Hi Haifei,

FYI, something similar was presented in 2012:
http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html

Thanks,
Mitja

> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Haifei Li
> Sent: Saturday, October 03, 2015 1:43 AM
> To: fulldisclosure@seclists.org
> Subject: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
>
> This is a copied version of my blog post, original version
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
>
> Probably it's commonly known that when you try to download something in your modern browser, e.g. Google Chrome or Microsoft Edge, the file will be downloaded automatically to your local system with just a simple click - no need for additional confirmations. With default settings, the file will be downloaded to your "Downloads" folder ("C:\Users\<username>\Downloads").
> Personally, I have worried about this feature quite a few times; now I finally got some time to highlight this. (Please tell me if someone has already talked about this; I quickly googled around and wasn't able to find an appropriate one, I think it should be known by many people.)
>
> The "auto-download" feature is good from a "user experience" perspective, but obviously it's not good for security, as the download could also be started by JavaScript (<iframe src="url">). The attacker may just place a malicious DLL with a specific name into the "Downloads" folder when the victim visits a webpage he/she controls. In future, when the victim tries to download/install good programs (executables) from legitimate websites - of course, the good executable will be downloaded, and will be launched from the "Downloads" folder as well - then the installation/execution process could be hijacked.
>
> This is because, in the real world, most executables rely on DLLs. Anyway, the "application directory" is the very first place in the search order when searching/loading a DLL (you may want to check this paper I released years ago). So, probably, most DLLs, even system DLLs, could be hijacked when you place a same-named DLL in the executable's directory, and that's not limited to the situation where the DLL being searched for isn't anywhere on your system.
>
> Usually, the "Downloads" folder is a place with a massive number of downloaded files, so the victim probably never gets a chance to realize there is a malicious DLL sitting in his/her "Downloads" folder. I'd also doubt that, even if a normal user notices a strange DLL in his/her "Downloads" folder, will he/she really delete it immediately? DLLs won't be executed by themselves anyway, right?
>
> Anyway, in the real world, for most people, who really checks their "Downloads" folder every time they try to install something from the internet? Instead, most people just click the "Run" button directly when installing something (see following figure).
>
> I have quickly made a video showing this risk. The test environment is Windows 10 Pro, with Microsoft Edge and Google Chrome, fully updated as of Oct 2nd, 2015, all with default settings. Check it out here.
>
> As you may have noted, a modified "VERSION.DLL" will be dropped into the "Downloads" folder when visiting the webpage
> https://dl.dropboxusercontent.com/u/14747595/auto_download_test/test.html .
> Then, when the user tries to install Adobe Reader from the official adobe.com website, the installation process of Adobe Reader will be hijacked - the modified "VERSION.DLL" will be loaded and my shellcode will be executed.
>
> There's one small thing: the code execution should run outside the browser sandbox, but unluckily the tested shellcode I copied from the internet runs calc.exe, and because there's no calc.exe anymore on Windows 10, what you've seen is just a Calculator App which runs within the App Container sandbox. Other shellcode, for example running notepad.exe, will run outside the App Container sandbox and give the attacker control of your system.
> #BringTheLovelyCalcBackMicrosoft!
>
> Also note that with default settings, Microsoft Edge will prompt a warning dialog saying the DLL is dangerous, offering the user an option to delete the file.
>
> But:
> 1) Anyway, the DLL has already been dropped into the "Downloads" folder; if the user chooses not to delete the file or just does nothing, future execution will still be hijacked.
> 2) I also guess this Microsoft Edge warning could be bypassed if the DLL is a signed DLL, but I don't have a certificate to test.
> On Google Chrome, as you have seen, there's no warning at all.
>
> Thanks,
> Haifei
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
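Added example (not part of Haifei's post or Mitja's reply): a hygiene check for the planting scenario the thread describes. Because the loader searches the directory the executable was launched from before the system directories, any DLL already sitting in "Downloads" is a hijack candidate for the next installer the user runs from there, whether or not a DLL of that name also ships in System32. The script walks a downloads tree, groups files per folder (the "application directory" is the folder of the EXE, so a DLL in a subfolder only matters for executables in that same subfolder), and reports every DLL with the executables already beside it. The folder layout in demo(), the file names in it (VERSION.DLL is taken from the post; reader_installer.exe and helper.dll are made up) and the extension lists are constructed here for illustration.

```python
"""Downloads-folder DLL planting check (added example, not from the original post)."""
import os
import tempfile
from dataclasses import dataclass, field

# Extensions a user would double-click from Downloads, and the library type the
# loader resolves from the application directory first.  Both lists are an
# assumption of this example; extend them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}
LIBRARY_EXTS = {".dll"}


@dataclass
class FolderFinding:
    folder: str
    dlls: list = field(default_factory=list)
    executables: list = field(default_factory=list)

    @property
    def armed(self) -> bool:
        """A DLL is already beside at least one executable in this folder."""
        return bool(self.dlls) and bool(self.executables)


def scan_downloads(root: str) -> list:
    """Return one FolderFinding per directory under root that contains a DLL.

    Folders without a DLL are not reported: there is nothing for a later
    download to pick up.  Folders with a DLL but no EXE are still reported,
    because the next installer saved there will be launched beside it.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        finding = FolderFinding(folder=dirpath)
        for name in sorted(files):
            # Windows file names are case-insensitive, so compare lower-cased.
            ext = os.path.splitext(name)[1].lower()
            if ext in LIBRARY_EXTS:
                finding.dlls.append(name)
            elif ext in EXECUTABLE_EXTS:
                finding.executables.append(name)
        if finding.dlls:
            findings.append(finding)
    return findings


def demo() -> list:
    """Build a constructed Downloads tree mirroring the post's scenario and scan it."""
    root = tempfile.mkdtemp(prefix="downloads_")
    layout = {
        "": ["VERSION.DLL", "reader_installer.exe", "invoice.pdf"],  # planted + installer
        "old": ["helper.dll"],     # DLL waiting for the next EXE saved here
        "docs": ["report.docx"],   # nothing to report
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"placeholder")  # contents are irrelevant for this check
    return scan_downloads(root)


if __name__ == "__main__":
    for f in demo():
        state = "ARMED" if f.armed else "waiting"
        print(f"{state}: {f.folder}: dlls={f.dlls} executables={f.executables}")
```

Run it against the real folder with scan_downloads(os.path.expanduser("~/Downloads")); the sensible response to any finding is to delete the DLL, or at least never launch an installer from a folder that contains one. Note that the check is deliberately name-agnostic: because the application directory wins the search regardless of the DLL's name, a whitelist of "known dangerous" names would miss the next target.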