Message-ID: <CAAyEnSNVmoYDudDd36ctJbjF-UuKYTqGUuGvw=3KHNwUcME6QQ@mail.gmail.com>
Date: Mon, 26 Feb 2018 22:33:20 -0500
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Download Protection Bypass in Google’s Chrome (multiple)

[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/02/26/multiple-instances-of-download-protection-bypass-in-googles-chrome/]

SUMMARY

We have found several instances of files bypassing the download
protection offered by Google’s Chrome browser. All of these have been
reported to the vendor, and whichever were accepted by the vendor were
fixed in Chrome M51 and M52.

BACKGROUND

Chrome and Chromium are web browsers offered by Google, built on an
open-source code base. Among its features, Chrome includes a safety
feature that detects unsafe downloads to protect the user. This feature
works in multiple ways but is controlled via a file in Chrome’s source
code (“download_file_types.asciipb”), which defines several options
based on the file extension of the downloaded file:
- Platform/OS
- What kind of warning to show the user
- Whether this file type is an archive
- Whether the file can be opened automatically by clicking on it in
the download area
- Whether a ping gets sent back to Google for every download of this
type (FULL), for some downloads (SAMPLED), or not at all. This
checksum check is used to check against a server-side blacklist of
known bad files.
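
A coverage check of the kind described above, as an added example that is not part of the original advisory or of Chrome's code: it parses entries written in the style of download_file_types.asciipb and reports which click-to-open extensions on a host have no entry, no full ping, or no warning. The field names, the sample policy and the extension inventory are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of download_file_types.asciipb. Field names
# and values are assumptions; the settings shown are not Chromium's real ones.
SAMPLE_POLICY = '''
file_types { extension: "exe" ping_setting: FULL_PING
  platform_settings { platform: PLATFORM_WINDOWS
                      danger_level: ALLOW_ON_USER_GESTURE } }
file_types { extension: "zip" is_archive: true ping_setting: FULL_PING
  platform_settings { danger_level: NOT_DANGEROUS } }
file_types { extension: "iso" ping_setting: SAMPLED_PING
  platform_settings { platform: PLATFORM_MAC danger_level: NOT_DANGEROUS } }
'''

FIELD = re.compile(r'(\w+):\s*"?([\w.-]+)"?')

def parse_policy(text):
    """Map each extension to its top-level fields plus per-platform settings."""
    policy = {}
    for entry in text.split("file_types {")[1:]:
        head, *platforms = entry.split("platform_settings {")
        fields = dict(FIELD.findall(head))
        fields["platforms"] = [dict(FIELD.findall(p)) for p in platforms]
        policy[fields["extension"].lower()] = fields
    return policy

def audit(policy, handled_extensions):
    """Return {extension: [findings]} for extensions the OS opens on click."""
    report = {}
    for ext in sorted({e.lower().lstrip(".") for e in handled_extensions}):
        entry = policy.get(ext)
        if entry is None:
            report[ext] = ["no entry in policy"]
            continue
        findings = []
        ping = entry.get("ping_setting", "unset")
        if ping != "FULL_PING":
            findings.append("ping is %s, not FULL_PING" % ping)
        for p in entry["platforms"]:
            if p.get("danger_level") == "NOT_DANGEROUS":
                findings.append("no warning on %s" % p.get("platform", "any platform"))
        if findings:
            report[ext] = findings
    return report

if __name__ == "__main__":
    # Constructed inventory of extensions with a click-to-open handler on the host.
    handled = [".EXE", "iso", "rdp"]
    for ext, findings in audit(parse_policy(SAMPLE_POLICY), handled).items():
        print(ext, "->", "; ".join(findings))
```
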

The Chrome Rewards bug bounty program includes a separate section
covering download bypass that was added in March of 2016. To be
eligible, it needs to be on a supported platform (MacOS or Windows),
be dangerous by being clicked and not send a full ping back to Google.
In December of 2016, the scope of this was changed to only include
file extensions already in the source code for Chrome.

As part of our testing in scope of this program, we tested all file
extensions that are included by default on MacOS v10.11 (El Capitan)
and Windows 2012 R2 / 7 Enterprise. This advisory lists all of the
bypasses that we located, reported to the vendor, and the status of
whether they were accepted and fixed, or rejected. Most of these were
reported prior to the scope change in December 2016, and included
patches whenever feasible.

DETAILS

The following extensions were reported but were rejected as being out
of scope and were not fixed:
- ChromeOS: APK
- Linux: AFM, PFA, TIF
- MacOS: APP, CONFIGPROFILE, DFONT, ICC, INTERNETCONNECT,
MOBILECONFIG, NETWORKCONNECT, OTF, PREFPANE, PROVISIONPROFILE, QTZ,
SAFARIEXTZ, SAVER, TTF, WEBBOOKMARK, WEBLOC
- Windows: CAMP, CDMP, DESKTHEMEPACK, DIAGCAB, DIAGPKG, GMMP, ICC,
IMESX, MOV, MSU, OTF, PFB, PFM, PRF, RAT, QDS, QT, RDP, SEARCH-MS,
THEMEPACK, THEMES, TTC, TTF, WCX

The following extensions were reported, confirmed to be dangerous and
fixed, all on MacOS (the underlying issue has been described in a
separate post).
- AS, CDR, CPGZ, DART, DC42, DISKCOPY42, DMGPART, DVDR, IMG, IMGPART,
ISO, MPKG, NDIF, PAX, SMI, SPARSEBUNDLE, SPARSEIMAGE, TOAST, UDIF, XIP

These issues were fixed in Chrome M51 and M52.

REFERENCES

- Chrome Bug Reports (rejected): 671382, 671385, 624224, 596342,
605386, 601255, 601250, 600910, 600615, 600609, 600606, 600601,
600597, 600592, 600590, 600587, 600581, 599880
- Chrome Bug Reports (fixed): 596354, 600613, 600907, 600908

BOUNTY INFORMATION

The issues that were fixed qualified for the Chrome Rewards security
bounty program and a bounty has been paid.

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE SUMMARY

2016-03-20: First report submitted
2016-03 to 2016-12: multiple other reports submitted, and fixes applied
2016-12-06: Last report submitted
2018-02-26: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
