Tuesday, April 08, 2008

File Download Injection

Taken from this mailing list post.

  • From: "Jeff Williams"
  • Subject: [WEB SECURITY] Attack Technique: File Download Injection
  • Date: Mon, 7 Apr 2008 15:22:15 -0400

File Download Injection
=======================

Affects most web application platforms, including Java, .NET, PHP, Cold
Fusion.

This attack involves the use of header injection, particularly the
Content-Disposition header, to subvert HTTP responses from trusted
domains. Attackers can use this technique to inject a malicious file
download with an arbitrary filename (.html, .exe, .swf, .mov, .msi,
.vbs, etc...) and arbitrary file content. Since the attack subverts an
existing HTTP request, both the URL and the downloaded file use a
trusted domain.

Some variants of the attack are surprisingly simple:

http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad

When the response for this attack arrives at the victim's browser, the
malicious file is named "attack.bat" and contains the command "wordpad"
inside. The injected file is opened as if it was a legitimate download
from the trusted domain. The attacker can inject any filename (.exe,
.bat, .html, .pdf, .sh, etc...) with any file content, and the browser
just opens it as it normally would - sometimes with a "run", "save",
"cancel" dialog and sometimes not.

Susceptible header injection vulnerabilities are frequently found in
file download pages, but could be anywhere a web application uses
untrusted input in a response header. This type of vulnerability can
exist in virtually any web application environment, including Java, .NET
and PHP.

This research builds on previous work in header injection and malicious
file execution, and adds the ability to make the attack come from
trusted domains. Although file download injection attacks are sent
through the vulnerable application on their way to the browser for
execution, they go beyond cross site scripting (XSS) as any file type
can be injected. The attack is also different from HTTP response
splitting as no second response is generated. Instead, the content of
the original response is replaced.

The paper examines various aspects of the attack, including both stored
and hidden variants and issues related to Content-Length. Some advanced
techniques for bypassing naive defenses are discussed. Finally, the
requirements for a strong defense are presented. Organizations are
encouraged to find and eliminate header injection vulnerabilities based
on the severity of this attack.

Full details in the white paper here:
http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf

--Jeff

Jeff Williams
Aspect Security

No comments: