

Latest update:

May 7th, 2015 - The behavior described below was considered "normal"
for Chrome, but it now looks like it has finally been patched!

June 28th, 2013 - Added PoC #2 - Chrome Dev won't fix the issue - Status: WontFix

June 5th, 2012 - Added PoC #1

Status:

reported (June 5th, 2012) / Patched (May 7th, 2015)
reported (June 5th, 2012) / Unpatched

Vulnerability/Weakness details:

A user who wants to save a PDF file displayed in the Chrome PDF viewer can instead get a completely different PDF file, or download an executable file, through a crafted combination of the object data attribute and the param HTML tag. This is by definition a violation of trust; the infected PDF or EXE is merely the payload.

Version:

Chrome Version: [19.0.1084.52\21.0.1163.0 dev-m] [stable+beta+dev]
Area-Webkit
Operating System: [OS-ALL]


PoC #1


Reproduction case:

Setup:

2 pdf files (good.pdf & infected.pdf)

Google Chrome Version: [19.0.1084.52\21.0.1163.0 dev-m] [stable+beta+dev]

Crafted HTML page:


Load the malicious HTML page: you are now viewing good.pdf. Click "save as" and the saved file will be infected.pdf; open that PDF and notice that it is not the file shown in the HTML page.

I tested this vulnerability on IE8 / IE9 / Safari / Opera / Firefox, and they either load infected.pdf or save the good file.

UPDATE: 28/06/2013

Here's another PoC from an r/netsec user, thanks to bennysaurus! You can read the reddit post here: Chrome PDF viewer "save as" vulnerability

PoC #2


Reproduction case:

Setup:

1 pdf file (info.pdf) & 1 executable (putty.exe)

Google Chrome Version: [19.0.1084.52\21.0.1163.0 dev-m] [stable+beta+dev]

Crafted HTML page:


Load the malicious HTML page: you are now viewing info.pdf. Click "save as" and the saved file will be putty.exe! This is thanks to this sweet line of code: [type="application/pdf"], which allows bypassing the extension filter.

This PoC only works in Chrome, on all versions.
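One defender-side check that follows from both PoCs is to scan served HTML for `<object>` elements whose displayed resource and save-as target disagree. The script below is an added example, not code from this advisory or from the reddit post; it assumes, as the PoCs describe, that `data` is what "save as" writes and that the displayed file is named by a nested `<param>` (the `src` name in the constructed sample is a guess).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not from the advisory): an honest embed, the PoC #1 shape (two
# different PDFs) and the PoC #2 shape (exe target); <param name="src"> is an assumption.
SAMPLE_HTML = """
<object type="application/pdf" data="files/info.pdf"></object>
<object type="application/pdf" data="files/infected.pdf"><param name="src" value="files/good.pdf"></object>
<object type="application/pdf" data="files/putty.exe"><param name="src" value="files/info.pdf"></object>
"""

def _ext(url):
    """Lower-case extension of a URL's path component ('' if none)."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

class _ObjectCollector(HTMLParser):
    """Collect <object> elements with the values of their nested <param>s."""
    def __init__(self):
        super().__init__()
        self.objects, self._stack = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            obj = {"type": a.get("type", "").lower(), "data": a.get("data", ""), "params": []}
            self.objects.append(obj)
            self._stack.append(obj)  # stack handles nested <object> fallbacks
        elif tag == "param" and self._stack:
            self._stack[-1]["params"].append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "object" and self._stack:
            self._stack.pop()

def find_mismatched_pdf_objects(html):
    """Flag <object>s whose displayed file and save-as target can differ: (1) type
    claims PDF but data is not a .pdf; (2) a <param> names a resource other than
    data. Params without a path or file extension (e.g. "1.0") are ignored."""
    p = _ObjectCollector(); p.feed(html)
    findings = []
    for o in p.objects:
        claims_pdf, data_ext = o["type"] == "application/pdf", _ext(o["data"])
        if claims_pdf and o["data"] and data_ext != "pdf":
            findings.append(("type-extension mismatch", o["data"]))
        for v in o["params"]:
            if ("/" in v or _ext(v) in ("pdf", "exe")) and o["data"] and v != o["data"]:
                findings.append(("param/data mismatch", f"{o['data']} vs {v}"))
    return findings
```

Running `find_mismatched_pdf_objects(SAMPLE_HTML)` reports nothing for the first object, a param/data mismatch for the second, and both a type-extension and a param/data mismatch for the third.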