
Issue 596298

Starred by 6 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug




Security: RAR archive parsing issue in Guest mode on ChromeOS

Reported by resea...@nightwatchcybersecurity.com, Mar 20 2016

Issue description

(Split off from #595558 as requested)

VULNERABILITY DETAILS
Because of bug #579035, we observed that double clicking on a file inside the RAR file does not properly encode the name of the file when opening in Chrome, specifically in the address bar. We are attaching a test RAR file and a screenshot.

VERSION
Chrome Version: 49.0.2623.95 (Official Build) (64-bit)
Operating System: ChromeOS 7834.60.0 (= Official Build) stable-channel parrot

REPRODUCTION CASE
Open the RAR file to mount it. Double click the non-English PDF file inside and observe the name un-encoded in Chrome. File originally came from:
http://www.mesherasrub.ru/Kak_postroit_selskii_dom.rar
Attachments: Kak_postroit_selskii_dom.rar (3.7 MB); Screenshot (32.1 KB)

Comment 1 by mea...@chromium.org, Mar 21 2016

Components: Platform>Apps>FileManager
Labels: OS-Chrome
Owner: mtomasz@chromium.org
Status: Assigned (was: Unconfirmed)
Reattaching the screenshot as a png. This seems to be a problem in rar handling rather than the omnibox. I'm not sure what damage an attacker can do here, other than confusing the user though, so I'm planning to drop the security labels.

mtomasz: Can you please take a look?
Attachment: Screenshot.png (32.1 KB)
I took a quick look at this file and the file format looks broken. How did you create the archive? Could you provide exact steps? Thanks.

Comment 4 by wfh@chromium.org, Mar 25 2016

I'm not sure this is a security bug, rather than just a functional bug in the rar extractor.

research@ can you describe how an attacker might use this vulnerability to do anything malicious to users other than show an invalid filename?

Comment 5 by ClusterFuzz, Mar 27 2016

Labels: Missing_Impact-2 Missing_Severity-2

Comment 6 by wfh@chromium.org, Mar 27 2016

Labels: -Type-Bug-Security -Missing_Impact-2 -Restrict-View-SecurityTeam -Missing_Severity-2 Type-Bug
flipping to a functional bug
Cc: ya...@nightwatchcybersecurity.com
Labels: from-mtomasz
Cc: mtomasz@chromium.org
Owner: fukino@chromium.org
Cc: fukino@chromium.org
Labels: M-66 Pri-3
Owner: yamaguchi@chromium.org
yamaguchi@ - With the updates you are making for zip, is this still an issue?
The update for Zip Archiver does not affect handling of .rar files. Therefore this will be still an issue.
Issue 579035 has been merged into this issue.
Labels: CrOS-FilesApp-Zip
<files-triage>
Labels: -CrOS-FilesApp-Zip CrOSFilesFeature-Zip
Labels: -M-66 -CrOSFilesFeature-Zip M-67
Owner: ----
Status: Available (was: Assigned)
Labels: CrOSFilesFeature-Zip
This is not on zip files, but labeled as CrOSFilesFeature-Zip as it's related to features for archive files.
Punted to M-67 due to Pri-3.
Labels: -M-67
