
Issue 851528

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


Participants' hotlists:
Hotlist-1



Security: SettingContent-ms extension bypasses 'dangerous file' prompt leading to WebExt RCE

Reported by greencar...@hotmail.com, Jun 11

Issue description


VULNERABILITY DETAILS
SettingContent-ms is a new Windows 10 extension that can be used to execute arbitrary local files with parameters.

VERSION
Chrome Version: latest stable
Operating System: Windows 10

REPRODUCTION CASE
Download attached SettingContent-ms file, or install attached extension for RCE.

Please CC enigma0x3@gmail.com; he found the file and wrote about it an hour ago, and I just so happened to stumble upon it and connected the dots.

Attachments:
download.openRCE.rar (1.4 KB)
test.SettingContent-ms (749 bytes)
P.S. This bypasses Mark of the Web: despite there being an alternate data stream clearly marking the file as coming from the internet, it still does not display any warning prior to execution.
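As an added example, not code from this issue or from Chromium: a small model of the two checks the report touches, an extension-based "dangerous file" policy of the kind Chrome keeps in its download file-type list, and a parser for the Zone.Identifier alternate data stream (Mark of the Web) the reporter mentions. The policy table, the sample Zone.Identifier text and the handling of unknown extensions are assumptions made for the example.

```python
# Added example (not Chromium code): an extension-based "dangerous file"
# policy like Chrome's download file-type list plus a Zone.Identifier parser.
from typing import Dict, Optional, Tuple

# Constructed policy table: extension -> (danger level, send Safe Browsing ping).
# Only the settingcontent-ms entry reflects the issue; the others are assumptions.
FILE_TYPE_POLICY: Dict[str, Tuple[str, bool]] = {
    "settingcontent-ms": ("DANGEROUS", True),
    "exe": ("DANGEROUS", True),
    "txt": ("NOT_DANGEROUS", False),
}

def file_extension(filename: str) -> str:
    """Lower-cased text after the last dot of the base name, '' if none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def parse_zone_identifier(stream: Optional[str]) -> Dict[str, str]:
    """Return the [ZoneTransfer] keys of a Zone.Identifier ADS ({} if absent)."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in (stream or "").splitlines():
        line = raw.strip()
        if line.startswith("["):          # section header, e.g. [ZoneTransfer]
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def evaluate_download(filename: str, zone_identifier: Optional[str] = None) -> Dict[str, object]:
    """Warn purely from the extension list, as the browser prompt does; the Mark
    of the Web (ZoneId 3 = Internet, 4 = Restricted) is reported only as context."""
    ext = file_extension(filename)
    level, ping = FILE_TYPE_POLICY.get(ext, ("UNKNOWN", False))  # unknown: assumed no prompt
    motw = parse_zone_identifier(zone_identifier)
    zone_id = motw.get("ZoneId", "")
    from_internet = zone_id.isdigit() and int(zone_id) >= 3
    return {"extension": ext, "danger_level": level, "warn": level == "DANGEROUS",
            "send_ping": ping, "from_internet": from_internet,
            "host_url": motw.get("HostUrl")}
```

The point the report makes shows up in the model: a .SettingContent-ms download is only flagged if its extension is in the policy table, regardless of what the Zone.Identifier stream says.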
Cc: asanka@chromium.org enigma...@gmail.com jialiul@chromium.org
Components: UI>Browser>Downloads Services>Safebrowsing
Labels: M-68 Security_Impact-Beta Security_Severity-Low OS-Windows Pri-2
Owner: vakh@chromium.org
Status: Assigned (was: Unconfirmed)
I'm sure you can get arbitrary code execution with just the stuff that's installed by default on Windows. So, definitely want this on the dangerous list. Thanks for the report! vakh, you want this one?
Status: Started (was: Assigned)
This looks like the original report: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

Thanks for reporting it to us!
Comment 5 by bugdroid1@chromium.org (Project Member), Jun 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d

commit 2825a8e860b1d2f14d187be5fdf6b8e1f479e81d
Author: Varun Khaneja <vakh@chromium.org>
Date: Tue Jun 12 05:32:44 2018

Send pings when users download .settingcontent-ms files

Bug: 851528
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I950fe0b3241d1cff134957929f76eb3f1fb8b483
Reviewed-on: https://chromium-review.googlesource.com/1096342
Commit-Queue: Varun Khaneja <vakh@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Reviewed-by: Jialiu Lin <jialiul@chromium.org>
Cr-Commit-Position: refs/heads/master@{#566328}
[modify] https://crrev.com/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d/chrome/browser/resources/safe_browsing/download_file_types.asciipb
[modify] https://crrev.com/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d/components/download/internal/common/download_stats.cc
[modify] https://crrev.com/2825a8e860b1d2f14d187be5fdf6b8e1f479e81d/tools/metrics/histograms/enums.xml

Issue 851860 has been merged into this issue.
Issue 851801 has been merged into this issue.
Status: Fixed (was: Started)
Comment 9 by sheriffbot@chromium.org (Project Member), Jun 16

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Components: -Services>Safebrowsing Services>Safebrowsing>VRP
Labels: -Type-Bug-Security Type-Bug
Labels: reward-0
Labels: -reward-topanel
Comment 14 by sheriffbot@chromium.org (Project Member), Sep 22

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
