Nytro Posted November 6, 2014

Reflected File Download - A New Web Attack Vector

PLEASE NOTE: As promised, I've published a full white paper that is now available for download: White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif.

In October 2014, as part of my talk at the Black Hat Europe 2014 event, I presented a new web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from trusted domains. I decided to call this technique Reflected File Download (RFD), as malware can be "downloaded" from highly trusted domains such as Google.com and Bing.com without ever being uploaded.

As long as RFD is out there, users should be extremely careful when downloading and executing files from the web. The download link might look perfectly fine, include a popular, trusted domain and use a secure connection, but users still need to be wary. Look at the following link for example. Up until a few months ago, it could have been used to steal ALL cookies from your browser, perform actions on your behalf and steal emails from your Gmail inbox:

https://www.google.com/s;/ChromeSetup.bat

Google fixed the vulnerability so that the link above now only downloads a harmless text file.

RFD, like many other Web attacks, begins by sending a malicious link to a victim. But unlike other attacks, RFD ends outside of the browser context:

1) The user follows a malicious link to a trusted web site.
2) An executable file is downloaded and saved on the user's machine. All security indicators show that the file was "hosted" on the trusted web site.
3) The user executes the file, which contains shell commands that gain complete control over the computer.

Figure 1 – The three-step attack flow of Reflected File Download

For a Reflected File Download attack to be successful, there are three simple requirements:

1) Reflected – Some user input is being "reflected" into the response content. This is used to inject shell commands.
2) Filename – The URL of the vulnerable site or API is permissive and accepts additional input. This is often the case and is used by attackers to set the extension of the file to an executable extension.
3) Download – The response is being downloaded and a file is created "on-the-fly" by the Web browser. The browser then sets the attacker-controlled filename that was parsed in requirement 2 above.

Figure 2 – A service is vulnerable if the three RFD requirements are met

Full article and video: Reflected File Download - A New Web Attack Vector - SpiderLabs
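The three requirements above, as an added example that is not part of the original post or of the SpiderLabs article: a simulated JSONP-style search endpoint that meets all three (permissive route, verbatim reflection of the `callback` parameter, response saved under a URL-derived name), beside a hardened handler that breaks each one. The route `/api/search`, the host `example.test`, the `||calc||` callback value and the simplified browser-naming model are assumptions for illustration, not a reconstruction of any real site.

```javascript
// Added example: simulated RFD-vulnerable endpoint and its hardened form.
// Not code from the SpiderLabs post or Oren Hafif's paper; route, host and
// payload are illustrative assumptions. Uses only the global WHATWG URL class.
const BASE = 'https://example.test';

// Vulnerable handler: returns { status, headers, body } for a request URL.
function vulnerableHandler(reqUrl) {
  const u = new URL(reqUrl, BASE);
  // Requirement 2 (Filename): permissive routing. Anything that begins with
  // /api/search is served, so "/api/search;/ChromeSetup.bat" is accepted and
  // the browser names the download after the last path segment.
  if (!u.pathname.startsWith('/api/search')) return { status: 404, headers: {}, body: '' };
  const q = u.searchParams.get('q') || '';
  const callback = u.searchParams.get('callback') || 'cb';
  // Requirement 1 (Reflected): the callback parameter is copied verbatim to
  // the start of the body. A value such as "||calc||" puts shell syntax at the
  // top of the file; cmd.exe treats "||" as a command separator when the file
  // is saved as .bat and run, so the command between the separators executes.
  const body = `${callback}(${JSON.stringify({ q, results: [] })});`;
  // Requirement 3 (Download): no Content-Disposition, so nothing overrides the
  // URL-derived filename; the response is assumed to be saved, not rendered.
  return { status: 200, headers: { 'Content-Type': 'application/json' }, body };
}

// Allowlist for JSONP callbacks: a plain JavaScript identifier, nothing else.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Hardened handler: same API, each RFD requirement removed.
function hardenedHandler(reqUrl) {
  const u = new URL(reqUrl, BASE);
  // Breaks requirement 2: exact route match, no trailing path segments or
  // path parameters, so the attacker cannot choose the extension via the URL.
  if (u.pathname !== '/api/search') return { status: 404, headers: {}, body: '' };
  const q = u.searchParams.get('q') || '';
  const callback = u.searchParams.get('callback') || 'cb';
  // Breaks requirement 1: reject any callback that is not an identifier, so
  // no shell metacharacters reach the start of the file. The q parameter is
  // still echoed, but only inside a JSON string literal.
  if (!CALLBACK_RE.test(callback)) return { status: 400, headers: {}, body: '' };
  const body = `${callback}(${JSON.stringify({ q, results: [] })});`;
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json',
      // Breaks requirement 3's naming: the server fixes name and extension, and
      // nosniff stops the browser from guessing a different type.
      'Content-Disposition': 'attachment; filename="search.json"',
      'X-Content-Type-Options': 'nosniff',
    },
    body,
  };
}

// Simplified model of how a browser names a saved response (an assumption,
// not an exact reimplementation of any browser): a Content-Disposition
// filename wins; otherwise the last segment of the URL path is used.
function browserFilename(response, reqUrl) {
  const cd = response.headers['Content-Disposition'] || '';
  const m = /filename="([^"]+)"/.exec(cd);
  if (m) return m[1];
  const segs = new URL(reqUrl, BASE).pathname.split('/');
  return segs[segs.length - 1] || 'download';
}

// Constructed attack URL: path parameter sets the name, callback carries the
// payload ("%7C" is "|", so callback decodes to "||calc||").
const ATTACK_URL = '/api/search;/ChromeSetup.bat?q=rfd&callback=%7C%7Ccalc%7C%7C';

// Run both handlers against the attack URL and report what the browser would save.
function demo() {
  return [vulnerableHandler, hardenedHandler].map((h) => {
    const r = h(ATTACK_URL);
    return {
      handler: h.name,
      status: r.status,
      savedAs: r.status === 200 ? browserFilename(r, ATTACK_URL) : null,
      body: r.body,
    };
  });
}

for (const line of demo()) console.log(line);
```

Against the attack URL the vulnerable handler answers 200 with `||calc||({"q":"rfd","results":[]});` saved as `ChromeSetup.bat`; the hardened handler answers 404 on the extra path segment, 400 if the same callback is sent to the exact route, and names every legitimate response `search.json`. Note that the fixed filename alone already defeats the attack: even with `rfd` or `||calc||` still reflected inside the JSON string, a file named `search.json` is not an executable.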