Save Image As can be used to smuggle a batch script
Reported by
ronaldod...@gmail.com,
Jul 19 2016
Issue description
UserAgent: Mozilla/5.0 (Linux; Android 5.1.1; SM-J700H Build/LMY48B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.81 Mobile Safari/537.36

Steps to reproduce the problem:
The reproduction I put in a zip file.

What is the expected behavior?
When saving an image from an HTML file it should be a JPEG file. But I use an image with a file extension of *.bat, which is definitely something a non-technical user could fall for from a simple attack. POC and code are in here: https://1drv.ms/u/s!AlskQyNHV3VTgjdhIlfUeMMGSqws

What went wrong?
Here is the PoC and code: https://1drv.ms/u/s!AlskQyNHV3VTgjdhIlfUeMMGSqws

Did this work before? N/A
Chrome version: 51.0.2704.81 Channel: stable
OS Version: 7 Ultimate
Flash Version:
Jul 19 2016
I confirmed that Chrome does indeed save the image, upon explicit user action, as a .bat file, which can be executed to launch calc.exe. That actually doesn't concern me so much because from the Windows perspective, the file is a .bat file, so Chrome is just saving it as the OS will interpret the file. However, I'm surprised I never got a safe browsing prompt. Possibly because I am running the webpage, and downloading the file, from local storage? nparker, do you know what the correct behavior is? Thanks.
Jul 20 2016
+jialiul -- will this be caught by the fix for page-saving?
Jul 20 2016
WAI. Image-saving goes through regular download protection checks. Reasons: (1) download protection checks downloads (including images) based on their resolved file type (in this case, *.bat). (2) If this bat file is really bad (not just a rename of a jpg) and hosted remotely (not as file:// on your local machine), safe browsing service checks it as a regular download of a bat file. BTW, the "This type of file can harm your computer" warning will only be shown if you disabled safe browsing service or for some reason the SB service is not reachable.
Jul 21 2016
Hi ronaldodeweybeutista@, Thanks for reporting it. It doesn't matter where you host the page or the bat/image file. The main reason I marked this as WAI is because when a user does a "save image as", no matter what file type it resolves to, this download is checked by safe browsing service. So if the download is truly malicious, and Google knows about it, a warning will be shown. (Of course, if Google does not know about it, there is nothing Chrome can do, and it does not need to be hidden as an image either.) WRT your thought on whether it should resolve to an image type instead of a bat type, being different from Mozilla does not mean it is a bug. The bottom line is, nothing bypasses safe browsing service.
Jul 21 2016
Besides SafeBrowsing, shouldn't there be a "mark of the web" prompt for the downloaded bat file? It sounds dangerous to me that clicking the downloaded bat simply runs it with no prompts.
Jul 22 2016
Yeah. It runs with no prompts.
Jul 22 2016
Thanks for the comment, meacer@! It is indeed a mark-of-the-web issue.
I tried two cases: (1) directly download the sample.bat file, (2) download the sample.bat file by using "save image as..." as described in this issue (sample (1).bat).
For both cases, download protection service checked the bat file, and mark-of-the-web was applied (differently).

>dir /r sample*
07/22/2016  11:10 AM            33,819 sample (1).bat
                                    29 sample (1).bat:Zone.Identifier:$DATA
07/22/2016  10:44 AM            33,819 sample.bat
                                    26 sample.bat:Zone.Identifier:$DATA
               2 File(s)         67,638 bytes
               0 Dir(s)  854,311,292,928 bytes free

Note: test cases are hosted remotely; sample.bat was directly downloaded, sample (1).bat is the one using "save image as...".
So I checked their ZoneId:

>notepad sample.bat:Zone.Identifier
[ZoneTransfer]
ZoneId=3

however,

>notepad sample (1).bat:Zone.Identifier
[ZoneTransfer]
AppZoneId=4

And since this is outside the scope of safe browsing service, removed the corresponding component ID.
Aug 3 2016
asanka: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 17 2016
asanka: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 25 2016
Nathan, can you please help to find another owner for this.
Aug 26 2016
To summarize: "Save As" files don't have the proper MotW applied, so an image could become a dangerous file type that wouldn't show an OS-supplied warning. elawrence -- Are you interested in landing a fix for this?
Aug 26 2016
RE #24, "Save as" is fine. Regular file saving has correct MotW applied. But "Save image as..." is not.
Aug 29 2016
This:
[ZoneTransfer]
AppZoneId=4
... is what gets written when the Windows SmartScreen service analyzes the file and determines that it's harmless and thus eligible to have the Internet Zone MOTW removed.
So I think the original determination of "Works as Intended" is correct, but I'll reconfirm by walking through the repro myself.
Aug 30 2016
-= DOWNLOAD IS EVALUATED BY REPUTATION SERVICES =-
I walked through this repro on both Windows 7 and Windows 10 with the files hosted on an Internet server. In both cases, I see webservice hits to both SafeBrowsing and Microsoft SmartScreen containing information about the downloaded batch file.

-= DOWNLOAD IS TAGGED WITH INTERNET ORIGINS =-
In both cases, a proper Mark of the Web is added as the file's Zone.Identifier alternate data stream with a value of ZoneID=3, indicating "Internet Zone." Upon invocation of the file, the MotW marker successfully triggers:
- Win7: the Windows Attachment Execute Services prompt
- Win10: the Windows SmartScreen experience

In Windows 7, if you untick "Always ask before opening this file" before choosing to "Run", then the Zone.Identifier stream is deleted such that future invocations of the file do not trigger the security prompt (by design). On Windows 10, if you elect to "Run Anyway", SmartScreen replaces ZoneID=3 with AppZoneId=4 such that future invocations of the file do not trigger the security prompt (by design).

So, in summary, no security controls have been evaded by this repro.
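As an added example for this thread (not Chromium code and not anything posted by the participants above), the following Python parses the [ZoneTransfer] body of a Zone.Identifier stream and classifies it the way the two comments above describe: ZoneId=3 is the Internet-zone Mark of the Web that triggers the Attachment Execution Services / SmartScreen prompt, while a stream carrying only AppZoneId=4 is the post-"Run Anyway" marker that no longer does. The two stream bodies are constructed from the values quoted in this issue. Assumptions not taken from the thread: the zone-name table follows the standard URLMON zone numbering, the optional ReferrerUrl/HostUrl keys are ones newer browsers add to the stream, and read_zone_identifier relies on the NTFS "file:stream" path syntax, so it only does anything on Windows.

```python
"""Parse and classify the Zone.Identifier ("Mark of the Web") stream.

Added example for this issue thread; not Chromium code. The constructed
stream bodies at the bottom reproduce the two values posted in the thread.
"""
import configparser
import os
import sys

# URLMON security zones (assumption: standard numbering, not from the thread).
# ZoneId=3 (Internet) is what a browser writes on a download from the web.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(text):
    """Return a dict describing a Zone.Identifier stream body.

    Keys: 'zone' (int or None), 'zone_name', 'app_zone' (int or None),
    'prompts' (True when the OS open-file prompt will fire), 'referrer' and
    'host' (optional URL keys some browsers add; None when absent).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so ZoneId and AppZoneId stay distinct
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in stream")
    sec = cp["ZoneTransfer"]
    zone = int(sec["ZoneId"]) if "ZoneId" in sec else None
    app_zone = int(sec["AppZoneId"]) if "AppZoneId" in sec else None
    # The prompt is tied to ZoneId being Internet (3) or Restricted (4).
    # A stream with only AppZoneId=4 is what SmartScreen leaves after the user
    # chose "Run Anyway" (per the walkthrough above) and does not prompt again.
    prompts = zone is not None and zone >= 3
    return {
        "zone": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown") if zone is not None else None,
        "app_zone": app_zone,
        "prompts": prompts,
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def read_zone_identifier(path):
    """Read and parse the Zone.Identifier alternate data stream of a file.

    Returns None when the file carries no MotW stream, or when not running on
    Windows, where the NTFS 'path:stream' syntax does not exist.
    """
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


# Constructed stream bodies reproducing the two values observed in the thread.
DIRECT_DOWNLOAD = "[ZoneTransfer]\nZoneId=3\n"          # sample.bat
SAVE_IMAGE_AS_AFTER_RUN_ANYWAY = "[ZoneTransfer]\nAppZoneId=4\n"  # sample (1).bat

if __name__ == "__main__":
    for label, body in (("sample.bat", DIRECT_DOWNLOAD),
                        ("sample (1).bat", SAVE_IMAGE_AS_AFTER_RUN_ANYWAY)):
        print(label, parse_zone_identifier(body))
    # Optional: inspect real files given on the command line (Windows only).
    for p in sys.argv[1:]:
        print(p, read_zone_identifier(p))
```

Run it with no arguments to see the two constructed streams classified; on Windows, pass downloaded files as arguments to inspect their actual Zone.Identifier streams, which is a quicker check than opening each stream in notepad as done above.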
Aug 30 2016
Thanks for the detailed walkthrough, elawrence@!
Dec 7 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |