Commit 4b9c56e

feat(cve-2016-5214): add "mark of the web bypass" [chrome]
1 parent d39d195 commit 4b9c56e

2 files changed: +50 −0 lines changed

chrome/CVE-2016-5214/README.md

+44
@@ -0,0 +1,44 @@
1+
# Mark of the Web bypass in Chrome
2+
3+
> Reported by [email protected], Apr 7 2016
4+
5+
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586
6+
7+
> [Metnew] TL;DR: download using `data:` URI bypasses "Mark of the web"
8+
9+
## REPRODUCTION CASE
10+
11+
Steps to reproduce the problem:
12+
13+
1. In Windows, open Chrome and browse to http://payloadhoster.cloudapp.net/WordDataRedirect.htm
14+
2. Click the “download.docx” file that appears at the bottom of the Window.
15+
16+
Expected: the document file has Mark of the Web (MOTW) applied to it, and is opened in protected view.
17+
Actual: the document does not have MOTW applied to it and is opened without protected view.
18+
19+
## VULNERABILITY DETAILS
20+
21+
This works because the web page uses javascript to set the document location to a URL beginning with “data:application/vnd.openxmlformats-officedocument.wordprocessingml.document;base64,”. Chrome will open data: URI’s with arbitrary MIME types, and does not apply Mark of the Web to files downloaded this way in Windows.
22+
23+
This bug cannot be reproduced in Firefox (which applies mark of the web) or IE (which won’t open data: URI’s for arbitrary MIME types like this).
24+
25+
As an additional note, the filename for the document can be controlled using the “download” attribute of an anchor tag.
26+
27+
A repro with this addition can be found here:
28+
http://payloadhoster.cloudapp.net/WordDataRedirect2.htm
29+
30+
What is the expected behavior?
31+
the document file has Mark of the Web (MOTW) applied to it, and is opened in protected view.
32+
33+
What went wrong?
34+
the document does not have MOTW applied to it and is opened without protected view.
35+
36+
Did this work before? N/A
37+
38+
## VERSION
39+
40+
Chrome version: 46.0.2486.0 Channel: n/a
41+
OS Version: 10.0
42+
Flash Version: Shockwave Flash 21.0 r0
43+
44+
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=601538
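Review bot: the `## VERSION` section records only the version the report was filed against and nothing about the fix; since the CVE is already assigned, add a "Fixed in" line (taken from the linked tracker entry, not guessed) so readers can tell whether a given Chrome build is still affected. Two smaller points on the same hunk: the `UserAgent` string carries an `Edge/13.10586` token, so the `Chrome/46.0.2486.0` figure it contains is the Chrome-compatible token of the browser the report was filed from and may not identify the Chrome build actually tested, which is worth a short note next to `Chrome version: 46.0.2486.0`; and the two repro links on `payloadhoster.cloudapp.net` are external hosts that may disappear, so reference the `exploit.html` added in this same commit as the local repro.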

chrome/CVE-2016-5214/exploit.html

+6
@@ -0,0 +1,6 @@
1+
<body>
2+
<a id="trigger" href="data:application/vnd.openxmlformats-officedocument.wordprocessingml.document; base64" download="exploit.docx"></a>
3+
<script>
4+
trigger.click()
5+
</script>
6+
</body>
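Review bot: the `href` on line 2 is not a well-formed `data:` URL: `; base64` has a stray space, and there is no `,` separator or encoded body after it, so the anchor downloads an empty `exploit.docx` and the repro cannot show whether MOTW is applied when the file is opened. The README in this commit describes the working form as `data:application/vnd.openxmlformats-officedocument.wordprocessingml.document;base64,` followed by the encoded document, so either fill in a document here (a placeholder such as `<BASE64_DOCX_HERE>` is fine if the file is to be supplied by the tester) or note in the README that the payload is intentionally omitted. Minor: `trigger.click()` relies on the implicit global created from the element `id`; `document.getElementById("trigger").click()` makes the intent explicit.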
