Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO)

Author: YoKo Kho | Posted in Bug Report, Mobile Apps, Write-Up

The story of a file whose extension looks “legitimate” when you download it, but which turns out to be something else when you open it.

As a small note, we also add a few simple bug hunting tips related to this RTLO issue at the end of the article.

Download as .png (left one) and Download as .txt (right one)

In the name of Allah, the Most Gracious, the Most Merciful.

So let’s say you download a .png file, but when you try to open it, it is executed as a malicious .apk. This happened at least in Opera Mini and in a few other applications that have a download feature.

I. TL;DR

Change the filename to: malicious<RTLO_Char><fake_ext>.<real_ext>
For example: malicious%E2%80%AEtxt.apk
When the browser’s download feature honours the RTLO character instead of neutralising it, the filename is displayed as maliciouskpa.txt, so the victim sees a .txt file while the real extension is still .apk.

Illegal Rendered with RTLO Character at Opera Mini (for Android) Download Feature

II. Introduction

As we know, most browsers have a feature that lets users download any file. The problem arises when the browser does not neutralise control characters in the name of the file that is about to be downloaded. In this case, we found that some browsers honour the RTLO character when displaying the filename, which an attacker can use to make the extension appear switched.

2.1. Few Words about RTLO
Written scripts come in two directions: left-to-right (Latin, for example) and right-to-left, of which Arabic is the best-known example.

The Unicode Bidirectional Algorithm is the standard that defines how text mixing both directions is laid out, so that computers can exchange text regardless of the language used. It includes explicit formatting characters, and one of them, U+202E RIGHT-TO-LEFT OVERRIDE (RTLO), forces every character that follows it, up to the end of the line or a matching U+202C POP DIRECTIONAL FORMATTING, to be drawn from right to left even if those characters are Latin letters, digits or dots. Stored order and displayed order therefore differ.

So, in short, the bytes of the filename stay in their original order; only what the user sees is reversed after the RTLO character.

References: 
https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/


III. Testing Environment

For example, let us use Opera as the case study (since a few programs asked us not to publish full disclosure).

And here is the environment we used to reproduce the issue:

  • Device: Asus Max Pro M1 (4/64GB)
  • Operating System: Android 9 (May 1st, 2019 Update)
  • Opera Mini for Android version: 44.1.2254.142553 (built Aug 29th, 2019), the version we reported against (since we got no response for more than one month, let’s assume it does not meet the security bar from their point of view, so we think it is fine to publish the article).
    The latest version at the time of writing (Sept 19th, 2019 – 44.1.2254.143214) is also still vulnerable.

IV. Step to Reproduce

For example, an Attacker would like to “send” this scenario to the victim:

  • The Attacker’s original file type is .txt.
  • The Attacker’s filename is malicious.
  • In this case, the Attacker wants to manipulate the extension so that the victim sees the file as an image (.png). The Attacker therefore names the file malicious%E2%80%AEgnp.txt (gnp is png reversed; the real extension stays .txt).
  • When this file is downloaded with a vulnerable browser (in this case, Opera Mini), it is saved on the victim’s device under a name that is displayed as malicioustxt.png.
  • Even though the file appears to be a .png, Android still opens it as .txt (the original format; the RTLO character changes only how the name is displayed).
  • Of course, the same trick can be used for something far worse for the victim: an original .apk whose extension is switched to .txt or any other harmless-looking extension.

Please note that %E2%80%AE is the UTF-8 percent-encoding of Unicode U+202E, RIGHT-TO-LEFT OVERRIDE: https://www.charbase.com/202e-unicode-right-to-left-override
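As an added example (not code from the original write-up or from Opera), the following Python script puts sections 2.1 and IV together: it builds a spoofed name exactly as the steps above describe, percent-encodes it for use in a download URL, simulates how a renderer that honours U+202E displays it, and shows which extension the operating system actually uses. The display model is a deliberate simplification: it reverses everything after the override character, which matches the plain ASCII filenames in this article but is not a full implementation of the Unicode Bidirectional Algorithm.

```python
import os
import urllib.parse

RTLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE


def build_spoofed_name(base: str, real_ext: str, fake_ext: str) -> str:
    """Attacker side: base + RTLO + fake_ext + '.' + real_ext.

    The real extension stays last in storage order, so the OS still treats the
    file as real_ext; the RTLO only changes how the name is drawn on screen.
    """
    return f"{base}{RTLO}{fake_ext}.{real_ext}"


def percent_encoded(name: str) -> str:
    """The form used in a download URL (U+202E becomes %E2%80%AE in UTF-8)."""
    return urllib.parse.quote(name)


def naive_visual(name: str) -> str:
    """Simulate a renderer that honours the override: every character after
    U+202E is drawn right to left, i.e. the tail is shown reversed.

    Simplified model (assumption): a single override run to end of line,
    ASCII text only. Not a full Unicode Bidirectional Algorithm.
    """
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def real_extension(name: str) -> str:
    """What the OS actually uses: the text after the last dot in storage order."""
    return os.path.splitext(name)[1]


def visual_extension(name: str) -> str:
    """The extension the victim believes they see."""
    return os.path.splitext(naive_visual(name))[1]


def is_extension_spoofed(name: str) -> bool:
    """True when the displayed extension and the real one disagree."""
    return visual_extension(name).lower() != real_extension(name).lower()


if __name__ == "__main__":
    # The two cases from the article: a .txt shown as .png, an .apk shown as .txt.
    for base, real, fake in [("malicious", "txt", "png"), ("malicious", "apk", "txt")]:
        n = build_spoofed_name(base, real, fake)
        print(f"url form : {percent_encoded(n)}")
        print(f"displayed: {naive_visual(n)}")
        print(f"real ext : {real_extension(n)}  spoofed={is_extension_spoofed(n)}")
```

Running it reproduces the names quoted in the TL;DR and in the steps above: malicious%E2%80%AEtxt.apk is displayed as maliciouskpa.txt while the real extension stays .apk. The last function is the check a download manager should run before showing a name to the user; a simpler and safer fix is to strip bidi control characters from the filename before saving or displaying it.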


V. PoC Video

To complete the explanation, we add a simple PoC video showing the situation:

  • Two files are placed on Google Drive: the .txt file (on the left) and the .apk file (on the right);
  • We use the direct download link in both cases; when the user downloads the file, they see the extension as manipulated by the RTLO character;
  • In the first situation in the video, the user downloads the .txt file but it is saved as .png. When the user opens the downloaded file, it is opened as .txt (the original format);
  • In the second situation, the user downloads the .apk file but it is saved as .txt. Again, when the user opens the downloaded file, it is executed as .apk and tries to install the program (the original format).

VI. Screenshot Details

In the screenshots below, we can see that Opera Mini renders the extension as .png for the real .txt file (the left one) and as .txt for the real .apk file (the right one).

Download as .png (left one) and Download as .txt (right one)

When we try to open the file named malicioustxt.png (the left one in the picture above), Android recognises it as a .txt file (the original format).

Android recognises the file as .txt even though the name was .png

And for the file named OMkpa.txt, Android executes it as .apk. We can see this from the behaviour of Opera, which tries to install a program.

Opera Mini trying to install the Software

VII. Reporting Timeline

Opera Mini Browser for Android:

  • Sept 10th, 2019: Reached Opera via https://security.opera.com/report-security-issue/ (maybe it is a mistake to report via this form, because you will not get any acknowledgement of receipt. We suggest reporting via the in-app “Report a problem” feature instead:
In-App “Report a Problem” Feature

Even if you still get no feedback, at least you know your email has reached them (because of their automated reply).

  • Sept 10th, 2019: Opera viewed the PoC video a few times.
  • Sept 23rd, 2019: Tried to reach them to ask about the status and still got no information. (Maybe they are really busy right now, or it does not meet the security bar from their point of view.)
  • Note: We previously thought the issue had been fixed in the latest release (Sept 19th, 2019). But when we tried to reproduce it again a few days ago, we found it still vulnerable. We have no idea why it sometimes works and sometimes not.
  • Oct 30th, 2019: Assigned as CVE-2019-18624.

As a side note, we also reported a similar issue to one of our favourite bug bounty programs on one of the well-known platforms. As always, they responded and fixed the issue very quickly (with a nice reward) without us needing to ask for a status. So far, they have always responded within 1 day and fixed within 5 days.

  • July 22nd, 2019: Reported via one of the well-known platforms.
  • July 24th, 2019: They apologised for the late response (since normally they take only 1 day and this time it took 2 days. Cool, isn’t it?).

And they fixed the issue very fast (within the next few days) and gave a nice bounty (as always).

On the other side, we also reported this to another program and got a response within 9 days with nice points.


VIII. The Closing

Well, as readers can see, there is a good side and a (not much) bad side in bug bounty programs. The only thing I (personally) can suggest is to keep bug hunting fun and not to think too much about the programs that do not give any feedback (not even a thanks, a duplicate or a “not much impact”). There are many programs out there that, Inshaallah, will appreciate your time and work.

In this write-up, I would also like to thank Rafay Baloch. From one of his write-ups in 2016 (related to address bar spoofing in Google Chrome and Firefox for Android using a combination of IP + RTL), I first learned about this RTLO technique.

Other credits:

As additional information, if you would like to try reproducing the issue, here are the affected versions of Opera Mini for Android:


IX. Bug Hunting Tips Related to RTLO things

From this very simple article, we can conclude that RTLO can become a security issue in various features (not every program thinks so, but it is worth trying). As far as we can think of at this time:

9.1. RTLO in filenames via file upload features
Here we can test whether the upload feature of an application is vulnerable to extension manipulation.
Also, when we talk about “filename” and “upload feature”, this is not limited to web apps; it also applies to messaging, email and similar applications that can upload files.
Reference (HackerOne): https://hackerone.com/reports/298
Reference (Telegram): https://securelist.com/zero-day-vulnerability-in-telegram/83800/

9.2. RTLO in filenames via cloud drive storage
Similar to the previous one: just upload a file whose name contains the RTLO character to the cloud drive storage and see what happens.
Reference (OX App Suite): https://hackerone.com/reports/210354

9.3. RTLO in chat features
This can also be tested in every application that has a chat feature inside (not just native chat apps). In practice it can be used to switch an extension or to create a fake URL, for example: https://evil.com/RTLO/moc.rettiwt. If vulnerable, it is rendered as twitter.com/moc.live//:sptth (this happened in the Facebook bug report chat).

In other cases it simply moves the part at the back to the front (just like the address bar spoofing via IP + RTL in Chrome and Firefox).
Reference (Snapchat): https://hackerone.com/reports/196222

9.4. RTLO in post features
Apart from chat, we can also test this in applications with a post feature. In GitLab’s case, the RTLO issue worked in the description field. From here we can conclude that this RTLO issue may work in any application that lets users post something, such as a “website address” field, a reply, and so on.
Reference (GitLab): https://gitlab.com/gitlab-org/gitlab-foss/issues/29365

9.5. RTLO in “warning” redirect features
RTLO can also be used to try to spoof a domain name by combining normal Latin (LTR) text with the RTLO character.
Reference (HackerOne): https://hackerone.com/reports/299403

9.6. RTLO in the browser’s address bar
In one of Rafay’s write-ups, we can see that he successfully spoofed a domain name by combining an IP address with the RTLO character. For example: https://evil_IP_Address/RTLO/google.com/login becomes google.com/login/RTLO/evil_IP_Address.
Reference (Google Chrome and Firefox for Android): https://www.rafaybaloch.com/2017/06/google-chrome-firefox-address-bar.html

9.7. RTLO in the browser’s download feature
This is the case explained in this simple write-up. Just as a note, “browser” is not limited to a native browser’s download feature; it also covers in-app browsers (for example, the one inside a messaging app) and some password manager apps (most of which also have an in-app browser).
Reference (Opera Mini for Android): this article, or http://firstsight.me/2019/10/illegal-rendered-at-download-feature-in-several-apps-including-opera-mini-that-lead-to-extension-manipulation-with-rtlo/
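As an added example for the checks suggested in 9.1 to 9.4 and 9.7 (this is not code from the original article or from any of the programs referenced above), the following Python detector scans filenames, chat messages and post text for Unicode bidi control characters, and shows the server-side normalisation an upload or download feature can apply so that the name stored is the name displayed. The sample inputs are constructed for this example; the domains and messages in them are made up.

```python
from __future__ import annotations

import unicodedata

# Explicit bidi formatting and mark characters. A filename, URL or chat
# message has no legitimate reason to contain these in most applications.
BIDI_CONTROLS = frozenset(
    [0x061C, 0x200E, 0x200F]        # ALM, LRM, RLM
    + list(range(0x202A, 0x202F))   # LRE, RLE, PDF, LRO, RLO (U+202E)
    + list(range(0x2066, 0x206A))   # LRI, RLI, FSI, PDI
)


def find_bidi_controls(text: str) -> list[tuple[int, str]]:
    """Return (index, 'U+XXXX') for every bidi control character in text."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if ord(ch) in BIDI_CONTROLS]


def strip_bidi_controls(text: str) -> str:
    """Remove only the bidi controls; everything else is kept as-is."""
    return "".join(ch for ch in text if ord(ch) not in BIDI_CONTROLS)


def safe_filename(name: str) -> str:
    """Normalisation for an upload/download name: drop every Unicode format
    control (general category Cf, which includes all bidi controls above) so
    that what is displayed matches what is stored. Falls back to a fixed name
    if nothing is left."""
    cleaned = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return cleaned or "unnamed"


def scan(samples: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Run the detector over labelled inputs; only entries with findings are returned."""
    report: dict[str, list[tuple[int, str]]] = {}
    for label, text in samples.items():
        hits = find_bidi_controls(text)
        if hits:
            report[label] = hits
    return report


# Constructed sample inputs (not the PoC files from the write-up).
SAMPLES = {
    "upload filename": "malicious\u202egnp.txt",
    "chat message": "look at this: https://evil.example/\u202emoc.rettiwt",
    "post description": "mirror at example.com\u2067/admin\u2069 ok",
    "clean filename": "report-2019.pdf",
}

if __name__ == "__main__":
    for label, hits in scan(SAMPLES).items():
        print(f"{label}: {hits}")
        print("  sanitised:", repr(strip_bidi_controls(SAMPLES[label])))
    print("stored name:", safe_filename(SAMPLES["upload filename"]))
```

A detector like this is also a quick way to triage a bug bounty target: feed every string an application will later display (file names, link text, descriptions) through find_bidi_controls on the way out and see which ones survive untouched. For a fix, rejecting or stripping is usually preferable to escaping, because a stripped name can no longer mislead the user about its extension.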
