redirection for home drives, could be very powerful: just another string to the defence-in-depth methodology, and it might save some hard drive space. I.e. if you don't have a business need to store .mp3 or .avi files in your users' home drives, let's prevent them from doing it, right! Right, so let's recap:
We created a new file screen
We created a new file group
Now, that was easy using the GUI; let's undo everything and see if we can do this in PowerShell! Right, so let's first do a Get-Command *FSRM*, which will tell us what cmdlets we have to work with!
Ace. Now let's have a look; the first thing I think I might want to do is recreate our torrent file group. This seems like a logical place to start. So let's do a, that's right, you guessed it, a Get-Help on the New-FsrmFileGroup cmdlet! This time I am going to use the -Example flag! From this I can determine that I want to do the following:
New-FsrmFileGroup -Name "Torrents" -IncludePattern @("*.torrent")
Now, if I quickly switch back to the GUI, I should be able to see this new file group, and yes I can, excellent. Now all I need to do is create the file screen… again let's do a
get-help new-fsrmfilescreen -example
This allows me to construct the following line:
New-FsrmFileScreen -Path "E:\" -IncludeGroup "Torrents"
It worked! Let's check the GUI, and our new screen is in place. I repeat the tests from earlier and all is well: it successfully blocks torrent files from being saved down to the data area 🙂
However, what didn’t I do??? I didn’t configure the alerting options….this gives us the chance to play with the
I decided to be a bit risky and just enter the command to see what it does: it prompts for a path, I enter “E:\”, and it offers a warning. Excellent, now that is deleted I can start again and recreate the file screen with the correct properties, i.e. logging to the event log!
However, I need a bit more information this time so I don't go wrong again! So I once again resort to my best and all-time favourite command, the good old Get-Help, and look at the full help for the New-FsrmFileScreen cmdlet.
It looks like we need to configure the notification action first… Then, with this notification object in a variable, we can recreate our file screen and pass that object as the -Notification parameter and we should be good. I also add a description, as I missed that as well; Grumpy Admin isn't perfect!
I see from the examples in Get-Help that I can use variables in emails and warnings, such as the [File Owner] variable, so I slip this into my body text. This should provide some accountability.
# Notification action: write a Warning to the event log (note: [File Owner] is taken from the help example; see below for how that turned out)
$settings = New-FsrmAction -Type Event -EventType Warning -Body "[File Owner] tried to save a torrent file"
# Recreate the screen, this time with a description and the notification attached
New-FsrmFileScreen -Path "E:\" -IncludeGroup "Torrents" -Description "Block Torrents" -Notification $settings
The event log action worked; however, Grumpy Admin must have made a mistake somewhere, as it didn't substitute the file owner name like in the example. Not being perfect makes me grumpy! But the concept works, and that is what to take away from this!
So, just to recap: my boss asked me to prevent whoever it was (no idea, honest) from downloading and leaving torrents on the shared area. I recommended that we introduce the file screen feature from the FSRM role. I was asked to do a proof of concept just to demonstrate it to him, so I did this both via the GUI and via PowerShell.
After looking into my little variable mistake in the event log, it looks like the help files may be wrong, which just makes me grumpy!
One of the examples uses [File Owner], whereas it should be either [Source File Owner] or, for better accountability, the [Source Io Owner] variable.
Grumpy Admin is far too lazy to repeat his screen captures with the correction in, and it shows you that mistakes are very common! So forgive the error, please!
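For anyone who wants the corrected version in one go, here is an added example (not the post's own code) that builds the same file group, action and active file screen in PowerShell with the [Source Io Owner] variable the post settles on, then reads the screen and the latest events back to prove it. The [Source File Path] variable and the SRMSVC event provider name are assumptions from FSRM's notification variables and logging; the drive letter, group name and description are the post's own values.

```powershell
# Added example: the post's PowerShell file screen, end to end, with the variable
# corrected so the event names who attempted the write. Not the post's code.
Install-WindowsFeature -Name FS-Resource-Manager, RSAT-FSRM-Mgmt | Out-Null

# File group: what to match. Guarded so the script can be re-run safely.
if (-not (Get-FsrmFileGroup -Name 'Torrents' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Torrents' -IncludePattern @('*.torrent') | Out-Null
}

# Notification: a Warning in the Application log naming the account that tried.
# [Source Io Owner] is the variable the post identifies; [Source File Path] is an
# assumed additional FSRM variable giving the path that was refused.
$action = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] tried to save a torrent file: [Source File Path]'

# Active screen on the whole volume: the write is refused and the event fires
New-FsrmFileScreen -Path 'E:\' -IncludeGroup 'Torrents' -Active `
    -Description 'Block Torrents' -Notification $action | Out-Null

# Proof: show the screen and the most recent screening events (assumed provider SRMSVC)
Get-FsrmFileScreen -Path 'E:\' | Format-List Path, IncludeGroup, Active, Description
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Trigger it the same way the post did (save a .torrent via Notepad or copy one to E:\) and the last line should now show the user name in the message.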