Download Protection Bypass using Automated File Extension Changing
Reported by picklebo...@gmail.com, Mar 22 2016
Issue description

This template is ONLY for reporting Download Protection Bypass bugs within Chrome and is not for requesting a review of sites or binaries identified as malicious.

VERSION
Chrome Version: 49.0.2623.87, stable
Operating System: Windows 10, 1511

REPRODUCTION CASE
Please include a demonstration of the Download Protection / Safe Browsing bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

**Explanation in HTML file
Mar 22 2016
Another test
Mar 22 2016
Pasting from .zip

README.txt:
**In order to test the bug you must run the contents on a server (I used XAMPP, but any stack will do) and not by opening the file locally in Chrome, otherwise it will not work! My code is in the /build folder that I used to make "Program.exe" and the website for the demonstration is in the /htdocs folder.

From the index.html:
The program "Content.exe" was still passed to the user through the program "Program.exe". This was done by taking the "Content.exe" and converting the ".exe" to a ".txt". Next, I created a batch file that would change the extension automatically when executed and then it would end up launching the malicious code. Then, I put it into a ".exe" using a program called "Advanced BAT to EXE converter v2.94" and packaged the batch program and the malware hidden as a .txt into a single .exe. All the user has to do is simply execute that program and that malicious code is already running and stored in the user's temp folder, so it could lead to further damage. For testing I used a XAMPP stack on my computer and downloaded the two links below. The first one is the example malware taken from "https://testsafebrowsing.appspot.com/" and the second is another file (I will give my binaries that I used to make it) that ends up launching the same code.
Mar 22 2016
Thanks for the report! You're effectively wrapping an .exe in another one, which does not bypass Safe Browsing. This will still trigger a request to Safe Browsing to analyze your new .exe, so this is WAI and doesn't meet the VRP rules: https://www.google.com/about/appsecurity/chrome-rewards/

"The download should not send a Download Protection Ping back to Safe Browsing. Download Protection Pings can be measured by checking increments to counters at chrome://histograms/SBClientDownload.CheckDownloadStats. If a counter increments, a check was successfully sent (with exception to counter #7, which counts checks that were not sent)."
Mar 22 2016
Thanks for taking a look at my report! I'll try to see if I can catch any vulnerabilities and be able to fully bypass Safe Browsing to where it doesn't send a Download Protection Ping. By the way, what did you mean when you said "so this is WAI"?
Mar 23 2016
WAI = "Working As Intended"
Apr 6 2016

Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Mar 22 2016