Exploitation of file’s download parameters to create potential risk of malware delivery: $200 bug!
I am Muhammad Aamir, a cybersecurity professional from Pakistan. Here I share a vulnerability I found in a file download feature whose parameters could be exploited to create a potential risk of malware delivery. The program is on Bugcrowd and I was rewarded with $200 for this finding. I reported it in October 2021.
The program has a subdomain in scope which is used for managing the network formed by their commercial devices. The owner can register on the domain as administrator and can also add other users with roles of administrator and employee for managing the network. A number of functionalities exist to manage the network and devices, such as inventory management, billing management and user management.
I found a download option on one of the domain pages that offers a download of the list of invoices in .xlsx (Excel sheet) format. On viewing the request in Burp proxy, I found that it is a POST request with three major parameters: csrf_token, filename, and data.
After some testing, I found that all three major parameters were vulnerable in the following sense:
- csrf_token: The request is vulnerable to CSRF attack. I could remove the token and the file was still downloadable.
- filename: The request is vulnerable to extension filter bypass. I could inject an extension of my choosing to change the nature of the file. This was a major attack vector, as I could turn the file into an executable (.exe for Windows targets and .sh for Linux targets).
- data: The request is vulnerable to file data overwrite. I could change the data, and when downloaded, the file contained the data I had injected as attacker.
By chaining the above factors, I could insert malware by controlling the ‘data’ parameter, convert the file into an executable with the ‘filename’ parameter, and finally deliver the file to the victim by taking advantage of the CSRF vulnerability.
A trick was required to bypass the extension filter and convert the file into an executable, because the application only allowed filenames with the .csv extension. To bypass this, I used the filename “invoices.sh%22.csv” (double quotes were required after .sh to close the filename before .csv, so I used %22 because the value of the ‘filename’ parameter is URL-encoded). For the PoC, I simulated a Linux victim and had the file downloaded with a ‘data’ value of #!/bin/bash%0a#PoC%20script%0atouch%20File.Attack. Hence, a bash script with the .sh extension was downloaded to the victim’s device. When it was executed, a file called File.Attack was created by my PoC script.
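To show why the quote trick works and what a fixed endpoint looks like, here is an added example (my own illustration, not the program’s code). It contrasts the suffix-only extension check described above with a strict allowlist, and models a hardened download handler in which the CSRF token is verified, the filename is fixed server-side and the body is rendered from server-side records; the handler and its field names are assumptions for illustration.

```python
import csv
import hmac
import io
import re

# Weak check as described in the write-up: only the trailing ".csv" is inspected,
# so 'invoices.sh".csv' passes and the embedded quote closes the header value early.
def weak_extension_check(filename: str) -> bool:
    return filename.lower().endswith(".csv")

def vulnerable_header(filename: str) -> str:
    """Raw interpolation after the weak check (the behaviour before the fix)."""
    if not weak_extension_check(filename):
        raise ValueError("extension not allowed")
    return 'attachment; filename="%s"' % filename

def effective_filename(header: str) -> str:
    """Models a client that takes the first quoted token after filename= as the name."""
    return re.search(r'filename="([^"]*)"', header).group(1)

# Hardened check (assumed fix, not the program's code): a short alphanumeric stem and
# exactly one permitted extension, so quotes, extra dots, slashes and controls never pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.csv")

def strict_extension_check(filename: str) -> bool:
    return SAFE_NAME.fullmatch(filename) is not None

def safe_header(filename: str) -> str:
    if not strict_extension_check(filename):
        raise ValueError("rejected filename")
    return 'attachment; filename="%s"' % filename

def handle_download(form: dict, session_csrf: str, invoices: list) -> tuple:
    """Hardened handler (constructed example): the csrf_token field must match the
    session token (constant-time compare), the filename is fixed server-side, and the
    body is built from server-side invoice rows, so a client-supplied 'data' field is ignored."""
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_csrf):
        raise PermissionError("missing or invalid CSRF token")
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["invoice_id", "amount"])
    writer.writerows(invoices)
    return safe_header("invoices.csv"), buf.getvalue()
```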
The program accepted this finding and rewarded me within a week after triage.
I hope you’ve enjoyed reading it :) Thank you. Please follow me on Twitter and join me on LinkedIn for more information, discussion and two-way sharing of tips. I am a keen learner myself, and I believe that sharing of knowledge must go both ways (give knowledge and get knowledge) to enhance skills in any field.
Stay Safe Everyone!