
Security issue: Cross Site Content Hijacking #318

Closed
LukasReschke opened this Issue Aug 9, 2016 · 6 comments


LukasReschke commented Aug 9, 2016

Description:

Since the response headers when downloading files are not set to secure values an attacker can perform Cross Site Content Hijacking to extract arbitrary data from a Cryptomator installation. Some more information including a demo on that can be found at https://github.com/nccgroup/CrossSiteContentHijacking

This attack requires that an attacker can upload arbitrary files on their own. Due to the vulnerability pointed out in #319, this is however possible. An attacker basically would just have to upload such a file using CSRF and then can start extracting data.

Performing a PROPFIND to extract the file list is left as an exercise to the reader 😉 – I won't share completely weaponized exploits here.

Recommendation:

Serve all files with a harmless Content-Disposition of, for example, application/octet-stream and add the nosniff header.


Disclaimer: Normally, I wouldn't report security issues like that in the public. But I was asked by the Cryptomator authors on Twitter to do so.
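The recommendation above, worked through as an added example (this is not code from Cryptomator or Jackrabbit): a WSGI middleware that forces every file download to `application/octet-stream` with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, plus a checker that reports which of the three defences a response lacks. The class name `ContentHijackingGuard`, the toy `vault_app`, and the stored sample files are this example's own assumptions. The part a practitioner should not overlook is in `harden_download_headers`: only 2xx GET responses (file content) are rewritten; PROPFIND answers are XML the WebDAV client has to parse, so their Content-Type must survive.

```python
"""Added example, not code from Cryptomator or Jackrabbit: header hardening
against cross-site content hijacking for a local WebDAV frontend."""
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def missing_defences(headers: Headers) -> List[str]:
    """Report which of the three recommended download headers a response lacks."""
    h = {k.lower(): v for k, v in headers}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower()
    missing = []
    if ctype != "application/octet-stream":
        missing.append(f"Content-Type is {ctype or '<unset>'}, not application/octet-stream")
    if disp != "attachment":
        missing.append("Content-Disposition: attachment is absent")
    if nosniff != "nosniff":
        missing.append("X-Content-Type-Options: nosniff is absent")
    return missing


def harden_download_headers(method: str, status: str, headers: Headers) -> Headers:
    """Force file content (2xx GET) to a type no browser renders inline; leave
    everything else alone. PROPFIND/REPORT answers are XML the WebDAV client
    must parse, so their Content-Type survives; 404s and redirects carry no
    vault data."""
    if method.upper() != "GET" or not status.startswith("2"):
        return list(headers)
    overridden = {"content-type", "content-disposition", "x-content-type-options"}
    hardened = [(k, v) for k, v in headers if k.lower() not in overridden]
    hardened += [
        ("Content-Type", "application/octet-stream"),
        # Plain 'attachment' without a filename parameter: the name would come
        # from the (attacker-chosen) vault path and would need careful escaping.
        ("Content-Disposition", "attachment"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return hardened


class ContentHijackingGuard:
    """WSGI middleware (hypothetical name) wrapping the WebDAV frontend."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        method = environ.get("REQUEST_METHOD", "GET")

        def guarded_start_response(status, headers, exc_info=None):
            return start_response(status, harden_download_headers(method, status, headers), exc_info)

        return self.app(environ, guarded_start_response)


# Constructed stand-in for the vulnerable server: files are served back with the
# Content-Type they were uploaded with, which is the behaviour the issue describes.
STORED_FILES = {
    "/vault/poc.swf": (b"FWS\x0a\x00\x00\x00\x00", "application/x-shockwave-flash"),
    "/vault/notes.txt": (b"secret note\n", "text/plain"),
}
MULTISTATUS = (b'<?xml version="1.0" encoding="utf-8"?><D:multistatus xmlns:D="DAV:">'
               b"<D:response><D:href>/vault/notes.txt</D:href></D:response></D:multistatus>")


def vault_app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if method == "PROPFIND":
        start_response("207 Multi-Status", [("Content-Type", "text/xml; charset=utf-8")])
        return [MULTISTATUS]
    if method == "GET" and path in STORED_FILES:
        body, ctype = STORED_FILES[path]
        start_response("200 OK", [("Content-Type", ctype), ("Content-Length", str(len(body)))])
        return [body]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(app, method: str, path: str) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app in-process and capture (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for app, label in ((vault_app, "unpatched"), (ContentHijackingGuard(vault_app), "guarded")):
        status, headers, _ = call(app, "GET", "/vault/poc.swf")
        print(label, status, missing_defences(headers) or "all three defences present")
```

Against a real server the same `missing_defences` check can be run on the headers of a `GET` for any file in a mounted vault; if the list is non-empty, the content can still be served with a type the browser or a plugin may interpret.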

overheadhunter (Member) commented Aug 9, 2016

Thanks for sharing this exploit! Concerning a possible fix: Are all operating systems able to mount http://user:pw@localhost:12345/foo? If this is the case, we could generate random credentials for each unlock attempt.
Any thoughts on this?

LukasReschke commented Aug 9, 2016

Would certainly mitigate the problem best, but I'm wondering what's the UX impact on this. I guess having the credentials static for each mount would be "good enough" and doesn't require one to re-setup the mount all the time.
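The credential idea from the two comments above, as an added example that is not Cryptomator's code: random credentials for the local WebDAV mount (generated per unlock, or once per vault and persisted, which only changes where the pair is stored), the `http://user:pw@localhost:port/vault/` mount URL, and the server-side Basic auth check. The function names, the port 12345 from the comment, and the vault name are this example's assumptions.

```python
"""Added example, not Cryptomator's code: per-mount random credentials and a
constant-time Basic auth check for the local WebDAV server."""
import base64
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import quote


def generate_mount_credentials() -> Tuple[str, str]:
    """128-bit random user name and password, URL-safe so they can be embedded
    in the mount URL without escaping surprises."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def mount_url(user: str, password: str, port: int, vault: str) -> str:
    """The http://user:pw@localhost:port/vault/ form discussed above.
    Percent-encoding keeps ':' '@' '/' in the secrets from breaking the URL."""
    return (f"http://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@localhost:{port}/{quote(vault, safe='')}/")


def basic_auth_header(user: str, password: str) -> str:
    """What a WebDAV client sends once mounted with the URL above."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_auth(authorization: Optional[str], user: str, password: str) -> bool:
    """Accept the request only with the exact credentials for this mount.
    The browser was never given these credentials (the OS WebDAV client holds
    them), so a request triggered from an attacker's page (form POST, SWF, XHR)
    arrives without a valid Authorization header and is rejected. Both fields
    are compared in constant time, and both are always compared, so a wrong
    user name does not fail measurably faster than a wrong password."""
    if not authorization:
        return False
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, sep, got_password = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(got_user.encode("utf-8"), user.encode("utf-8"))
    password_ok = hmac.compare_digest(got_password.encode("utf-8"), password.encode("utf-8"))
    return user_ok and password_ok


if __name__ == "__main__":
    user, password = generate_mount_credentials()
    print(mount_url(user, password, 12345, "my-vault"))
    print(check_basic_auth(basic_auth_header(user, password), user, password))
    print(check_basic_auth(None, user, password))
```

A request that fails `check_basic_auth` should get a `401` with a `WWW-Authenticate: Basic realm=...` header so the OS client re-sends its stored credentials; the cross-site request from the attacker's page has nothing to re-send.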

LukasReschke commented Aug 9, 2016

Looking at http://mail-archives.apache.org/mod_mbox/jackrabbit-commits/201510.mbox/%3C20151021123021.6383C3A0337@svn01-us-west.apache.org%3E, #319 seems to be caused by an upstream security issue. Their security patch for https://issues.apache.org/jira/browse/JCR-3909 seems incomplete. I will also reach out to them.

overheadhunter (Member) commented Aug 9, 2016

Assuming the user uses an up-to-date browser when visiting the attacker's website, wouldn't the same origin policy stop such XHRs?
Edit: I mean PROPFIND requests, I am aware this doesn't apply to POST requests sent by forms.

LukasReschke commented Aug 9, 2016

> Assuming the user uses an up-to-date browser when visiting the attacker's website, wouldn't the same origin policy stop such XHRs?

Unfortunately not. Adobe software has a very special interpretation of Same-Origin. 😉

Basically what happens here is:

  1. Using #319, the attacker uploads a malicious SWF file
  2. The SWF file is then embedded on another page and communicates using some JS callbacks.

You can easily test this by uploading http://0me.me/ContentHijacking/objects/ContentHijacking.swf to one of your vaults. Then configure it as object file on http://15.rs/ContentHijacking/ContentHijackingLoader.html. As target page use for example a text file in the same vault.

overheadhunter (Member) commented Aug 9, 2016

Ok got it. Damn flash..

overheadhunter added a commit that referenced this issue Aug 9, 2016

@overheadhunter overheadhunter added this to the 1.1.4 milestone Aug 9, 2016

overheadhunter added a commit that referenced this issue Aug 14, 2016

Merge branch 'release/1.1.4'
Fixes #308, fixes #319, fixes #318, fixes #317, fixes #311, fixes #267

# Conflicts:
#	main/ant-kit/pom.xml
#	main/commons-test/pom.xml
#	main/commons/pom.xml
#	main/filesystem-api/pom.xml
#	main/filesystem-charsets/pom.xml
#	main/filesystem-crypto-integration-tests/pom.xml
#	main/filesystem-crypto/pom.xml
#	main/filesystem-inmemory/pom.xml
#	main/filesystem-invariants-tests/pom.xml
#	main/filesystem-nameshortening/pom.xml
#	main/filesystem-nio/pom.xml
#	main/filesystem-stats/pom.xml
#	main/frontend-api/pom.xml
#	main/frontend-webdav/pom.xml
#	main/jacoco-report/pom.xml
#	main/pom.xml
#	main/uber-jar/pom.xml
#	main/ui/pom.xml