What would the security implications be if JavaScript, in a browser, could perform a typical FileExists() operation with normal file paths (Windows and/or Mac)? Something like Node's fs.existsSync(path), but from JavaScript running in a browser's sandbox. Assume the logged-in, browser-running user's normal file permissions are respected. I understand this is an information leakage problem.

My question is: what are the concrete consequences of this leakage that a semi-technical product manager would understand? Examples would be helpful. The JavaScript could be from a secure or insecure site, nothing else special, just the ability to test for the (Boolean) existence of files (not directories) with an absolute path.

TheJulyPlot
Mike
    Consequences like "you could tell if a specific user was on a computer by checking `c:\users\alice\ntuser.dat`" or "you could check for an exploitable program if you knew of a unique file from it"? Or consequences like - what happens after that? – TessellatingHeckler Jan 27 '16 at 23:28
  • I'm looking for something that a semi-technical product manager would consider significant harm caused by this. 'Check for an exploitable program' is a little too indirect. Playing devil's advocate: did a traffic light contribute to your car accident, since you wouldn't have been in the right place at the right time to get hit if it had been red/green instead? – Mike Jan 27 '16 at 23:42
  • My biggest thought here is making XXE attacks viable. You can check for a valid file name to target prior to serving malware with an XXE exploit. This would make my life easier as an attacker. – Steve Dodier-Lazaro Jan 28 '16 at 14:15
  • @Mike the thing is, this is typically the kind of design flaw that simplifies and enables attacks rather than constituting an attack of its own. Look at exploits like Shellshock: there were a lot of prior poor decisions that contributed to its massive exploitability, though they were not considered much of an issue by developers at the time. – Steve Dodier-Lazaro Jan 28 '16 at 14:17

3 Answers

You could learn a lot of interesting information about the user's system this way.
This information could be used to find the correct exploit for the user, or just be collected or used as part of a system fingerprint to identify users (even when a different browser is used).

Detecting the OS would be extremely simple, but detection of the versions of static libraries in use should theoretically be possible as well.

Most services create pid files when they start. This could be used to check if specific services are running and try to attack them (think of some web admin panel without CSRF protection).

As @TessellatingHeckler mentioned: You could also try to "bruteforce" (more dictionary attack) usernames.

SleepProgger

By simply checking for existence, actions with a lot of side effects could be triggered. For example, if you supply a UNC path, a Windows machine will have to connect to the server, which in the most trivial case can be turned into a DDoS attack. With more setup (and a poor firewall), this can be used to steal NTLM password hashes...

billc.cn

You could:

  • learn that specific apps are installed (meaning you can pretend to sell services related to said apps)
  • learn that specific versions of apps are installed (based on diffs between versions, now you know if an exploit exists for the user's system)
  • enumerate some hardware devices (does this or that file exist in /dev?, likewise hardware-specific exploits)
  • discover user names, possibly (checking subfolders in /home for instance)
  • identify existing files / folders to target in an XXE exploit when you serve malware to the user
  • profile users by checking what kinds of famous artists they have in their ~/Music or ~/Movies folders...
  • profile users by checking if, for common paths of P2P apps' downloads folders, they have any recent / popular torrents being downloaded. Then you can serve them customised, scarier ransomware (like the FBI virus)
  • find valid PIDs for currently running apps, though you might not be able to identify said apps

(examples based on UNIX because hey, I'm a UNIX person; roughly the same ought to apply with Windows)

Steve Dodier-Lazaro
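As an added illustration (not code from the question or from any of the answers), the checks below are what a hypothetical browser fileExists(path) API would have to enforce to block the probe classes raised across the three answers: UNC paths that force an outbound SMB connection, user-profile and /dev directories, and pid files, plus anything outside the origin's own sandbox directory. The sandbox roots, deny rules and sample paths are constructed assumptions.

```javascript
// Added example, not from the question or any answer: a policy gate that a
// hypothetical browser fileExists(path) API would need in front of it. It
// turns the probe classes the answers warn about into deny decisions:
//   network (UNC) paths     -> the OS would open an outbound SMB connection
//   user-profile roots      -> username enumeration
//   /dev, pid and run files -> hardware / running-service fingerprinting
//   anything outside the origin's own sandbox directory
// The sandbox roots and sample paths are constructed for illustration.

const SANDBOX_ROOTS = ["/tmp/browser-sandbox/", "C:\\BrowserSandbox\\"];

// \\server\share and //server/share, which also covers \\?\UNC\server\share.
function isNetworkPath(p) {
  return /^(\\\\|\/\/)/.test(p);
}

// Unify separators and resolve "." / ".." textually, so a probe such as
// "/tmp/browser-sandbox/../../home/alice" is judged by where it really lands.
function resolveDots(p) {
  const unified = p.replace(/\\/g, "/");
  const drive = /^[A-Za-z]:\//.test(unified) ? unified.slice(0, 2).toUpperCase() : "";
  const out = [];
  for (const seg of unified.slice(drive.length).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return drive + "/" + out.join("/");
}

const DENY_RULES = [
  { re: /^(\/(home|Users|root)|[A-Z]:\/Users)(\/|$)/i, reason: "user-profile root: username enumeration" },
  { re: /^\/dev(\/|$)/, reason: "device node: hardware fingerprinting" },
  { re: /^\/(proc|run|var\/run)(\/|$)/, reason: "pid/run file: running-service fingerprinting" },
];

// Returns { allowed, reason, path } for a single existence probe.
function evaluateProbe(rawPath) {
  if (isNetworkPath(rawPath)) {
    return { allowed: false, reason: "network path: probe would trigger an outbound SMB connection", path: rawPath };
  }
  const path = resolveDots(rawPath);
  for (const { re, reason } of DENY_RULES) {
    if (re.test(path)) return { allowed: false, reason, path };
  }
  const inside = SANDBOX_ROOTS.map(resolveDots).some(r => path === r || path.startsWith(r + "/"));
  return inside
    ? { allowed: true, reason: "inside sandbox root", path }
    : { allowed: false, reason: "outside sandbox root", path };
}
```

Because the gate resolves ".." before matching, a probe that starts inside the sandbox but climbs out to /home is still denied as a username-enumeration attempt.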