Download Protections bypass using download Attribute
Categories: Firefox :: File Handling, defect
People: Reporter: gosegu, Unassigned, NeedInfo
Details: Keywords: reporter-external, Whiteboard: [client-bounty-form]
Attachments: 5 files
Reproduction Case
1. Download the attached files (clickjacking.html, mal.exe, content.html) and place them in the same folder. Then, open the server (localhost is also acceptable).
2. After that, when you click on mal.exe, it goes through a confirmation process with the user before saving the file. However, if you click on calc.exe, a program with an exe extension is immediately downloaded, and opening it launches the calculator.
In Firefox, there are many extensions that check files before downloading them. However, using the download attribute, it is possible to bypass these scans for almost all extensions. In the same situation, the Chrome browser always checks the file before downloading it.
OS: Windows 10
Version: 128.0b4 (64-bit)
Comment 6•1 year ago
(In reply to hyeon park from comment #0)
> Reproduction Case
> 1. Download the attached files (clickjacking.html, mal.exe, content.html) and place them in the same folder. Then, open the server (localhost is also acceptable).
Note: you also have to change the references in clickjacking.html (i.e. correct the URLs to mal.exe and content.html included there), which is the file you're supposed to open first.
> 2. After that, when you click on mal.exe, it goes through a confirmation process with the user before saving the file.
It doesn't? Not in the Firefox default settings. Only if you change the default settings to prompt about each download.
> However, if you click on calc.exe, a program with an exe extension is immediately downloaded, and opening it launches the calculator.
I think any difference here is to do with your Firefox settings. Please try a new Firefox profile, and then clarify what settings you were using when recording the video you attached. I have tried reproducing with "Ask whether to save or open files" checked and cannot reproduce download causing that to be bypassed, so I expect you had a specific filetype set to prompt - but that wasn't in your steps to reproduce or clarified at all. Easiest way to figure it out would be attaching a copy of handlers.json from the affected profile.
We don't do an in-browser prompt when opening calc.exe on Windows because we expect Windows to prompt if the signature of the file is such that that is required. This has been Firefox's behaviour for a long time. https://searchfox.org/mozilla-central/rev/cb1060f7b4581e6c2d30f1accc84c7d807132d82/toolkit/components/downloads/DownloadIntegration.sys.mjs#647-674
We would prompt when opening the download for executable files with any other extension (can try e.g. .com) - all the warnings happen when opening the download. The only time we block downloads before they get transferred to disk is for unsafe mixed content (http from an https page) - we recently tried to expand this to block all http downloads but ran into too many web compat issues.
> In Firefox, there are many extensions that check files before downloading them. However, using the download attribute, it is possible to bypass these scans for almost all extensions.
It's not clear to me what you believe is being bypassed here. I don't think the warning-when-opening thing should be bypass-able if you're using download= to change the file extension. If it is, please provide a testcase that doesn't use .exe files and elaborate.
If you're talking about the "ask what to do with this file" dialog: there are per-filetype download settings, also about whether or not we prompt you to open/save. These are based on mimetype. Your server is presumably sending text/html as the filetype for content.html (where download=calc.exe is set). The fact that the download attribute then changes it to .exe instead of HTML means that maybe we do the "wrong" thing in terms of prompting or not prompting about what to do with the file. That is arguably a bug, but it's not a security boundary so I don't think it's a security bug.
> In the same situation, the Chrome browser always checks the file before downloading it.
The screencast is not super clear, but as far as I can tell this is just Chrome blocking the download because it happened over http (not https) and I believe Chrome has started blocking .exe files in that situation. That's great but nothing to do with the download attribute or any of the other bits here.
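An added check, not code from the bug report or from Firefox, for the inconsistency comment 6 describes: the filename an `<a download="...">` attribute imposes is compared with the response's declared Content-Type, which is what a download-scanning policy keyed on mimetype would want to know before trusting either. The MIME-to-extension map and the executable-extension and executable-type lists are assumptions kept small for illustration.

```javascript
// Added example, not code from the bug report or from Firefox. The report has
// download="calc.exe" applied to a text/html resource, so mimetype-keyed handler
// rules see "HTML" while the file lands on disk as ".exe"; this flags that case.
// The MIME map and the extension/type lists below are assumptions.

// Non-executable types and the extensions they are normally saved with.
const MIME_TO_EXT = {
  "text/html": ["html", "htm"],
  "text/plain": ["txt"],
  "application/pdf": ["pdf"],
  "image/png": ["png"],
  "image/jpeg": ["jpg", "jpeg"],
  "application/zip": ["zip"],
};
// Types under which an executable download is plausible (assumed list).
const EXECUTABLE_TYPES = new Set(["application/x-msdownload", "application/octet-stream"]);
// Extensions Windows runs directly (assumed subset, for illustration).
const EXECUTABLE_EXTS = new Set(["exe", "com", "bat", "cmd", "scr", "pif", "msi"]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function essenceOf(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Final extension of the name the download attribute would impose
// ("report.pdf.exe" -> "exe"; ".htaccess" and "" -> no extension).
function extensionOf(filename) {
  const base = String(filename || "").split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot > 0 && dot < base.length - 1 ? base.slice(dot + 1).toLowerCase() : "";
}

// Returns { ok, reason, ext, type }. ok=false means the imposed filename and
// the declared type disagree in a way a scanning policy should not trust.
function checkDownloadName(downloadAttr, contentType) {
  const ext = extensionOf(downloadAttr);
  const type = essenceOf(contentType);
  if (!ext) { // download="" or no extension: the browser derives the name from the URL
    return { ok: true, reason: "no extension imposed", ext, type };
  }
  if (EXECUTABLE_EXTS.has(ext) && !EXECUTABLE_TYPES.has(type)) {
    return { ok: false, reason: "executable extension imposed on non-executable type", ext, type };
  }
  const expected = MIME_TO_EXT[type];
  if (expected && !expected.includes(ext)) {
    return { ok: false, reason: "extension does not match declared Content-Type", ext, type };
  }
  return { ok: true, reason: "consistent", ext, type };
}
```

A generic `application/octet-stream` response cannot be checked this way, so such a download is only flagged by its name, never cleared by its type.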