Issue metadata
Sign in to add a comment
|
Security: SDCH .dct Files: Remote Auto-Download & Local JavaScript Content Executed
Reported by
wildbugs...@gmail.com,
Sep 10 2016
|
||||||||||||||||||||||
Issue descriptionPlease refer to the attached .pdf report as an aid that may assist the reader through format/style. -- --- ** NOTE: The reason I have submitted the two (2) ISSUE’s together and combined them in this report is because the presence of the 2nd ISSUE opens up an especially relevant attack vector. ** --- -- SDCH ISSUE NO. 1: REMOTE SHARED DICTIONARY FILES (.DCT) AUTOMATICALLY DOWNLOADED TO LOCAL FILE SYSTEM Remote files with the Shared Dictionary extension (.dct) are automatically downloaded to the user’s local file system (Downloads directory) without prompting or warning. (Google Chrome Version 52.0.2743.116 m / 64-bit). As there appears to be no business reason for this behavior, or really for the SDCH file to be accessible outside of the browser’s sandbox at all, it appears this behavior may be placing users in unnecessary risk. In contrast, when using Chrome to navigate to remote sources of other file types: if the file type is downloaded automatically the application generally stores it within the containment of the browser’s virtual file system. In the case if/when a file is stored locally outside the browser’s virtual storage, the user is typically presented with an informational pop-up, a warning or prompted to verify this action before the application proceeds to save this file to the local disk. Additionally, with some file types that could potentially contain malicious payloads and/or delivery, Chrome will act upon its internal content sniffing (detection) and render it as benign. However, in the case of Shared Dictionary files (.dct), no measures are taken to validate the download or inform the user of the potential security risk(s). As an example, the URL below was navigated to by typing it into the address bar: https://www.google.it/sdch/llEW5nEn.dct For completeness, the raw HTTP request generated by the browser was: GET /sdch/OP1sfYxf.dct HTTP/1.1 Host: www.google.kz Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Accept-Encoding: gzip, deflate, sdch, br Accept-Language: en-US,en;q=0.8 The server subsequently returned the following response: HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: application/x-sdch-dictionary Date: Wed, 07 Sep 2016 12:20:37 GMT Expires: Thu, 07 Sep 2017 12:20:37 GMT Cache-Control: public, max-age=31536000 Last-Modified: Wed, 07 Sep 2016 00:03:40 GMT X-Content-Type-Options: nosniff Server: sffe Content-Length: 149037 X-XSS-Protection: 1; mode=block Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32" Domain: www.google.kz Path: /search bvch\",\"u\":location.href,\"e\":\"\",\"bvch\":false,\"bv\":24,\"us\":\"c9c918f0\"});\u003C\/script\u003E\u003Cscript\u003Eje.api({\"n\":\"ad\",\"t\":\"Ð - Ð?оиÑк в Google\",\"e\":\"tophf\",\"h\":\"\\x3cinput name\\x3d\\x22newwindow\\x22 value\\x3d\\x221\\x22 type\\x3d\\x22hidden\\x22\\x3e\\x3cinput name\\x3d\\x22name\\x3d\\x22biw\\x22 value\\x3d\\x221\\x22 type\\x3d\\x22hidden\\x22\\x3e\\x3cinput name\\x3d\\x22hl\\x22 value\\x3d\\x22ru\\x22 type\\x3d\\x22hidden\\x22\\x3e\ilrpc\",\"h\":\"\",\"is\":_loc,\"ss\":_ss});\u003C\/script\u003E\u003Cscript\u003Eje.api({\"n\":\"p\",\"i\":\"easter-egg\",\"h\":\"\",\"i ... <snip> As captured in the screenshot below (see attached image, “Remote_dct_Files_AutoDownloaded.PNG“), the OP1sfYxf.dct file was automatically downloaded into my user’s Downloads directory, without any warning or prompting. The following URLs (instances) were also confirmed to exhibit the same behavior: https://www.google.com/sdch/Q6O8lUuP.dct https://www.google.kz/sdch/OP1sfYxf.dct https://www.google.jo/sdch/e6nSd0RY.dct https://www.google.it/sdch/llEW5nEn.dct https://www.google.iq/sdch/DTLPwP0g.dct https://www.google.com.kw/sdch/w2Qt0ha0.dct https://www.google.co.kr/sdch/93AxhCbZ.dct https://www.google.co.jp/sdch/YHNFftCO.dct For how this auto download behavior could be abused by an attacker, and to more specifically as to why the .dct file type could be a dangerous candidate for local (auto)download, please refer to the 2nd issue (see “ISSUE No. 2” below); which is that JavaScript contained in a .dct file will be executed when loaded locally. ** NOTE: The reason I have submitted these two (2) ISSUE’s together in this report is because the presence of the 2nd ISSUE opens up an especially relevant attack vector(s), of which I am unsure if this behavior is known, accepted/intended functionality; or if it’s unknown, in which case the said exploitation vector documented in ISSUE No. 2 would be pertinent for assessing the security threat posed by ISSUE No . 