ZIP file scanning on Mac does not work as expected |
|||||||||||||
Issue descriptionThe function safe_browsing::zip_analyzer::AnalyzeZipFile uses the BinaryFeatureExtractor to retrieve information about binary files contained within the archive. However it uses file extensions (specifically download_protetion_util::IsSupportedBinaryFile) to identify whether a file is interesting enough to analyze using the BinaryFeatureExtractor. Using file extensions on OS X is generally quite error prone (c.f. issue 596354 ) because the system doesn't exclusively use them to identify file openers. One particular place where this is problematic is with how AnalyzeZipFile calls AnalyzeContainedFile: https://code.google.com/p/chromium/codesearch#chromium/src/chrome/common/safe_browsing/zip_analyzer.cc&sq=package:chromium&type=cs&l=122. On OS X, it uses the ".app" extension to identify files for scanning. But .app's are not actual files--they're directories. The binary file worth analyzing is actually nested within the structure, and it has no extension to identify it: GoatTeleporter.app/Contents/MacOS/GoatTeleporter And this .app bundle can have additional executables elsewhere within it structure, e.g.: GoatTeleporter.app/Contents/XPCServices/TeleporterBridge.xpc/Contents/MacOS/TeleporterBridge GoatTeleporter.app/Contents/Resources/beam_me_up ... etc Compare this to how the DMG analyzer looks for files to analyze, via reading the first u32 of the file to check the file's magic: https://code.google.com/p/chromium/codesearch#chromium/src/chrome/utility/safe_browsing/mac/dmg_analyzer.cc&l=132. This is also not error-free (c.f. issue 591194 ) but it is definitely more reliable than using the file extensions. Currently, no .app files in .zip files are analyzed properly.
,
Apr 4 2016
Thanks for confirming labels Varun.
,
Apr 5 2016
,
May 6 2016
,
Jun 8 2016
,
Jun 10 2016
Not a low severity vulnerability, this is a safebrowing issue.
,
Jun 23 2016
Robert -- Is this something you could take a swing at? If it's a matter of using the same first-u32-checking logic that the DMG analyzer uses, that should be straightforward. But now I'm wondering, should we be trusting extensions on Mac at all? Should we instead be looking at contents? I've experimented just a bit and found that PNGs can be downloaded and opened without any extension, so it seems Mac is doing some content-sniffing.
,
Jun 23 2016
No, I won't have time to do this for at least a few quarters. To identify Mach-O files you do just need to check the file's u32 magic (mostly, though note the issue I mentioned with that above). As I alluded to in https://crbug.com/600613#c5 , Mac doesn't just use file extensions, so they are not a reliable indicator of the filetype.
,
Jan 27 2017
,
May 31 2017
,
Jun 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/177cde5a7f2d95de6601f01e9bee8fdedf13a96b commit 177cde5a7f2d95de6601f01e9bee8fdedf13a96b Author: mortonm <mortonm@google.com> Date: Mon Jun 26 23:41:34 2017 Rather than simply relying on file extension (e.g. .DMG) to determine whether to extract DMG features from download, instead look at file metadata to check for existence of 'koly' signature which identifies Mac archive types. BUG= 600392 >Review-Url: https://codereview.chromium.org/2926473002 >Cr-Commit-Position: refs/heads/master@{#480631} >Committed: >https://chromium.googlesource.com/chromium/src/+/6602ea616cce79869b300ffa82c3fc64fe422200 Review-Url: https://codereview.chromium.org/2926473002 Cr-Commit-Position: refs/heads/master@{#482463} [modify] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/browser/safe_browsing/BUILD.gn [add] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/browser/safe_browsing/disk_image_type_sniffer_mac.cc [add] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/browser/safe_browsing/disk_image_type_sniffer_mac.h [add] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/browser/safe_browsing/disk_image_type_sniffer_mac_unittest.cc [modify] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/browser/safe_browsing/download_protection_service.cc [modify] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/browser/safe_browsing/download_protection_service_unittest.cc [modify] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/test/BUILD.gn [modify] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/chrome/test/data/safe_browsing/dmg/generate_test_data.sh [modify] https://crrev.com/177cde5a7f2d95de6601f01e9bee8fdedf13a96b/tools/metrics/histograms/histograms.xml
,
Jun 28 2017
,
Jun 28 2017
Oops, closed by accident. Reopen this issue and assign to mortonm@
,
Aug 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/034ecb569929e1202f39cf744a32e8deeade06c8 commit 034ecb569929e1202f39cf744a32e8deeade06c8 Author: mortonm <mortonm@google.com> Date: Fri Aug 04 14:57:41 2017 Improve Zip File Scanning on Mac This CL fixes two aspects of broken ZIP processing on Mac. First, it ensures that .app files are treated as directories and as such do not break binary feature extraction, causing analysis to fail. Second, it performs type-sniffing to identify the existence of executable MachO files that do not have any file extension, as is the usual case on Mac. BUG= 600392 Review-Url: https://codereview.chromium.org/2961373002 Cr-Commit-Position: refs/heads/master@{#492032} [modify] https://crrev.com/034ecb569929e1202f39cf744a32e8deeade06c8/chrome/browser/safe_browsing/sandboxed_zip_analyzer_unittest.cc [modify] https://crrev.com/034ecb569929e1202f39cf744a32e8deeade06c8/chrome/common/safe_browsing/zip_analyzer.cc [modify] https://crrev.com/034ecb569929e1202f39cf744a32e8deeade06c8/chrome/test/data/safe_browsing/mach_o/Makefile [add] https://crrev.com/034ecb569929e1202f39cf744a32e8deeade06c8/chrome/test/data/safe_browsing/mach_o/zipped-app-two-executables-one-signed.zip [modify] https://crrev.com/034ecb569929e1202f39cf744a32e8deeade06c8/third_party/zlib/google/zip_reader.cc [modify] https://crrev.com/034ecb569929e1202f39cf744a32e8deeade06c8/third_party/zlib/google/zip_reader.h [modify] https://crrev.com/034ecb569929e1202f39cf744a32e8deeade06c8/third_party/zlib/google/zip_reader_unittest.cc
,
Aug 7 2017
,
Aug 8 2017
,
Aug 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0b415f14a94fd3e4c8ff5cad64779ecd3d2335cc commit 0b415f14a94fd3e4c8ff5cad64779ecd3d2335cc Author: Micah Morton <mortonm@google.com> Date: Tue Aug 08 18:26:46 2017 Record UMA stat for whether Zip downloads on Mac contain .app. .app directories on Mac need to be packaged into one file for transmission. This is frequently done by archiving into .dmg file, but can also be done by zipping into .zip. Bug: 600392 Change-Id: Ie7c137307ace593dde95bd7311bc32ed71bbc55b Reviewed-on: https://chromium-review.googlesource.com/603881 Commit-Queue: Micah Morton <mortonm@google.com> Reviewed-by: Jialiu Lin <jialiul@chromium.org> Reviewed-by: Steven Holte <holte@chromium.org> Cr-Commit-Position: refs/heads/master@{#492704} [modify] https://crrev.com/0b415f14a94fd3e4c8ff5cad64779ecd3d2335cc/chrome/browser/safe_browsing/sandboxed_zip_analyzer_unittest.cc [modify] https://crrev.com/0b415f14a94fd3e4c8ff5cad64779ecd3d2335cc/chrome/common/safe_browsing/zip_analyzer.cc [modify] https://crrev.com/0b415f14a94fd3e4c8ff5cad64779ecd3d2335cc/tools/metrics/histograms/histograms.xml
,
Nov 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by penny...@chromium.org
, Apr 4 2016Owner: nparker@chromium.org