Re: [WEB SECURITY] Attack Technique: File Download Injection
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Attack Technique: File Download Injection
- Date: Mon, 7 Apr 2008 20:38:17 -0700
This is really nice, Jeff.
This is ultimately a well researched, very easy and effective use of HTTP
Control Character injection, which is what most of the world means when
they say "HTTP Response Splitting" -- including every automated test
I've seen for this.
This also points out that we should really revisit "HTTP Response Splitting"
and break it down into all the real & useful attack variants.
Amit's excellent paper is too complicated for the layman. Heck, it was
too complicated for me. (No jokes from the rest of the crowd)
"response splitting" is a far-fetched attack variant under most normal
conditions, but you can do a lot of things like you describe here. This
gets REALLY BAD when you start dealing with intermediary caching
proxies, or 3rd party Akamai-like providers that cache updated content
dynamically & host on their bandwidth (versus their customers' bandwidth).
I'm not talking theory. I've proved this IRL in the last year.
We started a paper on our research internally at WhiteHat, but never
completed it unfortunately due to people bandwidth. I'll ping folks
internally and see where we are at with this.
Your work is timely and very well written up.
We need a master attack node of > HTTP Protocol Manipulations
with subsets of
> HTTP Control Character injection
>> HTTP Header Injection, Download Injection, RS, etc etc
also, as an aside
>> HTTP Verb manipulations
This hasn't been well documented, and there's not much to
it, but you still find code that pulls data/strings arbitrarily
out of some generic session or request object, when the
validation or security routines are bound explicitly to a
specific HTTP verb or request construct (e.g. only validates
Poststring data on POST, and not Querystring params)
Yet the code parses that stuff out of the request or session
object after validation, leading to HTTP Control Character
injection, XSS, SQLi, etc etc.
That would add a few new attack vectors to your examples
below for sure.
Again, great work, thanks for documenting so well and
sharing it with us!
Cheers,
--
--
Arian Evans, software security stuff
reformed hacker turned animal rights activist to meet vapid chicks concerned
with those tasty animals
On Mon, Apr 7, 2008 at 12:22 PM, Jeff Williams <
jeff.williams@aspectsecurity.com> wrote:
> File Download Injection
> =======================
>
> Affects most web application platforms, including Java, .NET, PHP, Cold
> Fusion.
>
> This attack involves the use of header injection, particularly the
> Content-Disposition header, to subvert HTTP responses from trusted
> domains. Attackers can use this technique to inject a malicious file
> download with an arbitrary filename (.html, .exe, .swf, .mov, .msi,
> .vbs, etc...) and arbitrary file content. Since the attack subverts an
> existing HTTP request, both the URL and the downloaded file use a
> trusted domain.
>
> Some variants of the attack are surprisingly simple:
>
> http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad
>
> When the response for this attack arrives at the victim's browser, the
> malicious file is named "attack.bat" and contains the command "wordpad"
> inside. The injected file is opened as if it was a legitimate download
> from the trusted domain. The attacker can inject any filename (.exe,
> .bat, .html, .pdf, .sh, etc...) with any file content, and the browser
> just opens it as it normally would - sometimes with a "run", "save",
> "cancel" dialog and sometimes not.
>
> Susceptible header injection vulnerabilities are frequently found in
> file download pages, but could be anywhere a web application uses
> untrusted input in a response header. This type of vulnerability can
> exist in virtually any web application environment, including Java, .NET
> and PHP.
>
> This research builds on previous work in header injection and malicious
> file execution, and adds the ability to make the attack come from
> trusted domains. Although file download injection attacks are sent
> through the vulnerable application on their way to the browser for
> execution, they go beyond cross site scripting (XSS) as any file type
> can be injected. The attack is also different from HTTP response
> splitting as no second response is generated. Instead, the content of
> the original response is replaced.
>
> The paper examines various aspects of the attack, including both stored
> and hidden variants and issues related to Content-Length. Some advanced
> techniques for bypassing naive defenses are discussed. Finally, the
> requirements for a strong defense are presented. Organizations are
> encouraged to find and eliminate header injection vulnerabilities based
> on the severity of this attack.
>
> Full details in the white paper here:
> http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
>
> --Jeff
>
> Jeff Williams
> Aspect Security
>
>
>
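The simple variant in Jeff's announcement (fn=attack.bat%0d%0a%0d%0awordpad), reproduced and then blocked, as an added example that is not code from the paper or from Aspect Security. It assumes a hand-built response writer and a minimal browser-side splitter; the allow-list regex and the "reject, don't sanitise" policy are this example's choices.

```python
import re
from urllib.parse import unquote

# Constructed input: the fn= value from the announcement, percent-decoded the way
# a servlet container or PHP runtime decodes it before the application sees it.
SAMPLE_FN = unquote("attack.bat%0d%0a%0d%0awordpad")
_CTL = re.compile(r"[\x00-\x1f\x7f]")          # CR, LF and every other control byte

def vulnerable_response(fn, body=b"REAL FILE CONTENT"):
    """Untrusted filename copied verbatim into Content-Disposition: the defect."""
    head = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: application/octet-stream\r\n"
            f"Content-Disposition: attachment; filename={fn}\r\n\r\n")
    return head.encode("latin-1") + body

def parse_response(raw):
    """Split a raw response the way a browser does: headers end at the first
    blank line, everything after it is the entity body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    return headers, body

def filename_problem(fn):
    """Return why fn is unsafe in a header, or None. Control characters (the
    injection vector) are checked first, then a plain-filename allow-list."""
    if _CTL.search(fn):
        return "control character in filename"
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}", fn):
        return "filename outside allow-list"
    return None

def hardened_response(fn, body=b"REAL FILE CONTENT"):
    """Reject rather than sanitise, and quote the parameter value as the
    Content-Disposition grammar expects (the allow-list already excludes ';' and '"')."""
    problem = filename_problem(fn)
    if problem:
        raise ValueError(problem)
    head = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: application/octet-stream\r\n"
            f'Content-Disposition: attachment; filename="{fn}"\r\n\r\n')
    return head.encode("ascii") + body
```

Parsing the vulnerable response shows the header truncated at "attack.bat" and the body beginning with "wordpad" ahead of the real file content, which is exactly the replacement the announcement describes; the hardened writer never emits that response.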
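The verb-bound validation pattern Arian mentions above (validation runs only on POST body data, while the handler reads the value from a generic request object that also resolves query parameters), as an added example rather than anything from the thread. The Request class is a constructed stand-in for a framework request; the "query wins over form" merge order is an assumption, and the fix is simply to validate the value at the point where it is read.

```python
import re

_CTL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF and the rest of the control range

class Request:
    """Minimal stand-in for a framework request (constructed for this example):
    query parameters, POST body parameters, and a merged lookup that resolves a
    name from either source, the way a generic getParameter() does."""
    def __init__(self, method, args=None, form=None):
        self.method, self.args, self.form = method, args or {}, form or {}

    def param(self, name):
        # Assumed merge order: query string first, then body.
        return self.args.get(name, self.form.get(name))

def validate_post_only(req):
    """The defect: the security routine is bound to the verb and only inspects
    the POST body, so query-string values are never examined."""
    if req.method == "POST":
        return all(not _CTL.search(v) for v in req.form.values())
    return True

def vulnerable_filename(req):
    if not validate_post_only(req):
        return None
    return req.param("fn")        # reads the merged view, not the validated one

def hardened_filename(req):
    """Validate the exact value the handler is about to use, whatever the verb.
    Returns the filename, or None when it is rejected."""
    fn = req.param("fn")
    if fn is None or _CTL.search(fn):
        return None
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}", fn):
        return None
    return fn

# Constructed request: a POST whose body is clean but whose query string carries
# the CRLF payload from the announcement.
MIXED = Request("POST",
                args={"fn": "attack.bat\r\n\r\nwordpad"},
                form={"fn": "report.pdf"})
```

validate_post_only passes MIXED because it only looks at the body, and vulnerable_filename then hands the query-string value to the download code; hardened_filename rejects it because it checks what it actually uses.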
Brought to you by http://www.webappsec.org