[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
From: Haifei Li <haifei-non-reply@xxxxxxxxxxx>
Date: Fri, 2 Oct 2015 23:43:08 +0000






This is a copied version of my blog post, original version 
http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.Probably
 it's commonly known that when you try to download something on your modern 
browser e.g. Google Chrome or Microsoft Edge, the file will be downloaded 
automatically to your local system with just a simple clicking - no need for 
additional confirmations. With default settings, the file will be downloaded to 
your "Downloads" folder ("C:\Users\<username>\Downloads").
Personally, I have worried about this feature quite some times, now I finally 
got some time on highlighting this. (Please tell me if there's someone already 
talked about this, I quickly googled around and wasn’t able to find an 
appropriate one, I think it should be known by many ppl).

The "auto-download" feature is good from “user experience” perspective, but 
obviously it's not good for security, as the downloading could also be started 
by Javascript (<iframe src="url">). The attacker may just place a malicious DLL 
with a specific name into the "Downloads" folder when the victim visits a 
webpage he/she controls. In future, when the victim tries to download/install 
good programs (executables) from legitimate websites - of course, the good 
executable will be downloaded, and will be launched from the "Downloads" folder 
as well - then the installation/execution progress could be hijacked.

This is because that in the real world, most executables replying dlls. Anyway, 
the "application directory" is the very first place in the search order when 
searching/loading for a dll (yoy may want to check this paper I released years 
ago). So, probably, most of dlls even the system dlls could be hijacked when 
you place a same-named dll in the executable’s directory, and that's not for 
the situation that the searching dll is not in anywhere of your system.

Usually, the "Downloads" folder is a place with massive downloaded files, so 
the victim probably never get a change to realize there is a malicious DLL 
sitting in his/her "Downloads" folder. I’d also doubt that even a normal user 
notices a strange dll in his/her "Downloads" folder, does he/she will really 
delete it immediately? DLLs won’t be executed by themselves anyway, right?

Anyway, in the real world, for most people, who really check their "Downloads" 
folder every time when they try to install something from internet? Instead, 
most people just click the "Run" button directly when installing something (see 
following figure).




I have quickly made a video showing this risk. The test environment is Windows 
10 Pro, with Microsoft Edge and Google Chrome, fully updated as of Oct 2nd, 
2015, all with default settings. Check it out here.


As you may have noted, a modified “VERSION.DLL” will be dropped into the 
“Downloads” folder when visiting the webpage 
https://dl.dropboxusercontent.com/u/14747595/auto_download_test/test.html. 
Then, when the user tries to install Adobe Reader from the official adobe.com 
website, the installation process of Adobe Reader will be hijacked - the 
modified “VERSION.DLL” will be loaded and my shellcode will be executed.

There’s one small thing, the code execution should be run out of the browser 
sandbox, but unluckily the tested shellcode I copied from internet runs 
calc.exe, and because there’s no calc.exe anymore on Windows 10, what you’ve 
seen it’s just a Calculator App which runs within the App Container sandbox. 
Other shellcode, for example, running notepad.exe, will be run out of the App 
Container sandbox and give the attacker control of your system. 
#BringTheLovelyCalcBackMicrosoft!

Also note that with default setting, the Microsoft Edge will promote a warning 
dialog saying the DLL is dangerous, offering the user an option to delete the 
file.




But:
1) Anyway, the DLL has been already dropped into the "Downloads" folder, if the 
user chooses not to delete the file or just do nothing, future execution will 
still be hijacked.2) I also guess this Microsoft Edge warning could be bypassed 
if the DLL is a signed DLL, but I don't have a certificate to test.
On Google Chrome, as you have seen, there's no warning at all.
Thanks,Haifei

                                          

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
  - From: Lee
- Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
  - From: Stefan Kanthak
- Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
  - From: lists

Prev by Date: [FD] ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal
Next by Date: [FD] Qualys Security Advisory - OpenSMTPD Audit Report
Previous by thread: [FD] ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal
Next by thread: Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
Index(es):
- Date
- Thread