Full Report
A few days ago, during one of those nights with the baby crying at 2:00 am when the only thing you can do is read emails, I realised that Gmail shows the content of compressed files when reading them in Google Docs. As is often the case at SensePost, the “think evil ™” came to me and I started to ponder the possibilities of injecting HTML inside the file listing. The idea is actually rather simple. Looking at the file format of a .zip file we see the following:
Analysis Summary
# Vulnerability: Stored Cross-Site Scripting (XSS) in Google Docs ZIP File Previews
## CVE Details
- CVE ID: Not explicitly provided in the article. The disclosure occurred around March 2013.
- CVSS Score: Not provided in the article. (Likely Medium to High given the XSS impact).
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
## Affected Systems
- Products: Google Docs viewer (handling ZIP file previews).
- Versions: Versions active around March 2013 that utilized this ZIP parsing mechanism.
- Configurations: No special configuration was needed; an attacker only had to upload a specially crafted ZIP file and share the preview link with a victim. The vulnerability was triggered when the file listing/metadata was viewed in the Google Docs preview interface hosted on `googleusercontent.com`.
## Vulnerability Description
The vulnerability stems from how Google Docs processes and displays metadata from uploaded ZIP archives when viewed within the Google Docs viewer interface. The ZIP file format contains file metadata (including the filename) in two primary locations: the `ZipFileRecord` and the `ZipDirEntry`.
The flaw occurred because Google Docs used one metadata source (likely the `ZipFileRecord`) to display the filename initially, escaping HTML special characters in it. However, when the system displayed the file listing in a "non-formatted" view (possibly after an initial failure to render content), it used the metadata from the second source (`ZipDirEntry`), which was **not adequately sanitized**. An attacker could craft a ZIP file whose `ZipDirEntry` filename contained an HTML payload while the `ZipFileRecord` filename looked harmless, leading to Stored XSS when the victim viewed the file metadata preview.
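The two filename locations the description refers to, together with the consistency check an upload pipeline could run over them, as an added example (not the researcher's PoC and not Google's code): it parses the local file header (`ZipFileRecord`) and the central directory (`ZipDirEntry`) with the `struct` module, flags entries whose names differ between the two records or contain HTML metacharacters, and builds a constructed sample archive whose central-directory name is rewritten after the archive is written. All filenames and the tag in the sample are constructed.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # ZipFileRecord (local file header) signature
CENTRAL_SIG = b"PK\x01\x02"  # ZipDirEntry (central directory header) signature
EOCD_SIG = b"PK\x05\x06"     # end-of-central-directory record signature
HTML_SPECIAL = set('<>"\'&')  # characters that must never reach HTML unescaped

def central_directory_entries(data):  # yields (name, local_header_offset) per ZipDirEntry
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)  # size and offset of the directory
    pos, end = cd_offset, cd_offset + cd_size
    while pos < end and data[pos:pos + 4] == CENTRAL_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_offset,) = struct.unpack_from("<I", data, pos + 42)
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), local_offset
        pos += 46 + name_len + extra_len + comment_len  # fixed header plus variable fields

def local_header_name(data, offset):  # filename as stored in the ZipFileRecord at offset
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local header at offset %d" % offset)
    (name_len,) = struct.unpack_from("<H", data, offset + 26)
    return data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")

def check_zip_metadata(data):  # findings: record mismatches and HTML metacharacters in either record
    findings = []
    for central_name, local_offset in central_directory_entries(data):
        local_name = local_header_name(data, local_offset)
        if central_name != local_name:
            findings.append(("mismatch", local_name, central_name))
        for record, name in (("local", local_name), ("central", central_name)):
            if HTML_SPECIAL & set(name):
                findings.append(("html-chars", record, name))
    return findings

def build_sample(tamper=True):  # constructed archive; tamper rewrites only the ZipDirEntry name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("local_file1.txt", "hello")  # constructed entry, benign in both records
    data = bytearray(buf.getvalue())
    if tamper:
        (cd_offset,) = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)
        data[cd_offset + 46:cd_offset + 61] = b"<b>file</b>.txt"  # same length, constructed tag
    return bytes(data)
```

Calling `check_zip_metadata(build_sample())` reports both the name mismatch and the HTML characters in the central-directory name, while the untampered archive (`tamper=False`) yields no findings; a viewer that renders only the local-header name would show nothing suspicious, which is exactly the gap the description above points at.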
## Exploitation
- Status: Proof-of-Concept (PoC) available (developed by the researcher).
- Complexity: Low (Requires creation and upload of a specially crafted ZIP file).
- Attack Vector: Upload/Stored (The payload is stored on Google's servers upon upload, and executed when a victim views the file preview).
## Impact
- Confidentiality: High (Session hijacking via cookie theft, redirection to phishing sites).
- Integrity: High (Ability to execute arbitrary JavaScript in the context of the Google domain, potentially manipulating the view or session).
- Availability: Low (The primary impact is on user sessions, less so on service availability).
## Remediation
### Patches
- Google fixed the issue following the disclosure in March 2013. The researcher noted only that it had been mitigated; no patch details or version numbers were given.
### Workarounds
- Users should exercise caution when uploading archives from untrusted sources.
- Note: The vulnerability was contained within the `googleusercontent.com` domain, which Google deemed a "sandbox" and therefore not eligible for a bounty, suggesting the immediate risk to the main Google domain was mitigated or considered low by Google's internal policy at the time.
## Detection
- Indicators of Compromise: Unusual redirection behavior or pop-ups initiated while previewing shared Google Docs files, particularly those containing archived content.
- Detection methods and tools: A WAF or upload-scanning step that inspects the extracted archive metadata (the filename in both the `ZipFileRecord` and the `ZipDirEntry`) for injected HTML tags, or for names that differ between the two records, would catch this class of payload once the sanitization gap is known.
## References
- Vendor Advisories: None explicitly linked by the researcher, only communication mentioned.
- Relevant links:
  - sensepost com/blog/google-docs-xss-no-bounty-today (defanged for safety)
  - beefproject com (mentioned as a potential tool leveraging the XSS)