2015年10月2日星期五

Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

Probably it's commonly known that when you try to download something on your modern browser e.g. Google Chrome or Microsoft Edge, the file will be downloaded automatically to your local system with just a simple clicking - no need for additional confirmations. With default settings, the file will be downloaded to your "Downloads" folder ("C:\Users\<username>\Downloads").

Personally, I have worried about this feature quite some times, now I finally got some time on highlighting the risk for the public. (Please tell me if there's someone already talked about this, I quickly googled around and wasn’t able to find an appropriate one, I think it should be known by many ppl).

The "auto-download" feature is good from “user experience” perspective, but obviously it's not good for security, as the downloading could also be started by Javascript (<iframe src="url">). The attacker may just place a malicious DLL with a specific name into the "Downloads" folder when the victim visits a webpage he/she controls. In future, when the victim tries to download/install good programs (executables) from legitimate websites - of course, the good executable will be downloaded, and will be launched from the "Downloads" folder as well - then the installation/execution progress could be hijacked.

This is because that in the real world, most executables rely on dlls. The "application directory" is the very first place in the search order when searching/loading for a dll (you may want to check this paper I released years ago). So, probably, most of dlls even the system dlls could be hijacked when you place a same-named dll in the executable’s directory, and that's not for the situation that the searched dll doesn't exist anywhere on the system.

Usually, the "Downloads" folder is a place with massive downloaded files, so the victim probably never get a change to realize there is a malicious DLL sitting in his/her "Downloads" folder. I’d also doubt that even if a normal user notices a strange dll sitting in his/her "Downloads" folder, will he/she really delete it immediately? People may think that DLLs won’t be executed by themselves anyway, right?

Anyway, in the real world, for most people, who really check their "Downloads" folder every time when they try to install something from internet? Instead, most people just click the "Run" button directly when installing something (see following figure).



I have quickly made a video showing this risk. The test environment is Windows 10 Pro, with Microsoft Edge and Google Chrome, fully updated as of Oct 2nd, 2015, all with default settings. Check it out here.



As you may have noted, a modified “VERSION.DLL” will be dropped into the “Downloads” folder when visiting the webpage https://dl.dropboxusercontent.com/u/14747595/auto_download_test/test.html. Then, when the user tries to install Adobe Reader from the official adobe.com website, the installation process of Adobe Reader will be hijacked - the modified “VERSION.DLL” will be loaded and my shellcode will be executed.

There’s one small thing, the code execution should be run out of the browser sandbox, but unluckily the tested shellcode I copied from internet runs calc.exe, and because there’s no calc.exe anymore on Windows 10, what you’ve seen it’s just a Calculator App which runs within the App Container sandbox. Other shellcode, for example, running notepad.exe, will be run out of the App Container sandbox and give attacker the control of your system. #BringTheLovelyCalcBackMicrosoft!

Also note that with default setting, the Microsoft Edge will promote a warning dialog saying the DLL is dangerous, offering the user an option to delete the file.



But:

1) Anyway, the DLL has been already dropped into the "Downloads" folder, if the user chooses not to delete the file or just do nothing, future execution will still be hijacked.
2) I also guess this Microsoft Edge warning could be bypassed if the DLL is a signed DLL, but I don't have a certificate to test.

On Google Chrome, as you have seen, there's no warning at all.

[Updated on Oct 3rd, 2015 for Mitigations]
There's actually an option on Google Chrome (Settings => Show advanced settings => Ask where to save each file before downloading). As the name suggests, if you enable this, you will have a chance to check before every downloading. If you see some website asking you to download especially a DLL, you'd better DON'T ALLOW.

I haven't figured out a way for similar mitigation on Microsoft Edge, have pinged Microsoft, will updated if I find any.

Also please note that just changing the default "Downloads" folder to other folder does NOT mitigate this risk.

Thanks,
Haifei

20 条评论:

  1. Nice! I really enjoyed reading your post. Thanks for sharing and keep up the good work.

    Dell Notebook repairs & HP Laptop repairs



    回复删除
  2. Just call on Adobe Support (Toll Free +1-877-339-8403) For Adobe Flash Player Update, install, Download Or other technical issue. Get Online Technical Help by Our Experts.

    回复删除
  3. Call +1-877-339-8403 Adobe Support Phone number and Get Online Technical solution for Your All Adobe Products and Versions like Adobe Flash Player, Acrobat, Light Room, Illustrator etc.

    回复删除
  4. Hello! Very good article! You're a great expert! I am currently working on advertising management system for innovative advertising agencies.

    回复删除
  5. Adobe Flash Player Support Avails Customer Care Support Phone Number at 1-877-339-8403 and get Adobe Flash Player Technical Support Helpline Number for any issue.

    回复删除
  6. Contemporary watches with sophisticated simplicity. Here are options for watch, fashion watch, minimalist watch, sleek watch, men's watches, ladies' watch, cheap watch, CA, nice watch and dress watch.

    回复删除
  7. Nice information...you blog...
    Today, mostly people need Microsoft technical support to troubleshoot their Windows operating system problems. Because, most of people use Microsoft™ windows® product. Dial 1-800-723-4210 at windows tech support for Microsoft windows 10 support from online technical experts by 24/7


    Microsoft Tech Support

    回复删除
  8. Microsoft Windows XP Support, Microsoft Windows Vista Support, Microsoft Windows
    7 Support, Microsoft Windows 8 Support, Microsoft Windows 8.1 Support, Microsoft Windows 10 Support
    Microsoft Windows customer care

    回复删除
  9. I just got a product key from www.vanskeys.com. it worked perfectly. I'm so excited to share my experience here. their customer service is 1st class and I will definitely be recommending the site and I will be using the site again.

    回复删除
  10. Its very useful post for me, and hope this will be helpful for people in future. Thanks for share this. Get help for Dell Printer
    Dell Printer Support Number UK
    Dell Printer Contact Number UK

    回复删除
  11. Thank a lot for this post that was very interesting. Keep posting like those amazing posts, this is really awesome
    massive vst crack windows
    7RwCrack

    回复删除
  12. Accomplishing your daily works with the help of Adobe Application on your computer, but technical issue are still found in during its use, so you must talk to the technical experts at 0800-090-3220 to get an accurate solution. Adobe Helpline Number UK

    回复删除
  13. Thanks for sharing nice information with us. Call us at 0800-368-6133 Kaspersky Support Number UK and Kaspersky Helpline Number UK get quick and satisfied solution.

    回复删除
  14. Office 2016 Product Key

    In order to activate your Windows 10 key, you just need to get a product key from the site http://www.MsKeyHome.com/ . It's the legal copy and you will experience a good after-sale service. The site not only provides product key for Windows 10 key, but also windows 8 and so on. If you have any technical problem, you also can contact the service department online. Don't worry. Any such problem, just contact them and you will get support.

    Office 2016 Product Key

    回复删除
  15. Amazing, Such a very useful blog. Here we provide superb quality antivirus service. When technical issues occurred on Norton antivirus, no need to take tension and contact with expert technicians they will help you in resolving all sorts of technical issues. Dial 0808-238-7544 Norton Support Number UK and get instant help.

    回复删除
  16. Nice post I really like it. Call us at Adobe Help Number UK and Adobe Support Number UK to get quick and satisfy solution.

    回复删除