Closed
Bug 1341590
Opened 8 years ago
Closed 8 years ago
potentially malicious files are downloaded without asking
Categories
(Firefox for Android Graveyard :: Download Manager, defect)
Tracking
(fennec+)
RESOLVED
DUPLICATE
of bug 1239094
| Tracking | Status | |
|---|---|---|
| fennec | + | --- |
People
(Reporter: narendrathehacker, Unassigned)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170201174907
Steps to reproduce:
Hi
Mozilla Team
I got a serious issue on mozila 51.0.3 stable and newer version also (Not check beta and others because i am not your official beta tester
Any malicious android app (apk file) can be downloaded on any device without user interaction
mozilla Version: my Current exploit working version 51.0.3
Operating System: Android
Steps to reproduce
Host the attached rip.php on a working php server
Put your malicious app APk file in the same directory renamed as facebook.apk
now when the victim vists the site
malicious file will be downloaded as out.apk
or you can set any name from out.apk to anything in the "rip.php" file
You will see the file is getting download without any user interaction
Impact :-
This attack can used to spread malicious payloads and infected binaries
Any malicous android app apk file can be forced to download
that apk can cause malicious functions
Actual results:
Mozila browser is forced to download tha file
this requires interaction from user
Apk File gets start downloading without any prompting/warning to user
Expected results:
When downloading any file the user should get a prompt/warning before downloading any thing from the web.
|
Reporter | |
Updated•8 years ago
|
Severity: normal → critical
OS: Unspecified → Android
|
|
Reporter | |
Comment 1•8 years ago
|
||
(In reply to narendrathehacker from comment #0)
> Created attachment 8839890 [details]
> rip.php
>
> User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101
> Firefox/51.0
> Build ID: 20170201174907
>
>
> Hi
> Mozilla Team
>
> I got a serious issue on mozila 51.0.3 stable and newer version also (Not
> check beta and others because i am not your official beta tester
>
> Any malicious android app (apk file) can be downloaded on any device without
> user interaction
>
> mozilla Version: my Current exploit working version 51.0.3
> Operating System: Android
>
> Steps to reproduce
> Host the attached rip.php on a working php server
> Put your malicious app APk file in the same directory renamed as facebook.apk
> now when the victim vists the site
> malicious file will be downloaded as out.apk
> or you can set any name from out.apk to anything in the "rip.php" file
>
> You will see the file is getting download without any user interaction
>
>
> Impact :-
> This attack can used to spread malicious payloads and infected binaries
> Any malicous android app apk file can be forced to download
>
> that apk can cause malicious functions
>
>
>
> Actual results:
>
> Mozila browser is forced to download that malicious file
> this requires no interaction from user
> Apk File gets start downloading without any prompting/warning to user
>
>
>
>
> Expected results:
>
> When downloading any file the user should get a prompt/warning before
> downloading any thing from the web.
|
||
Updated•8 years ago
|
Flags: needinfo?(s.kaspari)
|
||
Comment 2•8 years ago
|
||
We will download the file, but should not launch it without user interaction. see bug 690252
|
|
Reporter | |
Comment 3•8 years ago
|
||
I reported this issue for demonstrating "How I Can Download files witohout interaction via Mozilla Android"
Any malicious apk or file can be downloaded without prompting to user and no interaction required from user like click or tap or save or download button.
This demonstration shows How any apk or executable binary file can be downloaded forcefully to any android phone(Downloaded Directly to "Downloads" directory of android phone)
Thanks For reply
Thanks for the reply
Looking for further assistance if doubt or query occured on this report
|
|
||
Comment 4•8 years ago
|
||
I am not disputing your claim. The bug I mentioned in comment 2 created this behavior. Thus it is highly relevant.
|
||
Comment 5•8 years ago
|
||
(In reply to narendrathehacker from comment #0)
> When downloading any file the user should get a prompt/warning before
> downloading any thing from the web.
