AOL Search Vulnerable to Reflected File Download Attacks


Exterminator

Community Manager
Thread author
Oct 23, 2012
The website for AOL Search can be used in what is called a reflected file download (RFD) attack by a threat actor, to trick an unsuspecting user into downloading a malicious file on the computer, a security researcher has found.

The vulnerability uncovered on AOL’s domain has been presented by Oren Hafif, of Trustwave security company, at the 2014 edition of the Black Hat Europe security conference in Amsterdam.

Reflected file download attack

It consists of sending the victim a maliciously crafted link to an executable file (CMD, BAT) that appears to be hosted on a trusted domain. However, the file is not available from the trusted domain and its content, which is made of commands or script files, is actually included in the link itself.

When the link is accessed, the response from the web browser is a download for a file that is in fact created on-the-fly with the information in the URL.

The attack does not work on Google Chrome because the developer implemented a fix for the vulnerability, as pointed out by Hafif in a blog post at the end of October 2014.

Proof-of-concept shows the flaw on AOL's domain

Ricardo Iramar dos Santos, a security engineer from HP, found that the RFD glitch is present on AOL’s domain, allowing an attacker to deliver a malicious file to a victim.

He provided the following proof-of-concept that demonstrates the flaw in Internet Explorer and Mozilla Firefox:

Code:
http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar";||calc||&it=ws-landing&dict=en_us_search&count=8&output=json

The result is serving a batch file with instructions to deploy the default Calculator application included in the Windows operating system.

He explains that in the search for 'iramar "||calc||' on AOL, the browser encodes the double quotes, but the server escapes them and returns the JavaScript Object Notation (JSON) in the body response. “Since the response has the header "Content-Type: application/x-suggestions+json;charset=UTF-8" the browser will automatically try to download the reflected file,” dos Santos says.

To the user, the entire process looks like a file is offered for download from autocomplete.search.aol.com and it would not raise any suspicions. With some social engineering, an attacker can gain complete control over a victim’s computer system by fooling them into downloading and launching malicious files that appear to originate from a trusted party.
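As an added, defender-side illustration (not code from the post, from the article it quotes, or from AOL): a log check that flags requests with the shape shown above, namely a path that names an executable file plus a query carrying shell syntax, next to a response builder applying the usual RFD mitigations (a server-chosen filename in Content-Disposition, nosniff, JSON-escaped reflected input). The extension list, the log lines and the function names are constructed assumptions.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows runs on double-click (assumed list, extend as needed).
EXEC_EXT = (".bat", ".cmd", ".exe", ".com", ".vbs", ".hta")
# Filename the download will get: either a ";param" segment such as
# "get;calc.bat" or the last path segment such as "/get/setup.cmd".
PATH_NAME = re.compile(r";([^/;?]+)$|/([^/;?]+)$")
# Shell syntax that survives JSON escaping and still chains commands in cmd.exe.
SHELL_META = re.compile(r'\|\||&&|"')

def is_rfd_candidate(url):
    """True when the request looks like a reflected file download attempt."""
    parts = urlsplit(url)
    m = PATH_NAME.search(unquote(parts.path))
    name = (m.group(1) or m.group(2) or "") if m else ""
    return name.lower().endswith(EXEC_EXT) and bool(SHELL_META.search(unquote(parts.query)))

# Constructed access-log request lines (not real AOL traffic).
SAMPLE_LOG = """\
GET /autocomplete/get?q=weather&it=ws-landing HTTP/1.1
GET /autocomplete/get;calc.bat?q=x%22;||calc||&it=ws-landing HTTP/1.1
GET /autocomplete/get/setup.cmd?q=%22&&whoami&& HTTP/1.1
GET /static/app.js?v=3 HTTP/1.1
"""

def flag_log_lines(log):
    """Return the 1-based line numbers whose request URL is an RFD candidate."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 2 and is_rfd_candidate(fields[1]):
            hits.append(n)
    return hits

def hardened_suggestion_response(query):
    """Build an autocomplete reply that cannot be turned into a named executable:
    the filename is fixed by the server, the browser is told not to sniff the
    type, and the reflected term is JSON-escaped (escaping alone is not enough,
    as the post shows, so the Content-Disposition header is the essential part)."""
    body = json.dumps([query, []]).encode("utf-8")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": 'attachment; filename="suggestions.json"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body
```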

kiric96

Level 19
Jul 10, 2014
o_O what kind of sorcery is this???

is it possible to create a vbs worm using this method? or what kind of threat can an attacker make?