DIAGPKG and associated files not checked on Windows
Reported by
resea...@nightwatchcybersecurity.com,
Apr 5 2016
Issue description

VERSION
Chrome Version: 49.0.2623.110 (Official Build) m (32-bit)
Operating System: Windows 2012 R2; version 6.3.9600

REPRODUCTION CASE
DIAGPKG / DIAGCAB and DIAGCFG files are used by the Diagnostics Troubleshooting Wizard. They can potentially be malicious: https://threatpost.com/jumping-out-of-ies-sandbox-with-one-click/102054/3/ Chrome does not check these. We can provide a patch if needed.
Apr 6 2016
Apr 12 2016
Apr 18 2016
research@nightwatchcybersecurity.com: Can you please provide a step-by-step way, along with a proof of concept file, that shows how this issue can be used to exploit Chrome and execute an attacker controlled binary?
Apr 19 2016
You can package PowerShell scripts into a DIAGCAB file; the only thing needed to execute would be a digital signature. The step by step would be to create malicious PowerShell scripts, package them into a DIAGCAB file, digitally sign and give to the user. The digital signature is not from Microsoft but from any valid SSL authority.

Example custom DIAGCAB file can be found here: https://github.com/Tulpep/Reset-IPv6/releases
Source code here: https://github.com/Tulpep/Reset-IPv6

Microsoft provides a tool called WTP that allows people to create custom diagnostics packages under the DIAGCAB extension. The tool is here: https://msdn.microsoft.com/en-us/library/dd323778%28v=vs.85%29.aspx
More info here: http://blogs.microsoft.co.il/sasha/2009/09/05/creating-a-custom-windows-7-troubleshooting-pack/
Apr 20 2016
Sorry, I should have been clearer with my last comment and missed an important piece. I meant to ask you if there are any repro steps for a fully patched version of Windows? Even with a carefully crafted .DIAGCAB file, to possibly exploit this issue, the attacker needs to target a user running a version of Windows that hasn't been patched for more than 2.5 years. If that's the case, this isn't an important issue for Chrome because any user using such an outdated version of the OS has many more serious issues to get attacked by.
Apr 20 2016
Thanks for the clarification. The steps we describe in step 5 are a different issue than the original bug description. The original bug description is about a specific vulnerability, but what we are describing in comment 5 is the ability to package executable code inside a DIAGCAB file as intended by Microsoft, not using this vulnerability. We are able to verify that the DIAGCAB file provided below executes on a fully patched version of Windows 2012 R2, 64 bit: https://github.com/Tulpep/Reset-IPv6/releases/download/2.0.13/ResetIPv6.diagcab What is required is a digital signature, but not from Microsoft, which can be easily obtained by an attacker from any legit SSL authority. The only thing that can possibly mitigate this is that the DIAGCAB file shows an introduction screen with a description and icon, but that is not a warning screen; it is similar to the "NEXT" buttons used in regular installers such as MSI files, which are being checked on Chrome. Do you need a verification on a different version of Windows other than 2012 R2?
Apr 20 2016
Attaching screenshots of what the DIAGCAB executing looks like, and by comparison an MSI file for Firefox.
May 6 2016
May 13 2016
Just wondering if this issue is still being looked at
May 29 2016
We are including a patch for the new dynamic file type system.
Jun 8 2016
Jun 10 2016
Jun 29 2016
Just wondering if there is an update on the status of this. Thanks.
Jul 22 2016
checking on this
Aug 1 2016
ping
Aug 26 2016
Closing as WontFix. If you have a complete repro, please feel free to reopen.
Mar 9 2017
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nparker@chromium.org, Apr 6 2016