MSU files are not checked
Reported by resea...@nightwatchcybersecurity.com, Apr 5 2016

Issue description

VERSION
Chrome Version: 49.0.2623.110 (Official Build) m (32-bit)
Operating System: Windows 2012 R2; version 6.3.9600

REPRODUCTION CASE
MSU files are standalone Windows update files which are CAB files with installation packages inside. Format is described here: https://support.microsoft.com/en-us/kb/934307
Chrome does not check these. It would be possible in theory to create a malicious one.
Test file here: https://github.com/jherby2k/PowerShellAudio/blob/master/Deployment/Bootstrapper/Windows6.1-KB2819745-x86-MultiPkg.msu
Apr 5 2016
Same behavior applies to MLC files which are Language packs. Both MSU and MLC are executed by WUSA.exe which is part of Windows update.
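The two comments above make one technical point: an MSU (or MLC) download is a Microsoft Cabinet with an update package inside, handed to wusa.exe on double-click, and the browser treats it as an ordinary file. The following is an added example, not code from this bug thread or from Chromium, showing what a defender-side download check could do with that fact: parse the fixed CFHEADER at the start of a cabinet (layout taken from Microsoft's public Cabinet format documentation), flag the wusa-handled extensions named in the thread the way a download scanner flags installers, and notice cabinet content hiding behind an unrelated extension. The sample cabinet bytes are constructed here (a bare header with filler, not a real update package) and the file names are made up.

```python
import os
import struct

# CFHEADER: the fixed 36-byte little-endian header that starts every Microsoft
# Cabinet. Field order follows the public Cabinet format documentation:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CAB_SIGNATURE = b"MSCF"

# Extensions Windows hands to wusa.exe (per the thread) plus plain cabinets.
WUSA_EXTENSIONS = {".msu", ".mlc"}
CABINET_EXTENSIONS = WUSA_EXTENSIONS | {".cab"}


def parse_cab_header(data: bytes):
    """Return the useful CFHEADER fields, or None if data is not a cabinet."""
    if len(data) < CFHEADER.size:
        return None
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3,
     ver_minor, ver_major, c_folders, c_files,
     flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data)
    if sig != CAB_SIGNATURE:
        return None
    return {
        "declared_size": cb_cabinet,        # total cabinet size the header claims
        "first_cffile_offset": coff_files,  # where the CFFILE entries start
        "version": f"{ver_major}.{ver_minor}",
        "folders": c_folders,
        "files": c_files,
        "flags": flags,
    }


def classify_download(filename: str, data: bytes) -> dict:
    """Classify a downloaded file by extension and by its real content."""
    ext = os.path.splitext(filename)[1].lower()
    header = parse_cab_header(data)
    is_cab = header is not None
    findings = []
    if ext in WUSA_EXTENSIONS:
        findings.append("wusa-handled update package; treat like an installer")
    if is_cab and ext not in CABINET_EXTENSIONS:
        findings.append(f"cabinet content behind unexpected extension {ext or '(none)'}")
    if is_cab and header["declared_size"] != len(data):
        findings.append("declared cabinet size differs from actual size (truncated or trailing data)")
    return {"extension": ext, "is_cabinet": is_cab, "header": header, "findings": findings}


def build_sample_cabinet(n_files: int = 1) -> bytes:
    """Constructed test input: a CFHEADER followed by zero filler.

    This is only enough to exercise the header parser; it is not an
    installable update package.
    """
    body = b"\x00" * 28
    total = CFHEADER.size + len(body)
    header = CFHEADER.pack(CAB_SIGNATURE, 0, total, 0, CFHEADER.size, 0,
                           3, 1,            # versionMinor=3, versionMajor=1 -> "1.3"
                           1, n_files, 0,   # cFolders, cFiles, flags
                           0x1234, 0)       # setID, iCabinet
    return header + body


if __name__ == "__main__":
    sample = build_sample_cabinet()
    # Made-up file names; KB0000000 is a placeholder, not a real update id.
    for name, blob in [("KB0000000-sample.msu", sample),
                       ("notes.txt", sample),
                       ("KB0000000-sample.msu", sample + b"\xff")]:
        result = classify_download(name, blob)
        print(name, result["is_cabinet"], result["findings"])
```

The point of keying on the header rather than the extension is that a browser or endpoint scanner which only looks at `.msu`/`.mlc` misses the same cabinet renamed to something innocuous, while one that only looks at magic bytes misses the fact that Windows will route these two extensions to wusa.exe on a double-click.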
Apr 5 2016
I can confirm that a user can just double-click on a downloaded MSU file and start the install process. However, a dialog is shown when that happens. See: https://youtu.be/8-PrXOvYDs0?t=89
Apr 6 2016
Interesting to note: When the user double clicks on an MSU file, the MSU file itself isn't executed. Instead, Wusa.exe is executed which reads the MSU file.
Apr 6 2016
research@nightwatchcybersecurity.com: Thanks for filing the bug report. Can you please tell us how downloading and running a .MSU file can lead to "non-sandboxed code execution" on the user's machine? As I mention in #3 and #4, when a user double clicks on a file with extension .MSU, it launches WUSA.exe not the .MSU file itself. This would be similar to, for example, downloading a .PDF file and double-clicking it to open the default PDF application, and therefore is not in scope for the rewards program.
Apr 6 2016
Microsoft provides a tool to create custom MSU Files, which contain Windows updates. They can be used to install software on a system - they are not just PDF files but are more similar to MSI files. The tool is called "Custom Updates Publishing Tool" and supports MSU as mentioned here: https://support.microsoft.com/en-us/kb/953592 HOWEVER, we do not have access to the tool in order to replicate this. Additionally, we are not sure whether Microsoft uses any kind of signature scheme for MSU files.
Apr 6 2016
Looks like by default only Microsoft-signed updates would be installed unless a certificate is installed into the registry: https://msdn.microsoft.com/en-us/library/bb902479(v=vs.85).aspx This would require local client settings to be changed first before a malicious MSU package is installed.
Apr 11 2016
Thanks for the additional information, research@nightwatchcybersecurity.com. It is clear from #9 that executing the contents of an MSU file not signed by Microsoft is non-trivial. Therefore, under the rules of the reward program, this issue does not qualify for a reward: "The file type on disk must lead to non-sandboxed code execution after *minimal user interaction* with the file."
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot