Trello Reflected Filename Download

WS201502 – Trello Reflected Filename Download
by David Sopas @dsopas
www.websegura.net

Description

Trello is a free web-based project management application originally made by Fog Creek Software in 2011, which spun out to become its own company in 2014.
It operates a freemium business model and is also cross-subsidized by other Fog Creek Software products. A basic service is provided free of charge, though a paid Business Class service was launched in 2013.
In July 2012, the site surpassed 500,000 users. It claimed to have surpassed 1,000,000 in December 2012, and on May 7, 2014 put the number at four million.
On September 18, 2014 Trello reached over five million users.

I found that an RFD (Reflected Filename Download) glitch is present on the Trello domain, allowing an attacker to deliver a malicious file to a victim.
Because nothing from the URL is reflected into the JSON data, I used the “Bio” profile field to inject the command:

"||calc||

This is the command that will execute on the victim's operating system [in this case, Windows]. In this proof-of-concept I used calc.
To add credibility, I also changed my username so that the profile URL resembles update.bat.

Proof-of-concept

Version 1.0 – Requires a little social engineering

Step one: Ask the victim [authenticated on Trello.com] to visit:

https://trello.com/1/members/updatebat

[Screenshot: trello1]

Step two: Use social engineering to tell the victim that the link updates something or gives a Gold account for free. Tell them to save the page and just add a “.” so the file is named update.bat.
After running the little batch file, the result is an executable file carrying instructions to launch the default Calculator application included in the Windows operating system. This might be an acceptable risk for Trello, but it is still a security risk.

[Screenshot: trello4]

Version 2.0 – HTML5 style

This approach is more dangerous because it requires much less user interaction.
A malicious user can use the HTML5 download attribute to force the download of the batch file.

<a href="https://trello.com/1/members/updatebat" download="update.bat" onclick="return false;">Download Trello Gold!</a>

[Screenshot: trello_html5_1]

The onclick handler above only stops the download from happening when the victim clicks the link, so that they use “Save link as” instead.

Keep in mind that this is a persistent RFD, because the reflected part is stored in Trello's database in the “bio” field.

[Screenshot: trello_html5_2]

To the user, the entire process looks like a file offered for download from the original Trello site, and it would not raise any suspicion. A malicious user could gain complete control over a victim's computer and launch malicious files that appear to originate from a trusted party.
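As an added example (not part of this write-up, and not Trello's code), the two server-side measures that close this class of issue: escaping shell metacharacters inside JSON string values so a stored "bio" can no longer form a command, and sending Content-Disposition with a fixed filename so neither the URL path nor a download attribute picks the saved name. The function names and the sample profile record are assumptions of mine.

```python
import json
import re

# Characters that cmd.exe or a POSIX shell treats as syntax. The write-up's payload
# ("||calc||) depends on the quote and the pipes surviving JSON encoding unchanged.
_SHELL_SYNTAX = re.compile(r"[|&;<>`'$]")

def _encode_str(value: str) -> str:
    """JSON-encode one string, emitting \\uXXXX for every shell metacharacter.
    json.dumps already produces \\" for quotes; rewriting that to \\u0022 is
    safe because a bare backslash is always doubled, so every \\" is an escape."""
    inner = json.dumps(value)[1:-1]               # drop the structural quotes
    inner = inner.replace('\\"', '\\u0022')
    inner = _SHELL_SYNTAX.sub(lambda m: '\\u%04x' % ord(m.group()), inner)
    return '"' + inner + '"'

def safe_json_dumps(obj) -> str:
    """Serialize like json.dumps, but with shell metacharacters escaped inside
    every string value and key. The output is still valid JSON and decodes to
    the same object, so API clients are unaffected."""
    if isinstance(obj, str):
        return _encode_str(obj)
    if isinstance(obj, dict):
        return "{" + ",".join(_encode_str(str(k)) + ":" + safe_json_dumps(v)
                              for k, v in obj.items()) + "}"
    if isinstance(obj, (list, tuple)):
        return "[" + ",".join(safe_json_dumps(v) for v in obj) + "]"
    return json.dumps(obj)                        # numbers, booleans, null

def body_has_shell_syntax(body: str) -> bool:
    """Detection check for existing endpoints: does a JSON response body contain
    a raw shell metacharacter or quote that would survive being saved as a script?"""
    return _SHELL_SYNTAX.search(body) is not None or '\\"' in body

def api_response_headers(fixed_name: str = "response.json") -> dict:
    """Headers for a JSON API response. A Content-Disposition filename takes
    precedence over both the URL path ('updatebat') and an HTML5 download
    attribute when the browser names the file; nosniff stops type guessing."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % fixed_name,
    }

if __name__ == "__main__":
    # Constructed sample: a profile record carrying the write-up's bio payload.
    profile = {"username": "updatebat", "bio": '"||calc||'}
    print(json.dumps(profile))       # raw encoding: the metacharacters survive
    print(safe_json_dumps(profile))  # hardened encoding: no shell syntax left
```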

I would like to thank Oren Hafif for the inspiration.

Timeline

26 Feb.15 – Submitted to HackerOne
26 Feb.15 – Trello replied that this vulnerability is out of scope, and that reports that rely on social engineering of Trello users and reports that rely on unlikely user interaction are not in scope
04 Mar.15 – Full disclosure
