- Hey everyone! Hope everyone is doing well.
- I am going to explain one of my recent findings on a private program; let's call it REDACTED.COM.
- The program is quite small, containing only 5 domains in scope, but all of the domains have a lot of functionality to test.
- I reported several low-hanging and medium-severity bugs; some became duplicates and some were triaged. Then I stumbled upon a unique vulnerability by chaining small bypasses, and this is a detailed writeup of it.
About the Program:
- The program is a platform for connecting students, teachers and parents.
- Each of them has a unique domain.
- Teachers can add a student and their parents to their class by means of a code or an invitation.
- The privilege order is: Teachers > Parents > Students.
- There is a chat feature for conversations between teachers and parents.
- I tried to abuse the message box with XSS, and as per my initial analysis everything was filtered.
- I tried from both ends, as a teacher and as a parent. No luck! Everything was encoded.
- Then I found that the teacher has an option to download the message history. I intercepted the request and, to my surprise, found that the payloads in the messages were not stripped.
- I quickly thought that it would execute in the context of the domain and opened the response in the browser.
- But it was downloaded as a text file :(
- We had found our enemy: the Content-Disposition header, which forces the user to download the content. It is supported by most browsers.
- I tried Googling for Content-Disposition header bypasses and thought of rendering the content inline, but no chance!
- But if you look at the above screenshot again, the filename is actually Teacher_name_parent_name_messages.txt.
- Now I thought of a file extension bypass: eliminate the .txt extension and turn it into an .html extension with the help of the username, since the filename is under the control of the clients (parent and teacher).
- I manipulated the parent username in the hope that I could bypass the .txt extension with username.html#, username.html/ and a few more. I finally succeeded with username.html".
- The message history file was finally downloaded as an HTML file. Oh wow, I did it!
- It's an RFD! (Reflected File Download)
Reflected File Download (RFD) is an attack technique that may enable an attacker to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. This web attack technique was discovered by Oren Hafif, a Trustwave SpiderLabs security researcher, in 2014.
- But our vulnerability is not a classic RFD; if it were, it would be closed as P5 by Bugcrowd.
- So now I needed to confirm the issue and asked Robert bro (a great advisor of mine) to reproduce it in his browser. He said it was not working: the quotes were replaced by underscores in his browser.
- Then we cross-checked our browser versions and found that I was using a somewhat older version of Firefox.
- We checked several other browsers and found that the quotes were filtered and replaced by underscores.
- I quickly concluded that this was a Firefox issue and reported it to them.
- They filed a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1695068
- They also stated that:
Clearly there's a bug on that site: they should not allow filenames with quotes and then not escape them. My concern here is that browser behavior difference could contribute to cases where sites get into trouble and then just blame Firefox, leaving our users unprotected. We have made exceptions to strict content-disposition parsing in the past, it might be worth figuring out what heuristic other browsers are using here.
- So I thought it was a bug that could only be exploited in older browsers, and I knew that the Bugcrowd ASE would not be able to reproduce it.
- So I played around again and found that something"; is the universal bypass: now the quotes are not converted into underscores by browsers, because the value ends at the delimiter.
- By changing the username to something.bat"; we actually close the header value as filename="something.bat"; and exclude everything after it (_messages.txt).
- Hence the filename header value becomes filename="Victim_teacher_Teacher_attacker_parent2.bat";
- Even though it is not a direct bypass, the header is still bypassed.
- With the filename under control, the attacker can bypass the Content-Disposition header!
- All thanks to the poor handling of filename control!
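The root cause in both the .html and the .bat variants above is the same: user-controlled names are concatenated into the Content-Disposition header, so a quote followed by a semicolon ends the filename= value early and the server-chosen _messages.txt suffix is never seen by the browser. The following is an added example (not code from the original post or from the affected site) that puts the vulnerable concatenation beside a hardened builder. The usernames, the lenient parser (a model of the "stop at the closing quote" behaviour described in the post) and the function names are all constructed for this illustration.

```python
import re
from urllib.parse import quote

# Constructed sample inputs for this example (not values from the original post).
TEACHER = "Victim_teacher"
HONEST_PARENT = "Alice_parent"
INJECTED_PARENT = 'Attacker_parent2.bat";'   # quote + semicolon end the filename= value early


def naive_content_disposition(teacher: str, parent: str) -> str:
    """The vulnerable pattern: client-controlled names concatenated straight into the header."""
    return f'attachment; filename="{teacher}_{parent}_messages.txt"'


def lenient_parse_filename(header: str) -> str:
    """Model of the lenient browser parsing the post describes: take the first quoted
    filename value and stop at its closing quote, ignoring whatever follows."""
    m = re.search(r'filename="([^"]*)"', header)
    return m.group(1) if m else ""


_UNSAFE = re.compile(r"[^A-Za-z0-9_-]")   # rejects quotes, semicolons, dots, CR/LF, non-ASCII


def safe_download_name(teacher: str, parent: str, ext: str = "txt") -> str:
    """Build the download name server-side: every character of the user-supplied
    parts outside a small allow-list becomes '_', so a user cannot smuggle a quote,
    a delimiter or a second extension, and the only dot is the one the server adds."""
    base = _UNSAFE.sub("_", f"{teacher}_{parent}_messages")
    base = re.sub(r"_+", "_", base).strip("_")[:150] or "messages"
    return f"{base}.{ext}"


def safe_content_disposition(teacher: str, parent: str) -> str:
    """RFC 6266 style header: an ASCII-only quoted filename for old clients plus a
    percent-encoded filename* parameter, both derived from the sanitised name."""
    name = safe_download_name(teacher, parent)
    return f"attachment; filename=\"{name}\"; filename*=UTF-8''{quote(name, safe='')}"


def extension_of(name: str) -> str:
    """Extension as a browser would see it (lower-cased, empty if there is no dot)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


if __name__ == "__main__":
    for parent in (HONEST_PARENT, INJECTED_PARENT):
        bad = lenient_parse_filename(naive_content_disposition(TEACHER, parent))
        good = lenient_parse_filename(safe_content_disposition(TEACHER, parent))
        print(f"{parent!r:28} naive -> .{extension_of(bad):4} hardened -> .{extension_of(good)}")
```

With the injected parent name the naive header parses to a .bat filename, while the hardened builder always yields the server-chosen .txt extension. Sending the history with Content-Type: text/plain and X-Content-Type-Options: nosniff is a sensible second layer, but it does not replace sanitising the filename, because the extension on disk is what the operating system acts on once the file is opened.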
- The parent and the teacher are the attacker and the victim respectively.
- The parent sends the payload calc.exe and deletes it (to make the teacher less suspicious).
- The deleted content is still rendered in the message history.
- Since the attacker (parent) controls the filename via the username, the attacker changes their name to parent.bat";.
- So when the teacher downloads the message history file, it is downloaded as teacher_name_parent_name.bat, and the batch file contains the calc.exe command.
- When the teacher (victim) opens it, the command is executed.
- Reported - 03 Feb 2021
- Bounty awarded - 28 Apr 2021
- Resolved - 13 May 2021