1 ….(Never mind, …please just bear with me.) ** SDCH ISSUE NO. 2: LOCAL SHARED DICTIONARY FILES (.DCT) EXECUTE JAVASCRIPT CONTENT As mentioned above in ISSUE No. 1, I am reporting that JavaScript contained in a .dct file will be executed when loaded (read: rendered) from a local source. As a proof of concept, a file named “Test_File_1.dct” was hosted on a web server. This file contained the following content: <html><body> <br> <h2> *.dct Files Downloaded Automatically to user's local download directory</h2> <br> <h3>JavaScript contents are executed when a file with *.dct extension is loaded into the browser.<h3> <script>alert("JavaScript is executed")</script> </body></html> When the Chrome browser (Version 52.0.2743.116 m / 64-bit) navigates to this remotely hosted file, it is automatically downloaded (directly into the user’s local download directory; without warning or prompts; ref. ISSUE No. 1, see above.) and it is rendered as benign text; of which both behaviors are captured (read: evident) in the screenshot below (see attached image, “Remote_dct_File_Rendered_Benign.PNG”). If this same test file is then loaded by the browser from the local copy that the browser has just auto-downloaded (saved in the user’s “Downloads” folder), it can be seen from the alert ‘pop-up’ in the screenshot below that the JavaScript is executed when the page is rendered by the browser (see attached image, “Local_dct_File_Rendered_JavaScript_Executed”). Of course, how the browser renders content for the remotely hosted file can be controlled, for example, through various HTTP headers (e.g. Content-Type: application/x-sdch-dictionary); in which case the onus is placed on whomever is serving the file (web dev/admin/architect/etc.). However, when the browser loads a local file, there is no entity (read: middleman) that can revise or add HTTP Headers. Thus, without protection from such mechanisms, the user must rely upon the browser’s content sniffing, and its mitigative (re)actions. Notable with this attack vector: If a victim of the auto-download IS convinced/coerced/ignorant and DOES open this local .drt file with the Chrome browser, the attacker’s malicious payloads (JavaScript) will be run under the relaxed security policies that the browser enforces with respect to local files; thereby giving an attacker additional avenue(s)/vector(s) to increase their privileges/authorization or to simply perform an attack. Discussion (‘Two-cents’ Digression?): Conventionally, .dct files are ‘silently’ fetched (in the background) by a browsing agent that retrieves a .dct file from a location specified in a Get-Dictionary (HTTP Response Header). These HTTP requests for the file, its storage, its parsing, etc. are all intended to originate and operate within the browser’s virtual environment/storage (i.e. the Brower’s Sandbox). So it almost seems like Chrome slips down a weird code path where the conditions for auto download were not checked because it was assumed to only have an origin from within the sandbox; however, when a .dct resource is requested through an action that originates from outside the sandbox (e.g. navigation via the address bar or an <A HREF> link) the browser neglects to (re)iterate through the auto-download policies and conditions. (I am sure this is either entirely obvious, or entirely wrong.) I look forward to hearing back on how Google would assess the risk, if any, is posed by Chrome's behavior w.r.t. SDHC files. Cheers, Charles
,
Sep 11 2016
,
Sep 12 2016
vakh please can you triage this safe browsing report.
