Project: chromium
Status: WontFix
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Save Image As can be used to smuggle a batch script
Reported by ronaldod...@gmail.com, Jul 19 2016
UserAgent: Mozilla/5.0 (Linux; Android 5.1.1; SM-J700H Build/LMY48B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.81 Mobile Safari/537.36

Steps to reproduce the problem:
The reproduction I put in a zip file.

What is the expected behavior?
When saving an image from an HTML file it should be a JPEG file. But I use an image with a file extension of *.bat, which will definitely cause some non-technical user to fall for a simple attack. PoC and code are in here.

https://1drv.ms/u/s!AlskQyNHV3VTgjdhIlfUeMMGSqws

What went wrong?
Here are the PoC and code:

https://1drv.ms/u/s!AlskQyNHV3VTgjdhIlfUeMMGSqws

Did this work before? N/A 

Chrome version: 51.0.2704.81  Channel: stable
OS Version: 7 Ultimate
Flash Version:
 
Comment 1 Deleted
Owner: nparker@chromium.org
I confirmed that Chrome does indeed save the image, upon explicit user action, as a .bat file, which can be executed to launch calc.exe.

That actually doesn't concern me so much because, from Windows' perspective, the file is a .bat file, so Chrome is just saving it as the OS will interpret the file.

However, I'm surprised I never got a Safe Browsing prompt. Possibly because I am running the webpage, and downloading the file, from local storage? nparker, do you know what the correct behavior is? Thanks.
Comment 3 Deleted
Project Member Comment 4 by sheriffbot@chromium.org, Jul 20 2016
Status: Assigned
Cc: jialiul@chromium.org
Components: Services>Safebrowsing
+jialiul -- will this be caught by the fix for page-saving?
Status: WontFix
WAI. Image-saving goes through regular download protection checks. 
Reasons:
(1) Download protection checks downloads (including images) based on their resolved file type (in this case, *.bat).
(2) If this bat file is really bad (not just a rename of a jpg) and hosted remotely (not as file:// on your local machine), the Safe Browsing service checks it as a regular download of a bat file.

BTW, the "This type of file can harm your computer" warning will only be shown if you disabled the Safe Browsing service or for some reason the SB service is not reachable.
Comment 7 Deleted
Comment 8 Deleted
Hi ronaldodeweybeutista@,
Thanks for reporting it.
It doesn't matter where you host the page or the bat/image file. The main reason I marked this as WAI is that when a user does a "save image as", no matter what file type it resolves to, this download is checked by the Safe Browsing service. So if the download is truly malicious, and Google knows about it, a warning will be shown. (Of course, if Google does not know about it, there is nothing Chrome can do, and it does not need to be hidden as an image either.)
WRT your thought on whether it should resolve to an image type instead of a bat type, being different from Mozilla does not mean it is a bug.
The bottom line is, nothing bypasses the Safe Browsing service.
Besides SafeBrowsing, shouldn't there be a "mark of the web" prompt for the downloaded bat file? It sounds dangerous to me that clicking the downloaded bat simply runs it with no prompts.
Yeah. It runs with no prompts.
Cc: asanka@chromium.org
Components: UI>Browser>Downloads
Status: Untriaged
Cc: -asanka@chromium.org nparker@chromium.org
Components: -Services>Safebrowsing
Owner: asanka@chromium.org
Status: Available
Thanks for the comment, meacer@! It is indeed a mark-of-the-web issue. 
I tried two cases: (1) directly download the sample.bat file, (2) download the sample.bat file by using "save image as..." as described in this issue (sample (1).bat). 
For both cases, the download protection service checked the bat file, and mark-of-the-web was applied (differently).

>dir /r sample*
07/22/2016  11:10 AM            33,819 sample (1).bat
                                    29 sample (1).bat:Zone.Identifier:$DATA
07/22/2016  10:44 AM            33,819 sample.bat
                                    26 sample.bat:Zone.Identifier:$DATA
               2 File(s)         67,638 bytes
               0 Dir(s)  854,311,292,928 bytes free

Note:
Test cases are hosted remotely; sample.bat is directly downloaded, sample (1).bat is the one using "save image as...".

So I checked their ZoneId:
>notepad sample.bat:Zone.Identifier
[ZoneTransfer]
ZoneId=3

However:
>notepad sample (1).bat:Zone.Identifier
[ZoneTransfer]
AppZoneId=4


And since this is outside the scope of the Safe Browsing service, I removed the corresponding component.



Labels: Security_Severity-Medium Security_Impact-Stable
Project Member Comment 15 by sheriffbot@chromium.org, Jul 23 2016
Labels: M-52
Project Member Comment 16 by sheriffbot@chromium.org, Jul 23 2016
Labels: -Pri-2 Pri-1
Project Member Comment 17 by sheriffbot@chromium.org, Jul 23 2016
Status: Assigned
Comment 18 Deleted
Project Member Comment 19 by sheriffbot@chromium.org, Aug 3 2016
asanka: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 20 Deleted
Comment 21 Deleted
Project Member Comment 22 by sheriffbot@chromium.org, Aug 17 2016
asanka: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -nparker@chromium.org asanka@chromium.org
Owner: nparker@chromium.org
Nathan, can you please help to find another owner for this.
Cc: elawre...@chromium.org
To summarize: "Save As" files don't have the proper MotW applied, so an image could become a dangerous file type that wouldn't show an OS-supplied warning.

elawrence -- Are you interested in landing a fix for this? 
RE #24, "Save as" is fine. Regular file saving has correct MotW applied. But "Save image as..." is not. 
Cc: -elawre...@chromium.org nparker@chromium.org
Owner: elawre...@chromium.org
Summary: Save Image As can be used to smuggle a batch script (was: Putting an image loaded with bat file to download by user.)
This:

    [ZoneTransfer]
    AppZoneId=4

... is what gets written when the Windows SmartScreen service analyzes the file and determines that it's harmless and thus eligible to have the Internet Zone MOTW removed. 

So I think the original determination of "Works as Intended" is correct, but I'll reconfirm by walking through the repro myself.
Status: WontFix
-= DOWNLOAD IS EVALUATED BY REPUTATION SERVICES =-
I walked through this repro on both Windows 7 and Windows 10 with the files hosted on an Internet server. In both cases, I see webservice hits to both SafeBrowsing and Microsoft SmartScreen containing information about the downloaded batch file. 

-= DOWNLOAD IS TAGGED WITH INTERNET ORIGINS =-
In both cases, a proper Mark of the Web is added as the file's Zone.Identifier alternate data stream with a value of ZoneID=3, indicating "Internet Zone." 

Upon invocation of the file, the MotW marker successfully triggers:

- Win7: the Windows Attachment Execute Services prompt 
- Win10: the Windows SmartScreen experience

In Windows 7, if you untick "Always ask before opening this file" before choosing to "Run", then the Zone.Identifier stream is deleted such that future invocations of the file do not trigger the security prompt (by design).

On Windows 10, if you elect to "Run Anyway", SmartScreen replaces ZoneID=3 with AppZoneId=4 such that future invocations of the file do not trigger the security prompt (by design). 

So, in summary, no security controls have been evaded by this repro.
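The walkthrough above turns on what is actually stored in the file's Zone.Identifier alternate data stream: ZoneId=3 (Internet zone, prompt still pending) versus AppZoneId=4 (SmartScreen already evaluated and cleared the file). The following is an added example for auditing that state from a defender's side; it is not Chromium or Windows code. It parses the INI-style stream text, classifies it, and can read the stream directly on NTFS. The ZONE_NAMES table is the well-known URLZONE set from urlmon.h; the ReferrerUrl/HostUrl keys and the example.com URLs in the third sample are constructed, as are all sample streams.

```python
"""Audit Mark-of-the-Web (MotW) state from a Zone.Identifier stream.

Added example, not Chromium or Windows code. Windows records MotW as an NTFS
alternate data stream named Zone.Identifier containing a small INI file.
The verdicts mirror the three states discussed in the thread:
  * ZoneId=3 (or 4)      -> Internet-zone MotW; OS prompt expected on first run
  * AppZoneId=4, no ZoneId -> SmartScreen already evaluated and cleared the file
  * no stream / no section -> no MotW at all
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values from urlmon.h (well-known Windows constants).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

VERDICT_NO_MOTW = "no-motw"
VERDICT_INTERNET = "internet-motw"       # ZoneId >= 3: AES/SmartScreen prompts apply
VERDICT_CLEARED = "smartscreen-cleared"  # AppZoneId present, ZoneId absent
VERDICT_LOW_RISK = "low-risk-zone"       # ZoneId 0..2: no prompt by design


@dataclass
class MotwStatus:
    zone_id: Optional[int]
    app_zone_id: Optional[int]
    referrer_url: Optional[str]  # optional origin keys written by newer Windows
    host_url: Optional[str]
    verdict: str


def parse_zone_identifier(stream_text: Optional[str]) -> MotwStatus:
    """Classify the contents of a Zone.Identifier stream (None = no stream)."""
    if stream_text is None:
        return MotwStatus(None, None, None, None, VERDICT_NO_MOTW)
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so ZoneId and AppZoneId stay distinct
    cp.read_string(stream_text.replace("\r\n", "\n"))  # stream uses CRLF on disk
    if not cp.has_section("ZoneTransfer"):
        return MotwStatus(None, None, None, None, VERDICT_NO_MOTW)
    sec = cp["ZoneTransfer"]
    zone = int(sec["ZoneId"]) if "ZoneId" in sec else None
    app_zone = int(sec["AppZoneId"]) if "AppZoneId" in sec else None
    if zone is None and app_zone is None:
        verdict = VERDICT_NO_MOTW
    elif zone is None:
        verdict = VERDICT_CLEARED
    elif zone >= 3:
        verdict = VERDICT_INTERNET
    else:
        verdict = VERDICT_LOW_RISK
    return MotwStatus(zone, app_zone, sec.get("ReferrerUrl"), sec.get("HostUrl"), verdict)


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS on NTFS (Windows); returns None where the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as f:
            return f.read()
    except OSError:
        return None


def audit_file(path: str) -> MotwStatus:
    """Read and classify a file's MotW in one step."""
    return parse_zone_identifier(read_zone_identifier(path))


def describe(status: MotwStatus) -> str:
    zone = "none" if status.zone_id is None else ZONE_NAMES.get(status.zone_id, "unknown")
    return f"ZoneId={status.zone_id} ({zone}) AppZoneId={status.app_zone_id} -> {status.verdict}"


# Constructed samples: the two streams shown in the thread's notepad output,
# plus a newer-Windows-style stream with origin URLs (example.com is a placeholder)
# and a file with no stream at all.
SAMPLES = {
    "sample.bat": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "sample (1).bat": "[ZoneTransfer]\r\nAppZoneId=4\r\n",
    "win10-style.bat": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                        "ReferrerUrl=https://example.com/page.html\r\n"
                        "HostUrl=https://example.com/sample.bat\r\n"),
    "local.bat": None,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:16} {describe(parse_zone_identifier(text))}")
```

A sanity check against the `dir /r` listing above: with CRLF line endings, `[ZoneTransfer]\r\nZoneId=3\r\n` is 26 bytes and `[ZoneTransfer]\r\nAppZoneId=4\r\n` is 29 bytes, exactly the sizes reported for the two Zone.Identifier streams, so the listing alone already tells you which file SmartScreen has cleared. `audit_file` only finds a stream on NTFS; on other filesystems the `path:Zone.Identifier` name simply does not exist and the result is `no-motw`.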
Thanks for the detailed walkthrough, elawrence@! 
Project Member Comment 29 by sheriffbot@chromium.org, Dec 7 2016
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot