Malicious File Downloads via detecting header differences between the <embed> Tag and "save video" context menu item
Categories
(Firefox :: Menus, defect, P3)
Tracking
()
People
(Reporter: stanlyoncm, Unassigned)
References
Details
(Keywords: privacy, sec-low)
Attachments
(1 file)
1001.48 KB,
application/x-zip-compressed
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Steps to reproduce:
Title
Malicious File Downloads via the <embed> Tag in HTML.
Description
A vulnerability has been detected in video playback and downloading using the HTML <embed>
tag. When this tag is used to embed a video or opened in a new tab, a network request is generated that includes the Upgrade-Insecure-Requests
and Referer
headers with different values in both requests. However, it's interesting to note that when choosing the Save Video As...
option in the browser's context menu, the network request is made without including these headers.
This allows an attacker to manipulate the context of the video download request to send different responses, potentially causing the victim to view the video normally but download a malicious file instead of the expected video when choosing to download it.
Please watch the proof of concept video (poc.mp4) that illustrates how a victim who is viewing a video normally can download malware by opting to use the browser's context menu for downloading.
Recommended Solution
It is recommended to modify the behavior of the video download request to include the same headers that are sent when the video is embedded via a tag or opened in a new tab. This will help mitigate the risk of an attacker exploiting this difference to send malicious files.
Steps to Reproduce
- Set up the Ruby interpreter on your system and install the Sinatra gem.
- Download the attached file named
files.zip
. - Choose a directory on your system and proceed to unzip the contents of
files.zip
into it. - Go to the directory where you unzipped the files and move a binary file to the
./videos
folder, renaming it asmovie.exe
. - In a terminal emulator, start the server and listen for connections by running the following command:
ruby server.rb localhost 80
. - Now, go to the address
http://localhost
in your web browser. - Download the video via the web browser's context menu and observe how the binary or malicious file is obtained.
Impact
An attacker could exploit this vulnerability to manipulate the context of the video download request, potentially allowing the victim to download a malicious file, such as malware, instead of the legitimate video when choosing to download. This malicious action could jeopardize the security and integrity of the victim's systems, as the user expects to download a harmless video file but could receive a file designed to harm or compromise their device.
Comment 1•8 months ago
|
||
Is this different in an <embed> than an <iframe>? I'd expect them to behave the same. I suspect that when we request the embed source we don't know what the file is going to be so we send "document" request headers, and when you use the menu item we know it's a video so we send "video" specific headers. But why no Referer:
? everything should have a reasonable referrer.
Even if we got that right somehow, a malicious site could simply send something different the second time it's requested and hope for the best that it wasn't a re-load of the page. Not sure how other browsers would avoid this given how things are specified.
This would be a very low-payoff approach to giving someone a malicious file.
Updated•8 months ago
|
Comment hidden (offtopic) |
Comment hidden (offtopic) |
Updated•8 months ago
|
Updated•1 month ago
|
Description
•