,
Sep 13 2016
,
Sep 14 2016
Hi, Okay, there's a couple subtleties that I would like to point out to contrast between the foo.foo file example and the .dct file. When I click on your file link the browser prompts me to download via a saveas file selection pop-up window; whereas with the .sdc file, it automatically gets put in the downloads folder. Also, when I navigate directly to the URL in href link (https://whytls.com/test/foo.foo) the browser renders the file as plain text - it does not get downloaded to my downloads directory. As for the priviledge escalation w.r.t. loading a local html file verses a remote file, the increased privilege and available actions that the Javascript can perform in the local case is plentiful. For instance, local file/share access, NetNTLM cred transfers, various protocol handlers that only 'pop' when/if loaded locally, etc., etc. Of course, this privilege escalation is not what I am reporting on and simply exists (mentioned here only towards providing a PoC). To help clarify a valid attack vector of significant threat, take RFD (remote file download; or Drive-by Download). Now of course, an attacker can not control the file extension in this case, however if a victim has enticed a user to visit a malicious page, the Javascript could: i). Download the .dct file silently in the background, then ii). Load that file, which contains JavaScript that iii). Executes/Runs under the context/permissions of a locally loaded file. Which is something malicious Javascript can't do on it's own if a user visits a malicious page; nor can it do so by leveraging an dictionary file with malicious payloads so long as it's stored/runs within the browser's sandbox. Hope that helps, Charles
,
Sep 14 2016
I'd like to understand your claim "ii" that an attacker can "Load that file". By what means is an attacker able to load the downloaded file? He could certainly ask the user to open the file by clicking on it and selecting a browser to open it, but I do not see any method by which he can load the file automatically. Chrome's behavior with regard to downloads of uncommon file types is subtle and confusion is understandable. When the browser is asked to navigate to a given URL, it often does not know a priori whether the result will be a new document in the browser window or something that gets treated as a file download. The determination that the result should be treated as a download is made based on: 1. Whether the <A> tag linking to the target has a HTML5 "download" attribute (indicating that the result should be treated as a download regardless of the browser's ability to render the content) 2. Whether the target resource's HTTP headers specify "Content-Disposition: attachment" (indicating that the result should be treated as a download regardless of the browser's ability to render the content) 3. The MIME type of the target resource, typically specified by the web server in a Content-Type response header; sometimes determined by "sniffing" the bytes of the resource to determine whether it represents a known type. If the type so specified or determined cannot be rendered by the browser, it is treated as a download. As a general rule-of-thumb, browsers do not care about the file extension of the URL (except IE, which uses it as an input into its sniffing algorithm). In the case of the foo.foo file, the reason it renders in plaintext when you navigate to it is that my server declares the MIME type to be "Content-Type: text/plain"; if it instead specified, for instance, "text/html" the content would be treated as HTML and embedded script would run. > the browser prompts me to download via a > saveas file selection pop-up window This generally is not the case. Do you have the non-default setting "Ask where to save each file before downloading" in chrome://settings/search#downloading enabled? If not, it's also possible that you're encountering a quirk of the ALLOW_ON_USER_GESTURE behavior for some file types, whereby sites you visit regularly can download the type without notice while those you do not get an extra prompt. If the .foo file were moved to the same server as the .DCT file, you would likely see identical behavior. >For instance, local file/share access, >NetNTLM cred transfers, various protocol >handlers that only 'pop' when/if loaded locally, etc., etc. You may find that the level of granted permission is lower than you expect thanks to the handling of same-origin-policy for File:// resources in Chrome. I'm not aware of any mechanism in Chrome for a protocol handler to limit itself to only launching via the File protocol, but I'd be interested to hear which do. >dictionary file with malicious payloads so long as it's >stored/runs within the browser's sandbox. To be clear here, no matter how you open the .DCT file (via a local file:// URI or via a HTTP url) the file always loads within the browser's sandbox.
,
Sep 14 2016
Hi, Not sure why your tone is so aggressive here. I am only trying to patiently explain this to you. You have misunderstood a number of things I tried to explain, so I will try better to explain them. I will try to tackle them one at a time, but I feel as though I am now defending myself, which is not only poor posture to feel given the circumstances; but defending petty side facets in my follow-up comments that are widely known, accepted, practiced in the industry. Firstly, I should mention that I placed the foo.foo file on my server, and as expected and as with any other file, the saveas dialogue box pops up (as per my settings in Chrome). That without a doubt, this behaviour with the .foo file is different that with the .dct file. You wrote, "I'm not aware of any mechanism in Chrome for a protocol handler to limit itself to only launching via the File protocol, but I'd be interested to hear which do." Okay, what? With all due respect, your comment(s) are indicative of your confusion. What I was referring to was not protocol handlers that limit themselves to those launched via the File protocol....as I'm not even sure what that is or if it's possible. So you're