Bypass Download Protection Mechanism in Chrome Browser
Reported by
uty...@gmail.com,
Nov 29 2016
Issue description

This template is ONLY for reporting Download Protection Bypass bugs within Chrome and is not for requesting a review of sites or binaries identified as malicious.

VERSION
Chrome Version: 54.0.2840.99 m
Operating System: Windows 10 Home Version 1607 OS Build 14393.447 64-bit Operating System

REPRODUCTION CASE
Please include a demonstration of the Download Protection / Safe Browsing bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

1. I browsed to the FileZilla website and clicked the button to download the file: https://download.filezilla-project.org/client/FileZilla_3.22.2.2_win64-setup_bundled2.exe
2. After the file downloaded, the browser notified me that "This type of file can harm your computer. Do you want to keep filename.exe anyway?" (attached screenshot), then I clicked on the Keep button.
3. I discovered that if I add (9) to the end of the file's name, it will bypass the security mechanism. I discovered that any number after 5 will bypass the mechanism (attached screenshot of the new and old file).
4. I uploaded the new file with (9) at the end of the file's name to a web server (attached screenshot).
5. I browsed via the Chrome browser to the URL of the executable file and the file downloaded successfully without any notification (attached screenshot).

As a result, I bypassed the security mechanism. For more information feel free to contact me.

Best Regards,
Vladi Sandler
utya18@gmail.com
,
Nov 29 2016
Tagging with current canary milestone. Please change if needed.
,
Nov 30 2016
,
Nov 30 2016
Hi,

I tried to reproduce again and it is working. I successfully bypassed the security mechanism by downloading the FileZilla_3.22.2.2_win64-setup_bundled2 (9).exe file. Please just follow my steps in the PoC. If you want I can do a video PoC.

In addition, attached is a screenshot of my browser's security configuration. The "Protect you and your device from dangerous sites" mode is enabled.

Best Regards,
Vladi Sandler
,
Dec 1 2016
Thanks for reporting back. The thing is that I can't reproduce the warning on the original link that you posted: https://download.filezilla-project.org/client/FileZilla_3.22.2.2_win64-setup_bundled2.exe

Let me summarize my understanding:

0. You have "Protect you and your device from dangerous sites". This has already been established based on your screenshot.
1. You get a warning when you download https://download.filezilla-project.org/client/FileZilla_3.22.2.2_win64-setup_bundled2.exe
2. But then you placed that same file on your server with a different name: "FileZilla_3.22.2.2_win64-setup_bundled2 (9).exe"
3. When you download the same file "FileZilla_3.22.2.2_win64-setup_bundled2 (9).exe" from your own web server, you do not get a warning from Chrome.

So, can you please do the following for me:

1. You should not get any warning for https://download.filezilla-project.org/client/FileZilla_3.22.2.2_win64-setup_bundled2.exe -- can you retry downloading that?
2. If you still get that warning, is there a public URL that I can use to download "FileZilla_3.22.2.2_win64-setup_bundled2 (9).exe" from your webserver?
,
Dec 3 2016
Thinking out loud: I wonder if the download ping to SafeBrowsing is failing for some file-lengths, or maybe the protobuf in the report is exceeding a size limit...

Or maybe some of the variability of behavior is due to ".exe" having danger_level=ALLOW_ON_USER_GESTURE for Windows, which means it won't warn if you've visited that site yesterday or before.

utya16: In addition to what vakh requested, can you also, 1) restart Chrome, 2) reproduce the issue once, 3) copy the text of chrome://histograms/SBClientDownload into a file and attach it here? Thanks.

I'll mark this "available" so we can have one more try at repro'ing it.
,
Dec 16 2016
,
Dec 16 2016
,
Dec 21 2016
utya18@, are you still experiencing the same problem? Could you do what #5 and #6 suggested?
,
Jan 13 2017
Please re-open if you are still experiencing this.
,
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
,
Apr 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org
, Nov 29 2016