potentially malicious files are downloaded without asking

RESOLVED DUPLICATE of bug 1239094

Status

()

defect
--
critical
RESOLVED DUPLICATE of bug 1239094
2 years ago
2 years ago

People

(Reporter: narendrathehacker, Unassigned)

Tracking

unspecified
All
Android
Points:
---

Firefox Tracking Flags

(fennec+)

Details

Attachments

(2 attachments)

572 bytes, application/x-php
Details
6.74 MB, video/mp4
Details
Reporter

Description

2 years ago
Posted file rip.php
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170201174907

Steps to reproduce:

Hi
Mozilla Team

I got a serious issue on mozila 51.0.3 stable and newer version also (Not check beta and others because i am not your official beta tester

Any malicious android app (apk file) can be downloaded on any device without user interaction

mozilla Version: my Current exploit working version 51.0.3 
Operating System: Android 

Steps to reproduce
Host the attached rip.php on a working php server 
Put your malicious app APk file in the same directory renamed as facebook.apk
now when the victim vists the site 
malicious file will be downloaded as out.apk
or you can set any name from out.apk to anything in the "rip.php" file

You will see the file is getting download without any user interaction


Impact :-
This attack can used to spread malicious payloads and infected binaries
Any malicous android app apk file can be forced to download 

that apk can cause malicious functions



Actual results:

Mozila browser is forced to download tha file 
this requires interaction from user
Apk File gets start downloading without any prompting/warning to user




Expected results:

When downloading any file the user should get a prompt/warning before downloading any thing from the web.
Reporter

Updated

2 years ago
Severity: normal → critical
OS: Unspecified → Android
Reporter

Comment 1

2 years ago
(In reply to narendrathehacker from comment #0)
> Created attachment 8839890 [details]
> rip.php
> 
> User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101
> Firefox/51.0
> Build ID: 20170201174907
> 
> 
> Hi
> Mozilla Team
> 
> I got a serious issue on mozila 51.0.3 stable and newer version also (Not
> check beta and others because i am not your official beta tester
> 
> Any malicious android app (apk file) can be downloaded on any device without
> user interaction
> 
> mozilla Version: my Current exploit working version 51.0.3 
> Operating System: Android 
> 
> Steps to reproduce
> Host the attached rip.php on a working php server 
> Put your malicious app APk file in the same directory renamed as facebook.apk
> now when the victim vists the site 
> malicious file will be downloaded as out.apk
> or you can set any name from out.apk to anything in the "rip.php" file
> 
> You will see the file is getting download without any user interaction
> 
> 
> Impact :-
> This attack can used to spread malicious payloads and infected binaries
> Any malicous android app apk file can be forced to download 
> 
> that apk can cause malicious functions
> 
> 
> 
> Actual results:
> 
> Mozila browser is forced to download that malicious file 
> this requires no interaction from user
> Apk File gets start downloading without any prompting/warning to user
> 
> 
> 
> 
> Expected results:
> 
> When downloading any file the user should get a prompt/warning before
> downloading any thing from the web.
Flags: needinfo?(s.kaspari)
We will download the file, but should not launch it without user interaction. see bug 690252
Reporter

Comment 3

2 years ago
I reported this issue for demonstrating "How I Can Download files witohout interaction via Mozilla Android"

Any malicious apk or file can be downloaded without prompting to user and no interaction required from user like click or tap or save or download button.
 
This demonstration shows How any apk or executable binary file can be downloaded forcefully to any android phone(Downloaded Directly to "Downloads" directory of android phone)


Thanks For reply
Thanks for the reply 
Looking for further assistance if doubt or query occured on this report
I am not disputing your claim. The bug I mentioned in comment 2 created this behavior. Thus it is highly relevant.
(In reply to narendrathehacker from comment #0)
> When downloading any file the user should get a prompt/warning before
> downloading any thing from the web.

On desktop we start downloading right away to save the user time while we ask them whether they want it saved or not. If they don't we stop the download and delete the file. This seems like a fair trade-off on a high-bandwidth desktop, but might be a terrible idea for a bandwidth-constrained mobile device. (then again, a malicious browser page can suck your bandwidth in the background without you noticing as long as they can keep you interested in that page.)

There are usability vs spoofability tradeoffs here.

Kevin: is the browser.helperApps.neverAsk.saveToDisk pref still used? On my Fennec it's an empty string which I thought meant (per bug 690252) I should get asked for everything before actually saving the file. Unless the user has previously said "don't ask for this type any more".

This is known behavior so we don't need to hide it while we think about whether the defaults are still appropriate.
Group: firefox-core-security
Flags: needinfo?(kbrosnan)
Summary: Download bypass → potentially malicious files are downloaded without asking
Reporter

Comment 6

2 years ago
Any updates on this ??
Reporter

Updated

2 years ago
Hardware: Unspecified → All
I don't know. Sebastian is the best person to look at this. He is traveling last I knew.
Flags: needinfo?(kbrosnan)
Just to clarify: Are the headers you explicitly set in your test case important? I saw that you set Content-Type and Content-Disposition twice. Is this triggering any behavior that is different to the normal download behavior?
tracking-fennec: --- → ?
Flags: needinfo?(s.kaspari)
Reporter

Comment 9

2 years ago
Yes these two headers(Content-Type and Content-Disposition) are responsible for this producing this bug/issue

they confuses the browser 

This attack is something like HPP(HTTP Paraameter Pollution) 
I like to call it as HTTP Header Pollution Attack (HHP)

I think mozilla browser is confused between two "Content-Disposition" headers
First one is 
          Content-Disposition: attachment; filename=out.pdf
which is used for pdf files , browser thinks the file is a PDF format file 