On desktop we start downloading right away to save the user time while we ask them whether they want it saved or not. If they don't we stop the download and delete the file. This seems like a fair trade-off on a high-bandwidth desktop, but might be a terrible idea for a bandwidth-constrained mobile device. (then again, a malicious browser page can suck your bandwidth in the background without you noticing as long as they can keep you interested in that page.)
There are usability vs spoofability tradeoffs here.
Kevin: is the browser.helperApps.neverAsk.saveToDisk pref still used? On my Fennec it's an empty string which I thought meant (per bug 690252) I should get asked for everything before actually saving the file. Unless the user has previously said "don't ask for this type any more".
This is known behavior so we don't need to hide it while we think about whether the defaults are still appropriate.
Group: firefox-core-security
Flags: needinfo?(kbrosnan)
Summary: Download bypass → potentially malicious files are downloaded without asking
|
|
Reporter | |
Comment 6•8 years ago
|
||
Any updates on this ??
|
|
Reporter | |
Updated•8 years ago
|
Hardware: Unspecified → All
|
|
||
Comment 7•8 years ago
|
||
I don't know. Sebastian is the best person to look at this. He is traveling last I knew.
Flags: needinfo?(kbrosnan)
|
|
||
Comment 8•8 years ago
|
||
Just to clarify: Are the headers you explicitly set in your test case important? I saw that you set Content-Type and Content-Disposition twice. Is this triggering any behavior that is different to the normal download behavior?
tracking-fennec: --- → ?
Flags: needinfo?(s.kaspari)
|
|
Reporter | |
Comment 9•8 years ago
|
||
Yes these two headers(Content-Type and Content-Disposition) are responsible for this producing this bug/issue
they confuses the browser
This attack is something like HPP(HTTP Paraameter Pollution)
I like to call it as HTTP Header Pollution Attack (HHP)
I think mozilla browser is confused between two "Content-Disposition" headers
First one is
Content-Disposition: attachment; filename=out.pdf
which is used for pdf files , browser thinks the file is a PDF format file
But due to second header
Content-Disposition: attachment; filename=out.apk
which is used for APk format file this header forces the browser to download/use it as out.apk
In this scenerio the browser thinks the served file from server is a PDF file so it allows downloading of content.(Browser allowed PDF files to be downloaded without any restriction/prompt/warning)And it allows the file.
But actually the served file from server is an APk file on this time the browser allows it like a PDF file. So the file gets downloaded without any restriction.
|
|
Reporter | |
Comment 10•8 years ago
|
||
Update : Only one "Content-Disposition: attachment" header is enough to reproduce this issue/bug
|
|
Reporter | |
Comment 11•8 years ago
|
||
<?php
$file = 'facebook.apk';
header('Content-Type: application/octet-stream');
header('Content-Description: File Transfer');
header('Content-Disposition: inline; filename=facebook.apk');
header('Connection: Keep-Alive');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit();
?>
|
|
Reporter | |
Comment 12•8 years ago
|
||
Are you able to reproduce ??
|
|
Reporter | |
Comment 13•8 years ago
|
||
Please confirm or traige it.
|
||
Comment 14•8 years ago
|
||
I can reproduce. I turned on browser.safebrowsing.downloads.enabled to true (just in case)
then went and downloaded an EICAR test file
https://en.wikipedia.org/wiki/EICAR_test_file
http://www.eicar.org/85-0-Download.html
It's just a tiny test file that contains a certain string of characters. All major antivirus programs out there will detect EICAR test files as malicious simply to prove they work.
I don't see a security issue here, as downloading a file to the disk should not cause any problems directly. I suppose there could be secondary effects is something is scanning downloaded files in the background.
We could revisit whether we want automatic downloads to happen.
Status: UNCONFIRMED → RESOLVED
tracking-fennec: ? → +
Closed: 8 years ago
Flags: needinfo?(timdream)
Resolution: --- → WONTFIX
|
|
Reporter | |
Comment 16•8 years ago
|
||
This is an android issue not a desktop browser issue
Files can be downloaded without any interaction from users to the storage of device
This is an issue of safe browsing
|
||
Comment 17•8 years ago
|
||
I am not sure why I was ni'd.
