

Latest update:

June 28th, 2013

Status:

reported (June 5th, 2012) / unpatched

Vulnerability details:

A malicious HTML page whose only apparent purpose is to display a PDF file can cause a user who saves that PDF through the Chrome PDF viewer to receive a completely different PDF file, or to download an executable file instead of the document that was displayed.

Version:

Chrome Version: [19.0.1084.52\21.0.1163.0 dev-m] [stable+beta+dev]
Area-Webkit
Operating System: [OS-ALL]


PoC #1


Reproduction case:

Setup:

2 pdf files (good.pdf & infected.pdf)

Google Chrome Version: [19.0.1084.52\21.0.1163.0 dev-m] [stable+beta+dev]

Crafted HTML page:


Load the malicious HTML page: you are now viewing good.pdf. Click "Save as" and the saved file will be infected.pdf. Open the saved PDF and notice that it is not the file that was displayed in the HTML page.

I tested this vulnerability on IE8 / IE9 / Safari / Opera / Firefox, and they either load infected.pdf or save the good file.

UPDATE: 28/06/2013

Here's another PoC from an r/netsec/ user, thanks to bennysaurus! You can read the reddit post here: Chrome PDF viewer "save as" vulnerability

PoC #2


Reproduction case:

Setup:

1 pdf file (info.pdf) & 1 executable (putty.exe)

Google Chrome Version: [19.0.1084.52\21.0.1163.0 dev-m] [stable+beta+dev]

Crafted HTML page:


Load the malicious HTML page: you are now viewing info.pdf. Click "Save as" and the saved file will be putty.exe! Thanks to this sweet line of code: [type="application/pdf"], which allows us to bypass the extension filter.

This PoC only works in Chrome, on all versions.