Download Protection: SPARSEBUNDLE and SPARSEIMAGE files not checked on Mac OS X
Reported by
resea...@nightwatchcybersecurity.com,
Apr 5 2016
Issue description

VERSION
Chrome Version: 49.0.2623.87 Official Build
Operating System: Mac OS X El Capitan, version 10.11.3

REPRODUCTION CASE
SPARSEBUNDLE and SPARSEIMAGE files are not checked by download protection on Mac OS. Problem is that you can take any DMG file and rename it, and serve it that way. Mac OS will treat both the same.

To replicate this issue, take any DMG file, stick it on a web server, and rename it to .SPARSEIMAGE or .SPARSEBUNDLE. Then download on Mac and double click. It will act the same way as a DMG.

We can try to provide a patch.

Same behavior as https://bugs.chromium.org/p/chromium/issues/detail?id=596354 but found later on
,
Apr 5 2016
jialiul -- Can you try these and confirm this behavior? Then we should treat these like DMGs and report+parse them.
,
Apr 5 2016
FYI real .sparsebundle files cannot be directly downloaded from the web, since they are directories (.sparseimage files are plain files). Neither are currently supported by the DMG analyzer within Chromium, though. But renaming a .dmg to one of those extensions would trigger DiskUtility to open it regardless of the extension.
,
Apr 5 2016
Confirmed. Unfortunately, these types are not in our dangerous file type list, and they can be opened the same way as dmg.
,
Apr 5 2016
If we wanted to avoid using extension lists for this, it is possible to query the system for what application will open the file. That can be done with -[NSWorkspace URLForApplicationToOpenURL:].
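An added illustration of the gap discussed in the comments above, not code from Chromium or from anyone in this thread: a hypothetical one-entry extension list misses a renamed DMG, while a check for the 512-byte UDIF trailer (signature `koly`) does not depend on the file name. It uses content sniffing rather than the NSWorkspace query mentioned above; the list, file names and sample bytes are constructed.

```python
import os
import struct
import tempfile

# Hypothetical stand-in for an extension list; not Chromium's actual list.
EXTENSION_LIST = {".dmg"}
UDIF_TRAILER_SIZE = 512   # UDIF images end with a 512-byte trailer
UDIF_MAGIC = b"koly"      # trailer signature

def flagged_by_extension(path):
    # Name-based check: only the file extension is consulted.
    return os.path.splitext(path)[1].lower() in EXTENSION_LIST

def has_udif_trailer(path):
    """Content-based check: True if the file ends with a UDIF trailer."""
    try:
        size = os.path.getsize(path)
        if size < UDIF_TRAILER_SIZE:
            return False
        with open(path, "rb") as f:
            f.seek(size - UDIF_TRAILER_SIZE)
            trailer = f.read(UDIF_TRAILER_SIZE)
    except OSError:  # unreadable, or a directory (as a real .sparsebundle is)
        return False
    header_size = int.from_bytes(trailer[8:12], "big")
    return trailer[:4] == UDIF_MAGIC and header_size == UDIF_TRAILER_SIZE

def demo():
    """Return {name: (flagged_by_extension, has_udif_trailer)} for constructed samples."""
    trailer = struct.pack(">4sII", UDIF_MAGIC, 4, UDIF_TRAILER_SIZE).ljust(UDIF_TRAILER_SIZE, b"\x00")
    fake_image = b"\x00" * 1024 + trailer   # constructed bytes, not a mountable image
    samples = {
        "sample.dmg": fake_image,
        "sample.sparseimage": fake_image,   # same bytes, renamed
        "notes.txt": b"plain text, no trailer\n" * 40,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = (flagged_by_extension(path), has_udif_trailer(path))
        bundle = os.path.join(tmp, "real.sparsebundle")
        os.mkdir(bundle)                    # a real sparse bundle is a directory
        results["real.sparsebundle"] = (flagged_by_extension(bundle), has_udif_trailer(bundle))
    return results

if __name__ == "__main__":
    print(demo())
```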
,
Apr 6 2016
In addition to the extensions in comment, also .TOAST
,
Apr 18 2016
Merge request due to security implication. Thanks!
,
Apr 18 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/cd719f651b57e7235f30b974e763e569f2cc9aeb

commit cd719f651b57e7235f30b974e763e569f2cc9aeb
Author: jialiul <jialiul@chromium.org>
Date: Mon Apr 18 20:08:21 2016

Add more mac executable extensions

BUG= 600613

Review URL: https://codereview.chromium.org/1881763002
Cr-Commit-Position: refs/heads/master@{#387995}

[modify] https://crrev.com/cd719f651b57e7235f30b974e763e569f2cc9aeb/chrome/browser/download/download_extensions.cc
[modify] https://crrev.com/cd719f651b57e7235f30b974e763e569f2cc9aeb/chrome/browser/safe_browsing/download_protection_service.cc
[modify] https://crrev.com/cd719f651b57e7235f30b974e763e569f2cc9aeb/chrome/common/safe_browsing/download_protection_util.cc
[modify] https://crrev.com/cd719f651b57e7235f30b974e763e569f2cc9aeb/content/browser/download/download_stats.cc
[modify] https://crrev.com/cd719f651b57e7235f30b974e763e569f2cc9aeb/tools/metrics/histograms/histograms.xml
,
Apr 18 2016
research@nightwatchcybersecurity.com: Thanks for reporting the issue. As confirmed by jialiul@, we can reproduce this issue locally. I'll investigate whether it falls within the guidelines of the VRP program (it most likely does) and will update the issue shortly thereafter.
,
Apr 18 2016
I can confirm that the issue does indeed fall within the guidelines of the Download Protection bypass VRP. Sending to the panel for reward review.
,
Apr 19 2016
Pls confirm the change has baked in canary and verified safe? Thanks.
,
Apr 19 2016
[Automated comment] Request affecting a post-stable build (M50), manual review required.
,
Apr 19 2016
jialiul@ is waiting for canary to ramp up a little more to get meaningful data from UMA, we chatted and agreed not to include in this week's M50 stable refresh but potential future ones.
,
Apr 20 2016
tinazh@, I have verified this change in canary. Request permission to merge into later M50 stable refresh. Thanks!
,
Apr 22 2016
Approving merge M50 branch 2661 based on Comment #17 & #18.
,
Apr 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e5a9304bd17eea442cc8a2a4f7a4bc75ac86bdac

commit e5a9304bd17eea442cc8a2a4f7a4bc75ac86bdac
Author: Jialiu Lin <jialiul@chromium.org>
Date: Fri Apr 22 18:36:02 2016

Add more mac executable extensions

BUG= 600613

Review URL: https://codereview.chromium.org/1881763002
Cr-Commit-Position: refs/heads/master@{#387995}
(cherry picked from commit cd719f651b57e7235f30b974e763e569f2cc9aeb)

Review URL: https://codereview.chromium.org/1919463002 .
Cr-Commit-Position: refs/branch-heads/2661@{#622}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/e5a9304bd17eea442cc8a2a4f7a4bc75ac86bdac/chrome/browser/download/download_extensions.cc
[modify] https://crrev.com/e5a9304bd17eea442cc8a2a4f7a4bc75ac86bdac/chrome/browser/safe_browsing/download_protection_service.cc
[modify] https://crrev.com/e5a9304bd17eea442cc8a2a4f7a4bc75ac86bdac/chrome/common/safe_browsing/download_protection_util.cc
[modify] https://crrev.com/e5a9304bd17eea442cc8a2a4f7a4bc75ac86bdac/content/browser/download/download_stats.cc
[modify] https://crrev.com/e5a9304bd17eea442cc8a2a4f7a4bc75ac86bdac/tools/metrics/histograms/histograms.xml
,
May 2 2016
Thanks again for your report. Someone from our finance team should get in contact within 7 days to collect payment details. If that doesn't happen, please contact me directly at timwillis@ or update this bug.
,
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
,
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot