
Issue 590985


Issue metadata

Status: WontFix
Closed: Mar 2016




Security: Download .exe file on any computer

Reported by pabster...@gmail.com, Mar 1 2016

Issue description


VULNERABILITY DETAILS
Download any .exe file on victim computer via data: and iframe:
<head>
</head>
<body>
    <iframe src='data:application/x-msdownload;base64,a2poYWxrc2hkbGtoYXNka2xoYXNsa2RoYWxraGtoYWxza2hka2xzamFoZGxramhhc2xka2hhc2xrZGgKYXNrZGpoa2FzZGpoYWtzaGRrYXNoZGtoYXNrZGhhc2tkaGthc2hka2Foc2RraGFrc2hka2FzaGRraGFzCmFza2pkaGFrc2hkbSxjbmtzamFoZGtoYXNrZGhhc2tka2hrYXNkCjg3MzQ2ODEyNzQ2OGtqc2hka2FoZHNrZGhraApha3NqZGthc2Roa3NkaGthc2hka2FzaGtkaAohISomXkAqJl4qYWhpZGFzeWRpeWlhc1xcb1wKa2Fqc2Roa2FzaGRrYXNoZGsKYWtzamRoc2tkaAplbmQK
'>
</body>
Should get blocked, but it doesn't, .exe gets downloaded.
VERSION
Chrome Version: Newest
Operating System: Macintosh

REPRODUCTION CASE
You could use this to get a .exe file on anybody's computer without their permission or their knowing; it could compromise the victim's computer completely and could lead to complete host takeover.
HTML:
<head>
</head>
<body>
    <iframe src='data:application/x-msdownload;base64,a2poYWxrc2hkbGtoYXNka2xoYXNsa2RoYWxraGtoYWxza2hka2xzamFoZGxramhhc2xka2hhc2xrZGgKYXNrZGpoa2FzZGpoYWtzaGRrYXNoZGtoYXNrZGhhc2tkaGthc2hka2Foc2RraGFrc2hka2FzaGRraGFzCmFza2pkaGFrc2hkbSxjbmtzamFoZGtoYXNrZGhhc2tka2hrYXNkCjg3MzQ2ODEyNzQ2OGtqc2hka2FoZHNrZGhraApha3NqZGthc2Roa3NkaGthc2hka2FzaGtkaAohISomXkAqJl4qYWhpZGFzeWRpeWlhc1xcb1wKa2Fqc2Roa2FzaGRrYXNoZGsKYWtzamRoc2tkaAplbmQK
'>
</body>

 
Oops, sorry gotta close the iframe tag lol ;)
Status: WontFix (was: Unconfirmed)
Thanks for reporting, pabstersac! 
On my Mac with the latest Chrome 48.0.2564.109, the download.exe is correctly caught by download protection.
I will mark this bug as WontFix for now since I cannot reproduce it. But feel free to reopen it if you can provide us test cases that do not trigger download warnings.

Many thanks! 
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 8 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
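
A defender-side check for the pattern in this report, added here as an example and not code from the report or from Chromium: it scans markup for `data:` URLs in `src`, `href` and `data` attributes and flags those that declare an executable media type or whose decoded payload starts with the `MZ` magic bytes. The function names, the extra media types and the sample markup are assumptions constructed for the example.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Only application/x-msdownload comes from the report; the others are assumed additions.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/vnd.microsoft.portable-executable"}
URL_ATTRS = {"src", "href", "data"}  # attributes that can carry a URL to load
# Constructed sample: a declared executable type, a mislabelled payload starting
# with the "MZ" magic bytes, and a harmless inline image.
SAMPLE_HTML = """<iframe src='data:application/x-msdownload;base64,Y29uc3RydWN0ZWQ=
'></iframe>
<a href="data:text/plain;base64,TVqQAAMAAAA=">notes.txt</a>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">"""

def parse_data_url(url):
    """Return (media_type, payload_bytes) for a data: URL, or None for anything else."""
    url = "".join(url.split())  # ignore line breaks inside the attribute value
    if not url.lower().startswith("data:") or "," not in url:
        return None
    header, _, body = url[5:].partition(",")
    params = [p.lower() for p in header.split(";")]
    if "base64" in params[1:]:
        try:
            payload = base64.b64decode(body + "=" * (-len(body) % 4))
        except ValueError:  # malformed base64: keep the type check, skip sniffing
            payload = b""
    else:
        payload = unquote_to_bytes(body)
    return params[0] or "text/plain", payload

class DataUrlScanner(HTMLParser):
    """Records (tag, attribute, media_type, reason) for suspicious data: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            parsed = parse_data_url(value or "") if name in URL_ATTRS else None
            if parsed and (parsed[0] in EXECUTABLE_TYPES or parsed[1][:2] == b"MZ"):
                reason = "declared type" if parsed[0] in EXECUTABLE_TYPES else "MZ header"
                self.findings.append((tag, name, parsed[0], reason))

def scan_html(html):
    scanner = DataUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `scan_html(SAMPLE_HTML)` reports the `iframe` by its declared type and the link by its payload header, and leaves the inline image alone.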
