SirGod

Reflected File Download - A New Web Attack Vector

1. Introduction

Reflected File Download (RFD) is a web attack vector that enables attackers to gain complete control over a victim's machine. In an RFD attack, the user follows a malicious link to a trusted domain, resulting in a file download from that domain. Once executed, it's basically "game over", as the attacker can execute commands at the operating-system level of the client's computer.

Contents:

1. Introduction
   1.1. RFD Attack Flow
   1.2. Implications
   1.3. RFD Requirements
   1.4. RFD & JSON
2. Detecting RFD
   2.1. Looking for Reflected Input
        2.1.1. Breaking context for command execution
        2.1.2. Injection of command separators and commands
   2.2. Controlling the Filename
        2.2.1. Adding forward slashes
        2.2.2. Adding Path Parameters (the semicolon character)
        2.2.3. Filenames and Extensions Suitable for RFD
        2.2.4. Windows 7 security feature bypass
   2.3. Forcing Responses to Download
        2.3.1. Content-Type & Downloads
        2.3.2. The Content-Disposition Header
        2.3.3. Using the Download Attribute of the Anchor Tag
        2.3.4. Download Happens, Deal with it!
3. RFD Advanced Exploitation
   3.1. Exploiting RFD to gain control over all websites in Chrome
   3.2. Using PowerShell as a 'Dropper'
   3.3. Exploiting JSONP Callbacks to Execute Malware
4. Mitigations
5. Acknowledgments

Full document:

https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view
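The outline above names the three things an RFD attack needs (reflected input, an attacker-controlled filename via the URL path, and a response the browser saves rather than renders) and the mitigations chapter. The following is an added example, not code from the paper or from this post, that models those three conditions as a checker and runs it against a JSONP-style endpoint before and after hardening. The host `trusted.example`, the handler names, the `"||calc||` payload, and the extension and content-type lists are illustrative assumptions, not from the paper.

```python
"""Added example (not from the RFD paper or the forum post): model the three RFD
conditions named in the outline and test a JSONP endpoint before/after hardening.
Host, endpoint, payload, and the extension/type lists are constructed for illustration."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Callback names a JSONP endpoint should accept: a plain JS identifier (assumed policy).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
# Extensions Windows hands to cmd / PowerShell / WSH on double-click (illustrative subset).
EXEC_EXTENSIONS = {"bat", "cmd", "ps1", "vbs", "js", "hta", "exe"}
# Types browsers render inline rather than save (illustrative subset).
RENDERED_TYPES = {"text/html", "text/plain", "application/json", "application/javascript"}


def vulnerable_jsonp(query):
    """Reflects the callback verbatim and never pins a filename server-side."""
    callback = query.get("callback", ["callback"])[0]
    return {"Content-Type": "application/json"}, '%s({"results":[]});' % callback


def hardened_jsonp(query):
    """Whitelists the callback (reject, don't sanitise) and pins the filename."""
    callback = query.get("callback", ["callback"])[0]
    if not CALLBACK_RE.match(callback):
        headers = {"Content-Type": "text/plain",
                   "Content-Disposition": 'attachment; filename="error.txt"'}
        return headers, "invalid callback"  # nothing attacker-supplied is echoed
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # A fixed filename means the browser ignores the URL's last path segment.
        "Content-Disposition": 'attachment; filename="api.json"',
    }
    return headers, '%s({"results":[]});' % callback


def serve(url, handler):
    """Toy router: any path reaches the handler, like a stack that strips ';'
    path parameters and routes /api/search;/setup.bat to /api/search."""
    return handler(parse_qs(urlsplit(url).query))


def browser_filename(url):
    """Name a browser derives when no filename= is sent: the last path segment,
    so /api/search;/setup.bat -> setup.bat (outline sections 2.2.1 and 2.2.2)."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def assess_rfd(url, headers, body, payload):
    """Evaluate the three RFD conditions for one response."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    cdisp = headers.get("Content-Disposition", "").lower()
    server_named = "filename=" in cdisp
    name = browser_filename(url)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""

    if server_named:
        download = "server-filename"            # attacker's path segment is overridden
    elif cdisp.startswith("attachment") or ctype not in RENDERED_TYPES:
        download = "forced-by-headers"          # browser saves it without any help
    else:
        download = "anchor-download-attribute"  # attacker needs <a download> (section 2.3.3)

    reflected = payload in body
    filename_controllable = (not server_named) and ext in EXEC_EXTENSIONS
    return {
        "reflected": reflected,
        "filename": name,
        "filename_controllable": filename_controllable,
        "download": download,
        # In the anchor case this holds only where the browser honours <a download>.
        "exploitable": reflected and filename_controllable and download != "server-filename",
    }


def attack_url(payload, path="/api/search;/setup.bat"):
    """The link a victim would click: trusted host, attacker-chosen last segment and callback."""
    return "https://trusted.example" + path + "?callback=" + quote(payload, safe="")


def run(handler, payload):
    url = attack_url(payload)
    headers, body = serve(url, handler)
    return assess_rfd(url, headers, body, payload)


if __name__ == "__main__":
    PAYLOAD = '"||calc||'  # closes the JS context, then a cmd separator and a command
    print("vulnerable:", run(vulnerable_jsonp, PAYLOAD))
    print("hardened:  ", run(hardened_jsonp, PAYLOAD))
```

The hardened handler applies both mitigations at once: rejecting non-identifier callbacks removes the reflected command, and a server-set `filename=` removes the attacker's control over what the file is called. The `attachment` disposition only matters for navigations, which is the path RFD uses; a `<script src>` include of the same endpoint does not trigger a download, so JSONP consumers keep working.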
