Re: Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

[Lee <curtlee2002 () gmail com>]

Haifei Li, changing the default behavior to open a window asking the
user where to save the file would change nothing.  A "normal user"
would just click the "save" button to save the file in the default
folder.  I also don't think it should be the browser's responsibility
to look for potential malicious DLLs in that directory.  This "normal
user" may not even use the browser to execute this executable file so
they never even see this warning.

If you really want to pursue this problem, I think the OS (MS Windows)
is where you should be looking for a solution.

MS Windows has an "Open File - Security Warning" window before
executing untrusted files.  Again, a "normal user" just clicks "Run"
on that window without reading the warning, but this could be expanded
to also warn about potential malicious DLLs.  Example Image:
http://i.imgur.com/3dxQJCB.png

As long as a "normal user" is given enough privileges to
destroy/infect/... their OS, they will continue to be careless.  You
will never be able to protect these people from themselves.

-Lee


On Fri, Oct 2, 2015 at 6:43 PM, Haifei Li <haifei-non-reply () outlook com> wrote:
> This is a copied version of my blog post, original version 
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.Probably it's commonly known that when 
> you try to download something on your modern browser e.g. Google Chrome or Microsoft Edge, the file will be 
> downloaded automatically to your local system with just a simple clicking - no need for additional confirmations. 
> With default settings, the file will be downloaded to your "Downloads" folder ("C:\Users\<username>\Downloads").
> Personally, I have worried about this feature quite some times, now I finally got some time on highlighting this. 
> (Please tell me if there's someone already talked about this, I quickly googled around and wasn’t able to find an 
> appropriate one, I think it should be known by many ppl).
>
> The "auto-download" feature is good from “user experience” perspective, but obviously it's not good for security, as 
> the downloading could also be started by Javascript (<iframe src="url">). The attacker may just place a malicious DLL 
> with a specific name into the "Downloads" folder when the victim visits a webpage he/she controls. In future, when 
> the victim tries to download/install good programs (executables) from legitimate websites - of course, the good 
> executable will be downloaded, and will be launched from the "Downloads" folder as well - then the 
> installation/execution progress could be hijacked.
>
> This is because that in the real world, most executables replying dlls. Anyway, the "application directory" is the 
> very first place in the search order when searching/loading for a dll (yoy may want to check this paper I released 
> years ago). So, probably, most of dlls even the system dlls could be hijacked when you place a same-named dll in the 
> executable’s directory, and that's not for the situation that the searching dll is not in anywhere of your system.
>
> Usually, the "Downloads" folder is a place with massive downloaded files, so the victim probably never get a change 
> to realize there is a malicious DLL sitting in his/her "Downloads" folder. I’d also doubt that even a normal user 
> notices a strange dll in his/her "Downloads" folder, does he/she will really delete it immediately? DLLs won’t be 
> executed by themselves anyway, right?
>
> Anyway, in the real world, for most people, who really check their "Downloads" folder every time when they try to 
> install something from internet? Instead, most people just click the "Run" button directly when installing something 
> (see following figure).
>
>
>
>
> I have quickly made a video showing this risk. The test environment is Windows 10 Pro, with Microsoft Edge and Google 
> Chrome, fully updated as of Oct 2nd, 2015, all with default settings. Check it out here.
>
>
> As you may have noted, a modified “VERSION.DLL” will be dropped into the “Downloads” folder when visiting the webpage 
> https://dl.dropboxusercontent.com/u/14747595/auto_download_test/test.html. Then, when the user tries to install Adobe 
> Reader from the official adobe.com website, the installation process of Adobe Reader will be hijacked - the modified 
> “VERSION.DLL” will be loaded and my shellcode will be executed.
>
> There’s one small thing, the code execution should be run out of the browser sandbox, but unluckily the tested 
> shellcode I copied from internet runs calc.exe, and because there’s no calc.exe anymore on Windows 10, what you’ve 
> seen it’s just a Calculator App which runs within the App Container sandbox. Other shellcode, for example, running 
> notepad.exe, will be run out of the App Container sandbox and give the attacker control of your system. 
> #BringTheLovelyCalcBackMicrosoft!
>
> Also note that with default setting, the Microsoft Edge will promote a warning dialog saying the DLL is dangerous, 
> offering the user an option to delete the file.
>
>
>
>
> But:
> 1) Anyway, the DLL has been already dropped into the "Downloads" folder, if the user chooses not to delete the file 
> or just do nothing, future execution will still be hijacked.2) I also guess this Microsoft Edge warning could be 
> bypassed if the DLL is a signed DLL, but I don't have a certificate to test.
> On Google Chrome, as you have seen, there's no warning at all.
> Thanks,Haifei
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/