But due to second header
          Content-Disposition: attachment; filename=out.apk
which is used for APk format file this header forces the browser to download/use it as out.apk

In this scenerio the browser thinks the served file from server is a PDF file so it allows downloading of content.(Browser allowed PDF files to be downloaded without any restriction/prompt/warning)And it allows the file.  
But actually the served file from server is an APk file on this time the browser allows it like a PDF file. So the file gets downloaded without any restriction.
Reporter

Comment 10

2 years ago
Update : Only one "Content-Disposition: attachment" header is enough to reproduce this issue/bug
Reporter

Comment 11

2 years ago
<?php
$file = 'facebook.apk';
header('Content-Type: application/octet-stream');
header('Content-Description: File Transfer');
header('Content-Disposition: inline; filename=facebook.apk');
header('Connection: Keep-Alive');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit();
?>
Reporter

Comment 12

2 years ago
Are you able to reproduce ??
Reporter

Comment 13

2 years ago
Please confirm or traige it.

Comment 14

2 years ago
I can reproduce.  I turned on browser.safebrowsing.downloads.enabled to true (just in case)
then went and downloaded an EICAR test file
https://en.wikipedia.org/wiki/EICAR_test_file
http://www.eicar.org/85-0-Download.html

It's just a tiny test file that contains a certain string of characters.  All major antivirus programs out there will detect EICAR test files as malicious simply to prove they work.
I don't see a security issue here, as downloading a file to the disk should not cause any problems directly. I suppose there could be secondary effects is something is scanning downloaded files in the background.

We could revisit whether we want automatic downloads to happen.
Status: UNCONFIRMED → RESOLVED
tracking-fennec: ? → +
Closed: 2 years ago
Flags: needinfo?(timdream)
Resolution: --- → WONTFIX
Reporter

Comment 16

2 years ago
This is an android issue not a desktop browser issue
Files can be downloaded without any interaction from users to the storage of device
This is an issue of safe browsing
I am not sure why I was ni'd.

A lot of browsers (especially desktop) download stuff w/o asking and only prompt the user when the user wants to run it. We can revisit the design if we really want to.
Flags: needinfo?(timdream)
Reporter

Updated

2 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---
Reporter

Comment 18

2 years ago
You can see a warning before downloading any file like  this file may harm your device in chrome,opera and other browsers
Reporter

Comment 19

2 years ago
Posted video firefoxpoc.mp4
video poc
Reporter

Comment 20

2 years ago
you made this report public 
are you serious about security of firefox users ??
This behavior is easily discoverable it does not require any specific code and requires a non-trival amount of user interaction to install the apk. By default Android devices are set not to accept apk files from outside Google Play.
Reporter

Comment 22

2 years ago
not only apk any file can be downloaded without users interaction no matter how much size and impact(malicious)
Is this behavior observed on Chrome and other browsers?
Agree with comment 21 that the Android system protects the users from unknown sources (by default unknown sources will be rejected) so unless the download files can harm the user's device just by downloading it, most regular users are protected by the system already.
(In reply to giveitatry from comment #18)
> You can see a warning before downloading any file like  this file may harm
> your device in chrome,opera and other browsers

FYI: This is bug 936041 and was disabled in bug 1241566 (until bug 1239094 is fixed).
Reporter

Comment 25

2 years ago
(In reply to Joe Cheng [:jcheng] (please needinfo) from comment #23)
> Is this behavior observed on Chrome and other browsers?
> Agree with comment 21 that the Android system protects the users from
> unknown sources (by default unknown sources will be rejected) so unless the
> download files can harm the user's device just by downloading it, most
> regular users are protected by the system already.

Yes im able to bypass download protection on chrome
Reporter

Comment 26

2 years ago
Any doubts on this ??
You are able to install an APK outside the Play Store on a phone with Android's security setting "unknown sources" set to off? 

Bypassing the malicious download warning on Google Chrome is not interesting. It provides a way for people to get at incorrectly blocked files.
Reporter

Comment 28

2 years ago
suppose you stored a apk file from a legitimate source downloaded to downloads directory 
But if attacker saves malicious apk of the same app you downloaded before with another name in that directory
Mostly peoples does'nt remember about their app package name so they just check the icon shown in file manager
and installed them  

Thats why google gives a scope in their vrp bounty program
Reporter

Comment 29

2 years ago
Is it enough ???
I wonder how much does a prompt warning help to avoid such risk.
Prompt or not is more of a UX issue rather than security one, IMO.

Bug 1239094 together with Bug 936041 should help.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1239094
Reporter

Comment 31

2 years ago
This should not be closed as duplicate that earlier reported issue is explaining how a warning should be shown while downloading malicious 

But I reported that the apk or any file can be downloaded without any interaction on user android device

Have a look on my video poc what im demonstrating before closing as duplicate (which is not resolved)
and what you are understanding
think from a attaker's view
Reporter

Comment 32

2 years ago
(In reply to Wesley Huang [:wesley_huang] (EPM) (NI me) from comment #30)
> I wonder how much does a prompt warning help to avoid such risk.
> Prompt or not is more of a UX issue rather than security one, IMO.
> 
> Bug 1239094 together with Bug 936041 should help.

This should not be closed as duplicate that earlier reported issue is explaining how a warning should be shown while downloading malicious 

But I reported that the apk or any file can be downloaded without any interaction on user android device

Have a look on my video poc what im demonstrating before closing as duplicate (which is not resolved)
and what you are understanding
think from a attaker's view
You need to log in before you can comment on or make changes to this bug.