Starred by 3 users
Status: Duplicate
Merged: issue 259669
Owner: ----
Closed: Jun 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug

Blocking:
issue 68208

Drag-and-Drop and File Extension Bugs Enable Chrome to Drop Malicious File
Reported by asusz...@yahoo.com, Feb 24 2013
VERSION
Chrome Version: 24.0.1312.57
Operating System: Windows 7

Summary

Google Chrome drag-and-drop events allow copying files from a rendered DHTML page to local and network paths. Another issue allows setting an arbitrary extension for the destination file. Together, these issues could lead to planting malicious files on the user's computer.

A remote attacker may trick a user into visiting a specially crafted web page, selecting an object from it, and dropping the content onto the user's computer (e.g. on the desktop).

When the user is tricked into downloading malware by exploiting the drag-and-drop issue, Chrome downloads the malware without performing a security scan on it, bypassing the functionality designed to analyze executable files when downloading.


Example Attack Vectors

Below are three example attack vectors.

1) Dropping a rar file containing executable file on Windows desktop

- Download PoC TODO link from SkyDrive.

- Open index.html via http:// (file:// won't work). index.html displays the gif file that is index.gif.rar.rar. The gif file has a rar file attached at offset 0x9b1.

- When the browser displays the image, drag and drop it on the Desktop. The file will be copied as index.gif.rar.

- Open index.gif.rar with WinRar, or with 7-Zip, and extract the content of it. It contains a txt file but I could have put an executable in it.


2) Dropping an executable file on Windows desktop

TODO Requires bug in the renderer process to overwrite the memory where the GIF is loaded with malicious code - demonstrate it in Windbg.

3) Dropping shortcut on Windows desktop

TODO


 
DragAndDrop-PoC.zip
2.7 KB Download
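The first vector in the report relies on a GIF that carries archive data after the image. As an added example (not part of the original report or of Chromium's code), the following defender-side check walks the GIF block structure to find the real trailer, then reports any bytes that follow it and whether they contain a RAR signature. The function names and both sample byte strings are constructed for illustration.

```python
RAR_MAGIC = b"Rar!\x1a\x07"  # prefix shared by RAR 4.x and 5.x signatures

def _skip_sub_blocks(data, pos):
    """Skip length-prefixed GIF sub-blocks; return offset past the 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_end_offset(data):
    """Walk the GIF block structure and return the offset just past the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        pos = 13                                  # header + logical screen descriptor
        if data[10] & 0x80:                       # global color table present
            pos += 3 * (2 << (data[10] & 7))
        while data[pos] != 0x3B:                  # 0x3B = trailer
            if data[pos] == 0x21:                 # extension: label, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif data[pos] == 0x2C:               # image descriptor
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:                  # local color table present
                    pos += 3 * (2 << (flags & 7))
                pos = _skip_sub_blocks(data, pos + 1)   # +1: LZW minimum code size
            else:
                raise ValueError(f"unexpected block 0x{data[pos]:02x} at {pos:#x}")
        return pos + 1
    except IndexError:
        raise ValueError("truncated GIF") from None

def inspect_gif(data):
    """Report bytes after the GIF trailer and where a RAR signature sits, if any."""
    end = gif_end_offset(data)
    hit = data.find(RAR_MAGIC, end)
    return {"gif_end": end, "trailing_bytes": len(data) - end,
            "rar_at": hit if hit >= 0 else None}

# Constructed sample: 1x1 GIF whose comment extension holds a 0x3B byte, so a
# naive search for the trailer would stop too early.
CLEAN_GIF = (b"GIF89a" b"\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
             b"\x21\xfe\x01;\x00" b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02\x44\x01\x00" b"\x3b")
# Constructed sample: same image followed by the RAR signature and filler text
# (not a real archive).
APPENDED = CLEAN_GIF + RAR_MAGIC + b"\x00" + b"constructed filler"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("appended", APPENDED)):
        print(name, inspect_gif(blob))
```

A non-zero `trailing_bytes` value is the signal worth acting on; the RAR signature lookup only labels one known kind of appended content.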
Comment 1 by asusz...@yahoo.com, Feb 24 2013
25.0.1364.97 affected, too.
Comment 2 by palmer@chromium.org, Feb 26 2013
Cc: a...@chromium.org rdsmith@chromium.org benjhayden@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-3 Area-UI OS-All Feature-Downloads Feature-Security SecImpacts-Stable SecImpacts-Beta SecSeverity-None
Status: Available
I agree that dragging and dropping files should invoke the dangerous file extension checking code.

See bug https://code.google.com/p/chromium/issues/detail?id=166366, which may be/is related. This bug might even be a duplicate of that one.
Comment 3 by asusz...@yahoo.com, Mar 1 2013
Here is one more abuse case. It allows dropping a jpeg file that has a bat extension. The jpeg file is altered. When the user double-clicks on the dropped file, cmd.exe is executed.

The zip also contains the original jpeg file so you can make a diff against the altered one.
DragDropExecuteImage.zip
15.0 KB Download
Cc: jef...@apple.com
Labels: -Type-Security -SecImpacts-Stable -SecImpacts-Beta Type-Bug
Fixing flags.
Project Member Comment 6 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-UI -Feature-Downloads -Feature-Security -SecSeverity-None Cr-Security Cr-UI Security-Severity-None Cr-UI-Browser-Downloads
Comment 7 by cdn@chromium.org, Mar 21 2013
Labels: -Security-Severity-None Security_Severity-None
Bulk edit
Cc: -rdsmith@chromium.org
Blocking: chromium:68208
Labels: -Restrict-View-SecurityTeam
Comment 11 by palmer@google.com, Nov 14 2013
Cc: asanka@chromium.org palmer@chromium.org rdsmith@chromium.org f...@chromium.org
Cc: dcheng@chromium.org
Cc: ddkil...@apple.com
Comment 14 by noel@chromium.org, Jun 23 2015
Status: WontFix
#3 maybe try your PoC and see that it is proof of nothing. A .jpg is dropped on the desktop and it is a JPEG image, not a bat file.

#0 again a .rar that you try to drop on the desktop as a gif. Well, try it, and a .gif image is in fact dropped and viewed in an image viewer.

WontFix (no reproduction), drag drop images in chrome do not allow third parties to set file extension.
Comment 15 by noel@chromium.org, Jun 23 2015
Mergedinto: 259669
Status: Duplicate