RFD Vulnerability And Content-Disposition Header Bypass Story!

Hola!
  • The program is quite small, containing only 5 domains in scope, but all of the domains have a lot of functionality to test.
  • I reported several low-hanging and medium severity bugs; some became duplicates and some were triaged. Then I stumbled upon a unique vulnerability by chaining small bypasses, and this is a detailed writeup of it.

About the Program:

  • Each of them has a unique domain.
  • Teachers can connect a student and their parents to their class by using a code or an invitation.
  • The privilege order is as follows: Teachers > Parents > Students.

The Vulnerability:

  • I tried to abuse the message box with XSS, and as per my initial analysis everything was filtered.
  • I tried from both ends, as a teacher and as a parent. No luck! Everything was encoded.
  • Then I found that the teacher has an option to download the message history. I intercepted the request and, to my surprise, found that the payloads in the messages were not stripped.
[Interception Screenshot]
  • But it is downloaded as a text file :(
[Downloaded as text file]
[The enemy]
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
  • I tried Googling "Content-Disposition header bypass" and thought of getting the contents executed inline, but no chance!
  • But if you look at the screenshot above again, the filename is actually Teacher_name_parent_name_messages.txt.
  • So I thought of a file extension bypass: eliminate the .txt extension and turn it into an .html extension with the help of the username, since the filename is under the control of the clients (parent and teacher).
  • I manipulated the parent username hoping to bypass the .txt extension, trying username.html#, username.html/ and some more. I finally succeeded with username.html" (with a trailing double quote).
[Extension Bypass]
[Downloaded as HTML file]

Reflected File Download (RFD) is an attack technique that can enable an attacker to gain complete access over a victim's machine by having a file virtually downloaded from a trusted domain. This web attack technique was discovered by Oren Hafif, a Trustwave SpiderLabs security researcher, in 2014.

Confirmation:

[confused]
  • We checked several other browsers and found that the quotes were filtered and replaced by underscores.
  • I quickly thought this was a Firefox issue and reported it to them.
  • They filed a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1695068
  • They also stated that:

Clearly there’s a bug on that site: they should not allow filenames with quotes and then not escape them. My concern here is that browser behavior difference could contribute to cases where sites get into trouble and then just blame Firefox, leaving our users unprotected. We have made exceptions to strict content-disposition parsing in the past, it might be worth figuring out what heuristic other browsers are using here.

  • So I played around again and found that a double quote followed by a semicolon ("; ) is the universal bypass: the quote is no longer converted into an underscore, because browsers stop parsing the filename when they reach the ; delimiter.

But How?

Content-Disposition header bypass.
  • Hence the filename header value becomes filename="Victim_teacher_Teacher_attacker_parent2.bat";
  • Even though it is not a direct bypass, the header is still bypassed.
  • With the filename under control, the attacker can bypass the Content-Disposition header!
  • All thanks to the poor handling of the filename convention.
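To make the header bypass concrete from the defender's side, here is an added Python model (my own reconstruction, not the site's code) of the vulnerable header construction, a simplified browser parser that stops at the first quote, and a hardened builder that allow-lists the name and forces the server-chosen .txt extension. The names TEACHER and PARENT, and the parser's leniency, are assumptions for illustration.

```python
import re

# Constructed sample names (not from the report): the parent name carries the
# double-quote-plus-semicolon trick described above.
TEACHER = "Victim_teacher"
PARENT = 'attacker_parent2.bat";'

def naive_header(teacher: str, parent: str) -> str:
    """Hypothetical reconstruction of the vulnerable pattern: user-controlled
    names interpolated into a quoted filename with no escaping and no
    enforcement of the server-chosen .txt extension."""
    return f'attachment; filename="{teacher}_{parent}_messages.txt"'

def parsed_filename(header: str) -> str:
    """Simplified model of a lenient browser parser: take the quoted value up
    to the first closing quote, so a user-supplied quote ends the filename and
    whatever follows (';', '_messages.txt') is treated as another parameter."""
    m = re.search(r'filename="([^"]*)"', header)
    return m.group(1) if m else ""

def safe_filename(teacher: str, parent: str, ext: str = ".txt") -> str:
    """Hardened builder: allow-list characters (dropping quotes, ';', '.' and
    control characters), cap the length, and append the extension the
    server chose, so no user-supplied extension can survive."""
    def clean(s: str) -> str:
        s = re.sub(r"[^A-Za-z0-9_-]+", "_", s)
        return s.strip("_")[:64] or "user"
    return f"{clean(teacher)}_{clean(parent)}_messages{ext}"

def safe_headers(teacher: str, parent: str) -> dict:
    """Response headers a defender would send for this download: a sanitized
    filename plus nosniff so the browser does not reinterpret the body."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{safe_filename(teacher, parent)}"',
        "X-Content-Type-Options": "nosniff",
    }

if __name__ == "__main__":
    # The naive header yields a .bat name; the hardened one always ends in .txt.
    print(parsed_filename(naive_header(TEACHER, PARENT)))
    print(parsed_filename(safe_headers(TEACHER, PARENT)["Content-Disposition"]))
```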

Attack scenario

  • The parent sends the payload calc.exe and deletes it (to make the teacher less suspicious).
Deleted content
  • Since the attacker (parent) controls the filename through the username, the attacker changes their name to parent.bat";.
  • So when the teacher downloads the message history file, it is downloaded as teacher_name_parent_name.bat, and the batch file contains the calc.exe command.
  • When the teacher (victim) opens it, the command is executed.

Report Timeline:

  • Bounty awarded - 28 Apr 2021
  • Resolved - 13 May 2021

Thanks for reading!

Instagram- https://www.instagram.com/username_.not._available/

Linkedin- https://www.linkedin.com/in/kabilan-s-4b8a90173/

Kabilan S

Bug hunter | Pentester | Security Researcher