Issue 771469


Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 2
Type: Bug

Download Protection Bypass: additional Microsoft Visio file-formats should get a Full Ping

Reported by bjornbjo...@gmail.com, Oct 4 2017

Issue description

VERSION

Chromium Version: Version 61.0.3163.79 (Official Build)

Operating System: Ubuntu 16.04.3 LTS 64-bit


REPRODUCTION CASE

In Ubuntu, LibreOffice is the default program for .vsd, .vst and .vss files. Ubuntu treats .vsdx, .vsdm, .vssx, .vssm, .vstx, .vstm as file archives [they actually are zip files], so it is possible to bypass a Full Ping by compressing .vsd, .vst, .vss files to zip and renaming the .zip filename extension to .vsdx, .vsdm, .vssx, .vssm, .vstx or .vstm.


If LibreOffice is installed on win7, it becomes the default program for .vsd, .vdx, .vsdx and .vsdm. It is possible to rename the filename extension of a .vsd file to .vdx, .vsdx or .vsdm and bypass a Full Ping.


Since the MS Visio filename extensions .vsd, .vst, .vss and .vsw are getting a Full Ping, the newer MS Visio file-formats [.vdx, .vtx, .vsx and .vsdx, .vsdm, .vssx, .vssm, .vstx, .vstm] should probably get a Full Ping as well.
.vsdm, .vssm and .vstm files can store VB macros. The free program Microsoft Visio 2016 Viewer uses IE and ActiveX to open .vsd, .vsdx, .vsdm, .vst, .vstx, .vstm, .vss, .vssx, .vssm files.

I'm attaching my test files.

Attachments:
VisioTest (1).vsd (42.0 KB)
VisioTest (1).vsdx (23.6 KB)
VisioTest (1) (3rd copy).vsdm (23.6 KB)
VisioTest (1) (4th copy).vssx (23.6 KB)
VisioTest (1) (5th copy).vssm (23.6 KB)
VisioTest (1) (6th copy).vstx (23.6 KB)
VisioTest (1) (copy).vstm (23.6 KB)
VisioTest (1) (copy).vdx (42.0 KB)
VisioTest (1) (copy).vsx (42.0 KB)
VisioTest (1) (copy).vtx (42.0 KB)
Labels: OS-Linux OS-Windows Pri-2
Owner: nparker@chromium.org
Status: Assigned (was: Unconfirmed)
So it looks like
  .v[d,s,t]x and .vs[d,s,t][x,m]
are similar in functionality to the orig
  .vs[d,s,t] that we currently ping on.

I'm not too concerned about the VB Macros, since that's already an issue for .docx etc, and we can start pinging for those only if we detect (via other means) that a significant number of them are indeed malicious.  This is a balance of privacy vs speed of protection.

I don't know why we ping on the old Visio format.

But... Ubuntu treating .vsdx as a zip (I repro'd this) is an issue since it allows any dangerous type to be cloaked in a .vsdx on Ubuntu.  So I think we should uncompress them as zips to look for bad files, and ping if there are any.

So my plan is to track all of these types, but not yet ping on them.
I think the old Visio format gets a ping because the most likely program people use to open it is the free MS Visio Viewer [unless they own MS Visio], which uses IE to open the files.
Pretty much every file format that uses IE to open as default program gets a ping, e.g. .website, .url, .svg, .partial, .xrm-ms, .rels, .xls ..., even if IE is not the default browser.

.vs[d,s,t][x,m] are all treated as archives in Ubuntu.
[After discussion offline w/ vakh@, we decided we should ping on all of these and unpack them as zips]
Labels: SafeBrowsing-Triaged
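The decision above (ping on the new Visio types, and unpack the OOXML-style ones as zips to look for pinged types hidden inside) can be checked against the reporter's two bypasses with a small sniffer. The following is an added example and not Chromium's download-protection code; the extension sets are an assumption modelled on this thread rather than a copy of download_file_types.asciipb, and the helper names (inspect_download, sniff_container, nested_pinged_members) are hypothetical. It classifies a download by magic bytes independent of its name, flags a .vsdx whose bytes are not a zip (the rename case), and lists the members of any zip to catch a .vsd archived under a .vsdx name (the Ubuntu archive case).

```python
import io
import zipfile

# Assumption modelled on this thread, not Chromium's real list: the legacy
# Visio types the report says already get a Full Ping, plus the XML and OOXML
# types the fix commit added.
FULL_PING_EXTENSIONS = {
    "vsd", "vst", "vss", "vsw",      # legacy Visio binary formats
    "vdx", "vsx", "vtx",             # Visio XML formats
    "vsdx", "vssx", "vstx",          # Visio OOXML packages (zip containers)
    "vsdm", "vssm", "vstm",          # macro-enabled OOXML packages
}
# OOXML-style types whose bytes are expected to be a zip archive.
ZIP_CONTAINER_EXTENSIONS = {"vsdx", "vssx", "vstx", "vsdm", "vssm", "vstm"}

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .vsd/.doc/.xls container


def extension_of(filename):
    """Lower-case final extension of a path, or '' if there is none."""
    base = filename.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def sniff_container(data):
    """Classify content by its leading bytes, ignoring the declared name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "other"


def nested_pinged_members(data):
    """Return zip members whose own extension is on the full-ping list.

    Only the central directory is read; nothing is extracted, so a large or
    deeply nested archive costs no more than listing its entries.
    Raises zipfile.BadZipFile if the data is not a readable archive.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m for m in zf.namelist() if extension_of(m) in FULL_PING_EXTENSIONS]


def inspect_download(filename, data):
    """Decide whether a download should get a Full Ping, and say why."""
    ext = extension_of(filename)
    kind = sniff_container(data)
    reasons = []

    if ext in FULL_PING_EXTENSIONS:
        reasons.append(f"extension .{ext} is on the full-ping list")

    # Rename case from the report: a .vsd renamed to .vsdx. The extension
    # promises an OOXML zip package but the bytes are something else.
    if ext in ZIP_CONTAINER_EXTENSIONS and kind != "zip":
        reasons.append(f".{ext} declared but content sniffs as {kind}")

    # Archive case from the report: a zip of .vsd files renamed to .vsdx.
    # Read the directory and ping if any member is itself a pinged type.
    if kind == "zip":
        try:
            for member in nested_pinged_members(data):
                reasons.append(f"archive member {member!r} is a pinged type")
        except zipfile.BadZipFile:
            reasons.append("zip header present but archive is unreadable")

    return {"extension": ext, "container": kind,
            "ping": bool(reasons), "reasons": reasons}


def _zip_bytes(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples mirroring the report's two bypasses plus controls.
    samples = {
        "cloaked.vsdx": _zip_bytes({"VisioTest.vsd": OLE2_MAGIC + b"\x00" * 64}),
        "renamed.vsdx": OLE2_MAGIC + b"\x00" * 64,
        "diagram.vsdx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                    "visio/document.xml": b"<VisioDocument/>"}),
        "notes.txt": b"plain text",
    }
    for name, data in samples.items():
        print(name, inspect_download(name, data))
```

The sniff runs before any extension lookup on purpose: the whole point of both bypasses is that the declared name and the real container disagree, so a check that trusts the name alone is exactly the check being evaded. The reasons list is kept so that telemetry can distinguish "pinged because of the extension" from "pinged because of what the archive contained", which is the data the thread says would justify pinging on macro-capable types later.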

Comment 5 by bugdroid1@chromium.org, Oct 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8add59a69da35f2cc0c3585fa44cac696a3d003c

commit 8add59a69da35f2cc0c3585fa44cac696a3d003c
Author: Nathan Parker <nparker@chromium.org>
Date: Fri Oct 27 23:07:31 2017

Add a number of new download_file_types, and some enums we were missing.

Add btapp, btbtskin, btkey, btinstasll, btsearch,
    dhtml, dhtm, dht, shtml, shtm, sht, vdx, vsx,
    vtx, vsdx, vssx, vstx, vsdm, vssm, vstm.

Fix up enums that weren't correct before, and remove some platform_settings
that are set to the defaults anyway.

Bug: 771469, 767502, 762702
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I4114c35e3f1a56a067f9b61bb54bfe3a8a801531
Reviewed-on: https://chromium-review.googlesource.com/736161
Commit-Queue: Nathan Parker <nparker@chromium.org>
Reviewed-by: Luke Z <lpz@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512338}
[modify] https://crrev.com/8add59a69da35f2cc0c3585fa44cac696a3d003c/chrome/browser/resources/safe_browsing/download_file_types.asciipb
[modify] https://crrev.com/8add59a69da35f2cc0c3585fa44cac696a3d003c/content/browser/download/download_stats.cc
[modify] https://crrev.com/8add59a69da35f2cc0c3585fa44cac696a3d003c/tools/metrics/histograms/enums.xml

Status: Fixed (was: Assigned)
Pushed via component update.

Comment 7 by sheriffbot@chromium.org, Nov 2 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 8 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
