XSS in Oculus Rift's CDN

After looking through Oculus Rift's site I came across the developer section for making apps. I quickly made a test app and poked around for vulnerabilities until I found a function to upload icons in the Assets tab. The limitations on the upload were that the image needed to be 512x512 in size and it had to be a PNG file. After some googling I found a picture that fit the requirements, uploaded it, and captured the POST request that was made. The endpoint verified that the file was a PNG by looking at the IHDR data chunk in the uploaded file, but it didn't verify that the extension was actually .png, so you could change the filename extension to .html, forward the request, and in the response you would get the link to your PNG uploaded to the content delivery network with an extension of .html. To actually get any JavaScript to run, all you had to do was append it to the end of the file and the browser would interpret it.

Proof of Concept

1) Go to https://dashboard.oculus.com/ and login

2) Create a new app or use an existing app

3) Navigate to the app's Assets

4) Go to upload a new Icon (Any random image of size 512x512 will work)

5) Intercept the HTTP request to graph.oculus.com/upload_image/

6) Find the filename parameter of the Content-Disposition header and change it from .png to .html

7) Append any JavaScript/malicious code you want to the end of the data stream

8) Send the request through

9) In the response it should spit out some JSON data with the URI of the file in it

10) Browse to the URI and the code will be executed
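The root cause above is a server that inspects the PNG header but trusts the client-supplied filename and ignores bytes past the end of the image. The following is an added example, not Oculus's code, of an upload validator that closes both gaps: it allowlists the stored extension, walks every PNG chunk with CRC checks, enforces the 512x512 size from IHDR, and rejects any data after IEND. Function and constant names are my own, and the sample PNG bytes are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
REQUIRED_SIZE = (512, 512)          # the icon size the page says the endpoint demands
ALLOWED_EXTENSIONS = {".png"}       # the CDN serves by extension, so it must be enforced


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def validate_png_upload(filename: str, data: bytes) -> tuple:
    """Return (ok, reason). Rejects bad extensions, malformed PNGs, wrong sizes and trailing bytes."""
    # 1. Extension allowlist: never let the client choose how the file will be served.
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    # 2. Signature check, then a full chunk walk (not just the first chunk).
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos, first = len(PNG_SIGNATURE), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False, "truncated chunk"
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return False, f"bad CRC in {ctype!r}"
        if first:
            if ctype != b"IHDR" or length != 13:
                return False, "first chunk is not a valid IHDR"
            width, height = struct.unpack(">II", body[:8])
            if (width, height) != REQUIRED_SIZE:
                return False, f"size {width}x{height} is not 512x512"
            first = False
        pos += 12 + length
        if ctype == b"IEND":
            # 3. Anything after IEND is not image data; an appended script lives here.
            if pos != len(data):
                return False, f"{len(data) - pos} trailing bytes after IEND"
            return True, "ok"
    return False, "no IEND chunk"


# Constructed sample: a structurally minimal 512x512 PNG (IHDR + IEND, no pixel data).
IHDR_DATA = struct.pack(">IIBBBBB", 512, 512, 8, 6, 0, 0, 0)
SAMPLE_PNG = PNG_SIGNATURE + _chunk(b"IHDR", IHDR_DATA) + _chunk(b"IEND", b"")
```

Storing the file under a server-generated name with a fixed .png extension, and serving it with an explicit image/png Content-Type and X-Content-Type-Options: nosniff, removes the remaining dependence on the client-supplied filename.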

Timeline

Submitted - October 27th, 2017

Triaged - October 30th, 2017

Fixed - December 6th, 2017

Bounty awarded ($1500) - December 6th, 2017