A lot of browsers (especially desktop) download stuff w/o asking and only prompt the user when the user wants to run it. We can revisit the design if we really want to.
Flags: needinfo?(timdream)
|
|
Reporter | |
Updated•8 years ago
|
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---
|
|
Reporter | |
Comment 18•8 years ago
|
||
You can see a warning before downloading any file like this file may harm your device in chrome,opera and other browsers
|
|
Reporter | |
Comment 19•8 years ago
|
||
video poc
|
|
Reporter | |
Comment 20•8 years ago
|
||
you made this report public
are you serious about security of firefox users ??
|
|
||
Comment 21•8 years ago
|
||
This behavior is easily discoverable it does not require any specific code and requires a non-trival amount of user interaction to install the apk. By default Android devices are set not to accept apk files from outside Google Play.
|
|
Reporter | |
Comment 22•8 years ago
|
||
not only apk any file can be downloaded without users interaction no matter how much size and impact(malicious)
|
|
||
Comment 23•8 years ago
|
||
Is this behavior observed on Chrome and other browsers?
Agree with comment 21 that the Android system protects the users from unknown sources (by default unknown sources will be rejected) so unless the download files can harm the user's device just by downloading it, most regular users are protected by the system already.
|
|
||
Comment 24•8 years ago
|
||
(In reply to giveitatry from comment #18)
> You can see a warning before downloading any file like this file may harm
> your device in chrome,opera and other browsers
FYI: This is bug 936041 and was disabled in bug 1241566 (until bug 1239094 is fixed).
|
|
Reporter | |
Comment 25•8 years ago
|
||
(In reply to Joe Cheng [:jcheng] (please needinfo) from comment #23)
> Is this behavior observed on Chrome and other browsers?
> Agree with comment 21 that the Android system protects the users from
> unknown sources (by default unknown sources will be rejected) so unless the
> download files can harm the user's device just by downloading it, most
> regular users are protected by the system already.
Yes im able to bypass download protection on chrome
|
|
Reporter | |
Comment 26•8 years ago
|
||
Any doubts on this ??
|
|
||
Comment 27•8 years ago
|
||
You are able to install an APK outside the Play Store on a phone with Android's security setting "unknown sources" set to off?
Bypassing the malicious download warning on Google Chrome is not interesting. It provides a way for people to get at incorrectly blocked files.
|
|
Reporter | |
Comment 28•8 years ago
|
||
suppose you stored a apk file from a legitimate source downloaded to downloads directory
But if attacker saves malicious apk of the same app you downloaded before with another name in that directory
Mostly peoples does'nt remember about their app package name so they just check the icon shown in file manager
and installed them
Thats why google gives a scope in their vrp bounty program
|
|
Reporter | |
Comment 29•8 years ago
|
||
Is it enough ???
|
|
||
Comment 30•8 years ago
|
||
I wonder how much does a prompt warning help to avoid such risk.
Prompt or not is more of a UX issue rather than security one, IMO.
Bug 1239094 together with Bug 936041 should help.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 31•8 years ago
|
||
This should not be closed as duplicate that earlier reported issue is explaining how a warning should be shown while downloading malicious
But I reported that the apk or any file can be downloaded without any interaction on user android device
Have a look on my video poc what im demonstrating before closing as duplicate (which is not resolved)
and what you are understanding
think from a attaker's view
|
|
Reporter | |
Comment 32•8 years ago
|
||
(In reply to Wesley Huang [:wesley_huang] (EPM) (NI me) from comment #30)
> I wonder how much does a prompt warning help to avoid such risk.
> Prompt or not is more of a UX issue rather than security one, IMO.
>
> Bug 1239094 together with Bug 936041 should help.
This should not be closed as duplicate that earlier reported issue is explaining how a warning should be shown while downloading malicious
But I reported that the apk or any file can be downloaded without any interaction on user android device
Have a look on my video poc what im demonstrating before closing as duplicate (which is not resolved)
and what you are understanding
think from a attaker's view
|
||
Updated•4 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•