Auto Download file on chrome linux version
Reported by
m.as...@isecur1ty.org,
Sep 3 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/49.0.2623.108 Chrome/49.0.2623.108 Safari/537.36

Steps to reproduce the problem:
1.
2.
3.

What is the expected behavior?

What went wrong?
We can download a default "download" file into the Downloads directory, without user interaction, by playing with the MIME types through the data function. So the hacker can download malware onto the client machine without his permission and execute it later with several techniques like social engineering or any technical issue like a normal executable file that runs our malware. In our case, we successfully downloaded a bash script that could bind a command shell on the user machine and wait for any connection.

Did this work before? Yes

Chrome version: 49.0.2623.108 Channel: n/a
OS Version:
Flash Version:

This bug could be a very good assistant to any hacker to accomplish a full successful attack on the user machine. The bug also works with Android versions, but is not confirmed on any Windows versions.
Sep 3 2016
Thanks for reporting this issue. The file is downloaded with the name "download" (no extension). This is working as intended. We do not expect the malicious actors to be able to convince and guide the users into changing the file extensions of files on disk. It is doable, but we consider the user interaction needed here fairly non-trivial.
Sep 3 2016
But the attackers can still execute the downloaded file even if they can't change the file extensions, and this is the theory: download the "download" file onto the user machine, and later we can execute it without even changing the file extensions, as I said.
Dec 10 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 10 2017
Removing the Restrict-View-SecurityTeam label since this isn't a security bug and was open before.