Issue 692086

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: ----
Type: Bug




Download Protection Bypass in chrome android app

Reported by narendra...@gmail.com, Feb 14 2017

Issue description


VERSION
Chrome Version: my current working version 49.0.2623.91 + [stable (checked), beta (not checked), or dev (I'm not in the dev group)]
Operating System: Android

REPRODUCTION CASE
Host the attached rip.php on a working PHP server.
Put your malicious app renamed as facebook.apk.
Now when the victim visits the site,
facebook.apk will be downloaded as out.apk,
or you can set any name from out.apk to anything.

You will see the file is getting downloaded.
 
Attachment: rip.php (572 bytes)
Any changes such as filename can be made in rip.php for exploitation

I found that it is also working on Chromium 56.0.2924.87 build browser apps.


Thanks
The rip.php and facebook.apk should be present in the same directory.
Tested on Android 5.1 ARM.
Labels: OS-Android
This seems to be an android issue.
Yes Sir,
This is an Android issue.
Any updates on this ???

Comment 7 by vakh@chromium.org, Feb 18 2017

Status: WontFix (was: Unconfirmed)
Thanks for reporting the issue. It seems like a WontFix (intended behavior) to me so please correct my interpretation of the report.

Are you trying to report that any APK can be downloaded with a different name (out.apk) than the filename (facebook.apk) on the server?
How's that more insecure from the case that the server serving the APK being downloaded with the different name itself? That is, the server stores it as facebook.apk and serves it with that same name?

Also, Android restricts the installation of malicious APKs at install time, not during the download.
No, I am not trying to report that any APK can be downloaded with a different name (out.apk) than the filename (facebook.apk) on the server.

==================================================================================
I reported this issue for demonstrating "Chrome Download protection bypass on Android".

Any malicious apk or file can be downloaded without prompting the user, and no interaction is required from the user like a click or tap or a save or download button.

This demonstration shows how any apk or executable file can be downloaded forcefully to any Android phone (downloaded directly to the "Downloads" directory of the Android phone).

This bypasses the malicious apk or file warning prompt on the Chrome browser on Android when a user tries to download an apk or executable file from a site.
E.g.: attached x.png


Thanks for the reply 
Looking for further assistance if a doubt or query occurred on this report.

Cc: qin...@chromium.org
Components: UI>Browser>Downloads
Status: Available (was: WontFix)
Bypassing the APK warning seems like a bug.  Downloading without a user gesture is likely also a bug, though it depends on if there was another gesture that may be allowing it.  
The attacker just needs a webpage to host rip.php in any iframe or img HTML tag.
When the target user visits the page the malicious apk will start downloading,
and is downloaded to the "Downloads" directory of the target user's Android phone.


Thanks for the reply 
Looking for further assistance if a doubt or query occurred on this report.
 
I am wondering why .apk file can skip the safe browsing checking.
.apk is listed as a dangerous file type now, so the dangerous infobar should popup.
I noticed that there are 2 content-dispositions in the rip.php, one is pdf, the other is apk, may that be related?
YES

This attack is something like HPP (HTTP Parameter Pollution).
I like to call it an HTTP Header Pollution Attack (HHP).

It seems like the Chrome browser is confused between two "Content-Disposition" headers.
The first one is
          Content-Disposition: attachment; filename=out.pdf
which is used for PDF files; the Chrome browser thinks the file should be a PDF format file.

But due to the second header
          Content-Disposition: attachment; filename=out.apk
which is used for APK format files, this header forces the browser to download/use it as out.apk.

In this scenario Chrome thinks the served file from the server is a PDF file, so it allows downloading of the content (Chrome allowed PDF files to be downloaded without any restriction/prompt/warning). So Chrome satisfies the safe browsing check, and it allows the file.
But actually the served file from the server is an APK file; at this time Chrome allows it like a PDF file, so the file gets downloaded without any restriction.


Any chances for fix ??
 
Thanks for the reply 
Looking for further assistance if a doubt or query occurred on this report.

Are you able to reproduce ??
Owner: vakh@chromium.org
Varun, this sounds like a safe browsing issue. Please triage.

Sites can use multiple content-disposition headers to confuse chrome.
Any updates on this ??

Comment 16 by vakh@chromium.org, Feb 24 2017

Status: Started (was: Available)
Thanks again for reporting. I'm currently investigating this and will post updates soon.

Comment 17 by vakh@chromium.org, Feb 24 2017

Labels: SafeBrowsing-Triaged

Comment 18 Deleted

Comment 19 by vakh@chromium.org, Feb 24 2017

Cc: vakh@chromium.org
Owner: asanka@chromium.org
Status: Assigned (was: Started)
OK, I have been able to reproduce it and it seems like working as intended but I'll let asanka@ make that call since he is the author of (or most familiar with) that code.

Test site (temporary): http://104.196.247.192:9000/a.htm and http://104.196.247.192:9000/server.php

Observations:
- It seems to be unrelated to the headers. I was able to repro it without adding confusing headers.
- This behavior doesn't reproduce if you need to click on the link to get the PHP file. If you open a.htm linked above and then click on server.php, the prompt for APK is shown.
- This behavior does reproduce if you type the path to the APK in the omnibar directly and hit enter. For example, go directly to: http://104.196.247.192:9000/server.php or even http://104.196.247.192:9000/facebook.apk

Here's the code that makes that decision:
https://cs.chromium.org/chromium/src/chrome/browser/download/download_target_determiner.cc?sq=package:chromium&l=897

Notice the comment: "we consider a download to be legitimate if... The user navigated to the download URL via the omnibox (either by typing the URL, pasting it, or using search)."

Comment 20 by vakh@chromium.org, Feb 24 2017

To be explicit, this is the condition that triggers the silent download:
(download_->GetTransitionType() &
        ui::PAGE_TRANSITION_FROM_ADDRESS_BAR)


(true when URL is typed directly in the omnibar)

Comment 21 by vakh@chromium.org, Feb 24 2017

Taking the server down. asanka@ -- please ping me if you need to use it and I'll bring it back up.
Status: WontFix (was: Assigned)
This is WAI. We don't prompt for downloads where the user has typed or copied and pasted a URL into the address bar. The explicit user action involved in downloading such files is taken to be indicative of the user expecting the download. In that case, putting up a "this file might be harmful" warning isn't likely to be useful.

Just host the attached poc.php file on a working PHP server
Put facebook.apk and poc.php in same folder 
Now navigate google chrome to that directory like http://localhost/PoC/
Click/tap on poc.php from that index page of that directory

File Download protection bypassed

File starts downloading 

That POC.php is also used in IFRAME html tag to exploit


If you can not understand this or can not reproduce this, I will make a video on this exploitation

This attack is working on the latest Chrome browser available on the Play Store.

Just ping me for any help or query 
Attachment: poc.php (575 bytes)
edit comment 23 
That POC.php can be used in invisible IFRAME html tag on a webpage to exploit
On desktop we start downloading right away to save the user time while the browser asks them whether they want it saved or not. If they don't, the browser should stop the download and delete the file. This seems like a fair trade-off on a high-bandwidth desktop.
This might be a terrible idea for a bandwidth-constrained mobile device. (Then again, a malicious browser page can suck your bandwidth in the background without you noticing as long as they can keep you interested in that page.)
Only one header, header('Content-Disposition: inline; filename=facebook.apk');
is enough to reproduce this issue.
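Taking the two header patterns discussed in this thread together (the duplicated Content-Disposition headers in the first rip.php, and the single inline; filename=facebook.apk header in the comment above), here is an added check, not part of the bug report or of Chromium, that a download gateway or a log reviewer could run over raw response headers to flag the ambiguity. The dangerous-extension list and the expected Content-Types are assumptions, and the sample responses are constructed from the headers quoted on this page.

```python
from typing import List, Tuple

# Assumption (local policy): extensions treated as dangerous, and the
# Content-Types a well-formed server would send for each of them.
DANGEROUS = {"apk": ("application/vnd.android.package-archive", "application/octet-stream")}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response header block into (name, value); duplicates kept in order."""
    pairs = []
    for line in raw.split("\r\n"):
        if line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def disposition_filename(value: str) -> str:
    """Return the filename parameter of a Content-Disposition value, or ''."""
    for param in value.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.strip().lower() == "filename":
            return val.strip().strip('"')
    return ""


def audit_download_headers(raw: str) -> List[str]:
    """List the reasons a response's download headers are ambiguous or mismatched."""
    headers = parse_headers(raw)
    dispositions = [v for n, v in headers if n == "content-disposition"]
    ctype = next((v for n, v in headers if n == "content-type"), "").split(";")[0].lower()
    findings = []
    if len(dispositions) > 1:  # the "header pollution" pattern from the first PoC
        names = sorted({disposition_filename(d) for d in dispositions} - {""})
        findings.append(f"{len(dispositions)} Content-Disposition headers, filenames={names}")
    for disp in dispositions:
        name = disposition_filename(disp)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in DANGEROUS:
            continue
        if disp.split(";")[0].strip().lower() == "inline":  # pattern from the later PoC
            findings.append(f"inline disposition for {name}")
        if ctype not in DANGEROUS[ext]:
            findings.append(f"Content-Type {ctype!r} does not match {name}")
    return findings


# Constructed sample responses modelled on the headers quoted in this thread.
TWO_DISPOSITIONS = ("HTTP/1.1 200 OK\r\nContent-Type: application/no-thing-here\r\n"
                    "Content-Disposition: attachment; filename=out.pdf\r\n"
                    "Content-Disposition: attachment; filename=out.apk\r\n\r\n")
INLINE_APK = ("HTTP/1.1 200 OK\r\nContent-Type: application/no-thing-here\r\n"
              "Content-Disposition: inline; filename=facebook.apk\r\n\r\n")
```

Running audit_download_headers over either sample returns two findings, while a response that sends a single attachment disposition with the matching APK Content-Type returns none.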
Video POC


Attachment: protection bypass chrome.mp4 (4.3 MB)
click.html and rip.php are inside the attached .7z file.

Unpack this .7z file in the public folder of your PHP web server.

To reproduce, follow the same steps as in the video PoC.
Attachment: chrome_poc.7z (643 bytes)

Comment 29 by vakh@chromium.org, Mar 3 2017

Cc: asanka@chromium.org
Owner: vakh@chromium.org
Status: Unconfirmed (was: WontFix)
Moving back to myself to investigate further.
You closed it as WontFix 2 times.
Please clarify for me: are you able to understand my PoC and report???

Comment 31 by vakh@chromium.org, Mar 3 2017

Cc: nparker@chromium.org
narendrathehacker@gmail.com: I am also the one who reopened it (WontFix to Unconfirmed) for further investigation :)

PSA: I won't be able to get to this before Monday.

Comment 32 by vakh@chromium.org, Mar 7 2017

Labels: Needs-Feedback
Thanks for sharing the video and the new PoC.
Your video clearly demonstrates that this happens but I am unable to reproduce it even with the new PoC.
Take a look at what I get in the attachment.

Please note that I am using the latest Stable version of Chrome (56.0.2924.87) on Android but you reported this on 49.*, which is very old.

Would it be possible for you to:
1. Try this on latest version of Chrome for Android and see if it reproduces?
2. Share the URL to your PHP server? Perhaps I am doing something wrong in running the server.
Attachment: UnableToRepro.png (140 KB)
I am using the recently updated Chrome browser for Android,
updated on Feb 1 2017.

Have a look at the attached video PoC.

I am using a XAMPP server on my Ubuntu 16.04 Linux distro.

At the time of reporting I was using the 49.* version, but now I'm on the latest version.
Comment 35 by sheriffbot@chromium.org, Mar 8 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "vakh@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
XAMPP SERVER DETAILS :-
PHP version PHP/5.5.6 
Apache/2.4.7 (Unix) OpenSSL/1.0.1e PHP/5.5.6 mod_perl/2.0.8-dev Perl/v5.16.3 

Comment 37 by vakh@chromium.org, Mar 9 2017

Labels: Needs-Feedback
I'm sorry but I am still unable to reproduce this locally. I have tried it with: "PHP 5.6.30-0+deb8u1" as well as "PHP 5.5.9-1ubuntu4.21"

The videos you shared are helpful in proving that it happens so thanks for sharing them, but I can't make any further progress with the information I have so I request you to share a link to a server that allows me to try this out and reproduce the problem.
In the absence of such a PoC, I'm afraid, there's nothing actionable for me.


Comment 38 by vakh@chromium.org, Mar 9 2017

Chrome versions tried: Chrome Canary for Android (59.0.3032.0), Chrome Dev for Android (58.0.3026.5), and Chrome Stable.
Did you try this on a LAN or in a private internal network with no port forwarding?
Because I'm able to do this on my wifi network.
Please give it a try.

Comment 40 by sheriffbot@chromium.org, Mar 9 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "vakh@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 41 by vakh@chromium.org, Mar 10 2017

Labels: -Restrict-View-Google Restrict-View-SecurityTeam
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
How I'm able to reproduce this issue:

First I create a wifi hotspot on my Android phone,
then connect my laptop to that wifi hotspot,
start and host the attached PoC files via the XAMPP server on my laptop.
Now I navigate through the server URL to the PoC files.

That's all.

Looking for further assistance if a doubt or query occurred on this report.


so are you able to reproduce now??
Any updates??
Labels: Needs-Feedback
narendrathehacker: Please provide a publicly reachable server that demonstrates this, since we can't repro it locally.  There may be something about your local environment that is causing it. If that's not possible, then we'll close WontFix since there's nothing to do.
rip.php
=====================
<?php
// Serves facebook.apk under an unrelated Content-Type, with an "inline"
// disposition naming the .apk file, so the response carries no APK media type.
$file = 'facebook.apk';
header('Content-Type: application/no-thing-here');
header('Content-Description: File Transfer');
header('Content-Disposition: inline; filename=facebook.apk');
header('Connection: Keep-Alive');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
?>

=============================================================
xframe.php

<a href="rip.php" onclick="test()">CLICK HERE FOR BYPASS</a>
<script>
// Replaces the page body once the link to rip.php has been followed.
function test(){
 document.write("<h1>BYPASSING FILE DOWNLOAD PROTECTION ON GOOGLE CHROME ANDROID</h1>");
 document.write("<h2>Check Downloads directory of your phone</h2>");
}
</script>

======================
frame.html

<html>
	<body>
		<!-- embeds xframe.php, so the click happens inside a frame -->
		<iframe src="xframe.php" height="800" width="800"></iframe>
	</body>
</html>

Save all these files in the same directory with a facebook.apk.

Visit frame.html,
now click on "CLICK HERE FOR BYPASS".

Finally Chrome will start downloading our facebook.apk.
I don't have any public server.
Please follow my above mentioned steps.



Regards
Narendra

Comment 49 by sheriffbot@chromium.org, Apr 5 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "nparker@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Unconfirmed)
I set up a public server and tried it (not PHP, but exactly the same headers), and couldn't repro -- I get the appropriate warning.
Android WebView is not pre-installed on every Android phone,
please first uninstall it
using the Play Store.
I am uploading files to a public server
and creating a video PoC also,
please wait.
Visit this link
https://debug-cloned-defender.c9users.io:8081/chrome/frame.html

click for bypass

Done
Attachment: 2017_04_06_18_06_07.mp4 (14.8 MB)

Comment 55 by sheriffbot@chromium.org, Jul 13 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 56 Deleted

Comment 57 Deleted

Comment 58 Deleted