saying something like: "File://PHandler://foobar". Regardless, this is not what I wrote. I wrote that some protocol handlers often have limitations based on their origin and/or their use can not be instantiated or act unless from a local origin. Plus, this taken from my list of ways that JavaScript running from a local file has different privileges than those remotely, and has no real relevancy to the issue I reported. You wrote: "You may find that the level of granted permission is lower than you expect thanks to the handling of same-origin-policy for File:// resources". EXACTLY, I AGREE! Which is my point when I say that Javascript executing from this local origin is dangerous. You wrote: "I'd like to understand your claim "ii" that an attacker can "Load that file". By what means is an attacker able to load the downloaded file?" Are you kidding me? This should really be triaged by someone who knows how to load a local file via JavaScript. In fact, that's a great Google query for those who don't know "How to load a local file using JavaScript. You wrote: "To be clear here, no matter how you open the .DCT file (via a local file:// URI or via a HTTP url) the file always loads within the browser's sandbox." You have clearly misunderstood this attack and some concepts required to understand the report. When the browser loads a .dct file via specified in a Get-Dictionary Response Header, the browser stores this in it's sandboxed file architecture (virtual file system); which is night and day different that storing it in the users' download directory. And this was only mentioned in the discussion at the end of the report and has no real bearing on the issue. It doesn't matter how the files are marked as 'download', whether it was through MIME, http headers, content sniffing or otherwise, what matters is the behaviour or vector in which they are downloaded. But that's beside the point, again. (I don't feel Chrome's behavior with regard to downloads of uncommon file types is subtle or confusing, maybe this should be triaged to someone who doesn't find them confusing.) Please don't attack me with snooty commentary just because you don't understand something. Humility is how anyone learns. Respectfully, HM
,
Sep 14 2016
I apologize if you find my tone aggressive in any way-- I'm curious to understand your report. I'm asking questions because I'm concerned that there are missing details. Perhaps someone else will have a look and clarify whether they see something that I do not. > (as per my settings in Chrome) Can you clarify which setting do you have set that results in a prompt for downloading a "foo" file but not a "dct" file? By default, I do not receive prompts before either file downloads. If I enable the "Always ask where" setting, I receive prompts for both file downloads. > knows how to load a local file via JavaScript. Would you mind humoring me with a repro page that runs on a web server on the Internet and opens a local file via JavaScript without a user specifically selecting the local file via an INPUT TYPE=FILE? This would be an interesting vulnerability. > I wrote that some protocol handlers often have limitations > based on their origin and/or their use can not be instantiated > or act unless from a local origin. Would you mind humoring me with an example? In IE, this is possible for Asynchronous Pluggable protocols (see https://blogs.msdn.microsoft.com/ieinternals/2011/07/13/understanding-protocols/) but I'm not aware of any mechanism to achieve that in Chrome. The *only* exception of which I'm aware is that a HTML document loaded via file:// may use file:// for its subdownloads. This is, as you noted, somewhat interesting because it potentially results in the transmission of NTLM hashes. >> "You may find that the level of granted permission >> is lower than you expect thanks to the handling of >> same-origin-policy for File:// resources". > EXACTLY, I AGREE! Which is my point when I say that Javascript > executing from this local origin is dangerous. My point is that, in Chrome (unlike IE) the Same-Origin-Policy is *more* restrictive for file:// loaded resources. In Chrome, the origin for file://-loaded resources is unique, blocking access to other files. An attacker running JavaScript from a file://-served HTML file in Chrome has "broken into jail."
,
Oct 21 2016
+cc: mmenke@, rdsmith@ -- based on some other discussions, I gather that you guys know about SDCH file behavior and handling in Chrome. If I'm wrong, please accept my apologies and feel free to unsubscribe. elawrence@ -- Thanks for the initial triage. wildbugs2secureharbors@gmail.com: Thanks for reporting this issue. I apologize for the confusion in this comments. To be able to triage this issue better, can you please: 1. Confirm that a .DCT file is not opened by a web browser by default? My research suggests that it double-clicking it typically opens CAD software or Microsoft FoxPro. 2. Share a PoC that demonstrates that running JavaScript locally is dangerous. Lack of a PoC is an important part of being eligible for the bounty. I'd also like to clarify that automatic download of the file isn't considered dangerous by itself. For a download to be considered dangerous, it should be launchable with little or no user action, and must harm the user in a demonstrable way.
,
Oct 21 2016
This doesn't really seem to have anything to do with SDCH. This is the default behavior when navigating to a MIME type that we don't know how to display. Unless receiving an SDCH Content-Type for a download indicates somehow it's more likely to be malicious than the exact same file with a binary/octet-stream MIME type, I don't think there's any problem here, at least as far as SDCH is concerned?
,
Oct 25 2016
Thanks mmenke@ I'm marking this bug as WontFix for now. Please re-open it if you have more information or answers to my questions in #c9. Thanks.
,
Feb 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
,
Mar 10 2017
This wasn't actually a security bug, and wasn't restricted before. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Sep 11 2016