Information Assurance

Justin Kondos



Information Assurance

Bugtraq Analysis

Using Blended Browser Threats involving Chrome to steal files on your computer.

original article


What the problem is:

Google Chrome has a built-in file downloader, just like every other browser. However, unlike most browsers, which show a "Save As" dialog before downloading file attachments, Chrome automatically downloads a file from any site when the response carries the Content-Disposition header value "attachment" and the file does not have a potentially malicious extension such as .exe, .htm, .jar, etc. The vulnerability arises from the fact that other extensions such as .svg, .mht and .mhtml, which are not in Chrome's malicious-extension blacklist, can cause harm as well. If these downloaded files are clicked from Chrome's download bar or from Windows Explorer, they are automatically opened in other browsers and can be used to steal any file on the user's computer. The name "Blended Browser Threats" comes from the fact that Google Chrome is only the vehicle for the attack, whereas the real vulnerability executes inside other browsers, such as IE6 or Safari, on your computer. Even if you are not using IE6 or Safari, clicking a particular file in Chrome's download bar can make it open automatically in IE6 or Safari, thus leaving you vulnerable to attack.

What could have prevented it:

Proper checking of file extensions and not allowing the automatic download of attachments could have prevented attacks such as these.

What can be done to work around it:

You can configure your Chrome browser to prompt you explicitly before downloading any file type. This can be done by going to Chrome Configuration Options -> Under the Hood and checking the 'Ask where to save each file before downloading' flag.

What can be done to prevent future occurrences:

The Google Chrome Team fixed this vulnerability by appending the dangerous extensions such as .mht, .mhtml, .svg, etc. to the already existing extension blacklist.

Also, configure your browser not to auto-download attachment files.
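As an added illustration (this is not Chrome's code, and both extension lists are constructed for the example, not Chrome's real lists), here is a small Python model of the download decision described above: it shows why the extensions missing from the blacklist matter, what the fix changes, and how the 'Ask where to save' workaround forces a prompt regardless of the list.

```python
import re

# Hypothetical model of a browser's auto-download decision (added example, not Chrome's code).
# The extension sets below are constructed for illustration and are not Chrome's actual lists.
BASE_BLACKLIST = {".exe", ".htm", ".html", ".jar", ".bat", ".cmd", ".scr"}
# The fix described on the page: also treat the extensions that other installed
# handlers (e.g. IE6 or Safari) would open as active content as dangerous.
FIXED_BLACKLIST = BASE_BLACKLIST | {".svg", ".mht", ".mhtml"}

_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;]*))', re.IGNORECASE)

def attachment_filename(content_disposition):
    """Return the filename if the header marks the response as an attachment, else None."""
    if not content_disposition:
        return None
    disp_type, _, params = content_disposition.partition(";")
    if disp_type.strip().lower() != "attachment":
        return None
    m = _FILENAME_RE.search(params)
    if not m:
        return None
    name = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    # Keep only the last path component so a server cannot steer the save location.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "trap.svg. " still opens as .svg.
    return name.rstrip(". ")

def effective_extension(filename):
    """Lower-cased final extension; double extensions count by their last part ("a.pdf.svg" -> ".svg")."""
    base, dot, ext = filename.rpartition(".")
    return ("." + ext.lower()) if dot and base else ""

def download_decision(content_disposition, blacklist, ask_before_download=False):
    """'prompt' if the user must confirm, 'auto' if saved silently, 'ignore' if not an attachment."""
    name = attachment_filename(content_disposition)
    if name is None:
        return "ignore"
    if ask_before_download:  # the workaround on the page: always ask where to save
        return "prompt"
    return "prompt" if effective_extension(name) in blacklist else "auto"
```

With the base list an attachment named holiday.svg is saved silently, while the fixed list (or the ask-before-download setting) makes the browser prompt first.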

Follow the IEEE Definitions - IEEE defines standard floating point exceptions, and a good coder should account for all possible listed exceptions

Notes:

I chose this error because there have been several mobile phone vulnerabilities that could have been prevented with input checking. Especially on mobile phones, where space and battery are severely limited, programmers try to cut code and processes.

A similar error occurred in July: when a user clicked on a URL with a character length greater than 4063 characters, the LunaSysMgr crashed. It looks like a reboot, but the LunaSysMgr service is stopping and starting via a segfault. Code execution during this time was possible, which is a critical vulnerability: the machine is remotely and locally exploitable.

Sources:

Bugtraq Report

SecureThoughts.com Report