[Blog post here: https://wwws.nightwatchcybersecurity.com/2018/02/26/multiple-instances-of-download-protection-bypass-in-googles-chrome/]
SUMMARY We have found several instances of files bypassing the download protection offered by Google’s Chrome browser. All of these have been reported to the vendor, and whichever were accepted by the vendor were fixed in Chrome M51 and M52. BACKGROUND The Chrome and Chromium browsers are an open-source based web browser offered by Google. Among it’s features it includes a safety feature that detects unsafe downloads to protect the user. This feature works in multiple ways but is controlled via a file in Chrome’s source code (“download_file_types.asciipb”) which defines several options based on what the file extension of the downloaded files are: - Platform/OS - What kind of warning to show the user - Whether this file type is an archive - Whether the file can be opened automatically by clicking on it in the download area - Whether a ping get sent back to Google for every download of this type (FULL), some downloads (SAMPLED) or not sent at all. This checksum check is used to check against a server-side blacklist of known bad files. The Chrome Rewards bug bounty program includes a separate section covering download bypass that was added in March of 2016. To be eligible, it needs to be on a supported platform (MacOS or Windows), be dangerous by being clicked and not send a full ping back to Google. In December of 2016, the scope of this was changed to only include file extensions already in the source code for Chrome. As part of our testing in scope of this program, we tested all file extensions that are included in a default on MacOS v10.11 (El Capitan) and Windows 2012 R2 / 7 Enterprise. This advisory lists all of the bypasses that we located, reported to the vendor, and the status of whether they were accepted and fixed, or rejected. Most of these were reported prior to the scope change in December 2016, and included patches whenever feasible. DETAILS The following extensions were reported but were rejected as being out of scope and were not fixed: - ChromeOS: APK - Linux: AFM, PFA, TIF - MacOS: APP, CONFIGPROFILE, DFONT, ICC, INTERNETCONNECT, MOBILECONFIG, NETWORKCONNECT, OTF, PREFPANE, PROVISIONPROFILE, QTZ, SAFARIEXTZ, SAVER, TTF, WEBBOOKMARK, WEBLOC - Windows: CAMP, CDMP, DESKTHEMEPACK, DIAGCAB, DIAGPKG, GMMP, ICC, IMESX, MOV, MSU, OTF, PFB, PFM, PRF, RAT, QDS, QT, RDP, SEARCH-MS, THEMEPACK, THEMES, TTC, TTF, WCX The following extensions were reported, confirmed to be dangerous and fixed, all on MacOS (the underlying issue has been described in a separate post). - AS, CDR, CPGZ, DART, DC42, DISKCOPY42, DMGPART, DVDR, IMG, IMGPART, ISO, MPKG, NDIF, PAX, SMI, SPARSEBUNDLE, SPARSEIMAGE, TOAST, UDIF, XIP These issues were fixed in Chrome M51 and M52. REFERENCES - Chrome Bug Reports (rejected): 671382, 671385, 624224, 596342, 605386, 601255, 601250, 600910, 600615, 600609, 600606, 600601, 600597, 600592, 600590, 600587, 600581, 599880 - Chrome Bug Reports (fixed): 596354, 600613, 600907, 600908 BOUNTY INFORMATION The issues that were fixed qualified for the Chrome Rewards security bounty program and a bounty has been paid. CREDITS Advisory written by Yakov Shafranovich. TIMELINE SUMMARY 2016-03-20: First report submitted 2016-03 to 2016-12: multiple other reports submitted, and fixed applied 2016-12-06: Last report submitted 2018-02-26: Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/