Re: Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

[<lists () acrossecurity com>]

Hi Haifei,

FYI, something similar was presented in 2012:

http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html

Thanks,
Mitja 

> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On
Behalf Of
> Haifei Li
> Sent: Saturday, October 03, 2015 1:43 AM
> To: fulldisclosure () seclists org
> Subject: [FD] Watch your Downloads: the risk of the "auto-download"
feature
> on Microsoft Edge and Google Chrome
>
>
>
>
>
>
>
> This is a copied version of my blog post, original version
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-
> auto.html.Probably it's commonly known that when you try to download
> something on your modern browser e.g. Google Chrome or Microsoft Edge, the
> file will be downloaded automatically to your local system with just a
simple
> clicking - no need for additional confirmations. With default settings,
the file will
> be downloaded to your "Downloads" folder
> ("C:\Users\<username>\Downloads").
> Personally, I have worried about this feature quite some times, now I
finally got
> some time on highlighting this. (Please tell me if there's someone already
talked
> about this, I quickly googled around and wasn't able to find an
appropriate one,
> I think it should be known by many ppl).
>
> The "auto-download" feature is good from "user experience" perspective,
but
> obviously it's not good for security, as the downloading could also be
started by
> Javascript (<iframe src="url">). The attacker may just place a malicious
DLL with
> a specific name into the "Downloads" folder when the victim visits a
webpage
> he/she controls. In future, when the victim tries to download/install good
> programs (executables) from legitimate websites - of course, the good
> executable will be downloaded, and will be launched from the "Downloads"
> folder as well - then the installation/execution progress could be
hijacked.
> This is because that in the real world, most executables replying dlls.
Anyway,
> the "application directory" is the very first place in the search order
when
> searching/loading for a dll (yoy may want to check this paper I released
years
> ago). So, probably, most of dlls even the system dlls could be hijacked
when you
> place a same-named dll in the executable's directory, and that's not for
the
> situation that the searching dll is not in anywhere of your system.
>
> Usually, the "Downloads" folder is a place with massive downloaded files,
so the
> victim probably never get a change to realize there is a malicious DLL
sitting in
> his/her "Downloads" folder. I'd also doubt that even a normal user notices
a
> strange dll in his/her "Downloads" folder, does he/she will really delete
it
> immediately? DLLs won't be executed by themselves anyway, right?
>
> Anyway, in the real world, for most people, who really check their
"Downloads"
> folder every time when they try to install something from internet?
Instead,
> most people just click the "Run" button directly when installing something
(see
> following figure).
>
>
>
>
> I have quickly made a video showing this risk. The test environment is
Windows
> 10 Pro, with Microsoft Edge and Google Chrome, fully updated as of Oct
2nd,
> 2015, all with default settings. Check it out here.
>
>
> As you may have noted, a modified "VERSION.DLL" will be dropped into the
> "Downloads" folder when visiting the webpage
> https://dl.dropboxusercontent.com/u/14747595/auto_download_test/test.html
> . Then, when the user tries to install Adobe Reader from the official
adobe.com
> website, the installation process of Adobe Reader will be hijacked - the
modified
> "VERSION.DLL" will be loaded and my shellcode will be executed.
>
> There's one small thing, the code execution should be run out of the
browser
> sandbox, but unluckily the tested shellcode I copied from internet runs
calc.exe,
> and because there's no calc.exe anymore on Windows 10, what you've seen
it's
> just a Calculator App which runs within the App Container sandbox. Other
> shellcode, for example, running notepad.exe, will be run out of the App
> Container sandbox and give the attacker control of your system.
> #BringTheLovelyCalcBackMicrosoft!
>
> Also note that with default setting, the Microsoft Edge will promote a
warning
> dialog saying the DLL is dangerous, offering the user an option to delete
the file.
> But:
> 1) Anyway, the DLL has been already dropped into the "Downloads" folder,
if the
> user chooses not to delete the file or just do nothing, future execution
will still
> be hijacked.2) I also guess this Microsoft Edge warning could be bypassed
if the
> DLL is a signed DLL, but I don't have a certificate to test.
> On Google Chrome, as you have seen, there's no warning at all.
> Thanks,Haifei
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/