Skip to content

πŸ±β€πŸ’» πŸ‘ Google Chrome - File System Access API - vulnerabilities reported by Maciej Pulikowski | Total Bug Bounty Reward: $5.000 | CVE-2021-21123 and 5 more...

Notifications You must be signed in to change notification settings

Puliczek/CVE-2021-21123-PoC-Google-Chrome

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

10 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ“ Description

Google Chrome - File System Access API - vulnerabilities reported by Maciej Pulikowski

Total Bug Bounty Reward: $5.000

This is Proof of Concept for:

The main security issue here is the operating system dialog "Save as" launched by Google Chrome, is showing to the user the wrong file extension of downloaded the file. It shows "Save as type: JPEG (.jpg)" but downloads virus.jpg.lnk that can download and run virus.exe by PowerShell.

So it is a kind of spoofing extension of downloaded a file.

The bugs works in Google Chrome 86 and 87 on Windows, Mac, and Linux. Of course, LNK works only on Windows, but we can change it to a different extension on Linux or Mac.

Google Blog posts:

Mentioned bugs are "Reported by Maciej Pulikowski"

πŸ“Ί Youtube Proof of Concept

https://www.youtube.com/watch?v=l9swTtaRDNs

PoC Video

Thanks for the thumbs up πŸ˜€πŸ‘

πŸ‘¨β€πŸ’» Code PoC

Requirements: Nothing, you just need to run an HTML file in an older version of Google Chrome 86 or 87. If you want to test it with a .lnk file, you have to create FUD "lnkextra.lnk" file, because it is not included.

  • example_showSaveFilePicker.html (The bugs works in Google Chrome 86 and 87. They are patched in 88+)

    CVE-2021-21123, CVE-2021-21129, CVE-2021-21130, CVE-2021-21131, CVE-2021-21141

    Playground of my examples for showSaveFilePicker():

    • Save LNK file and show save as type: JPEG Image (*.jpg)
    • A many of whitespace and fake extensions in the description
    • RTL in description
    • Super long description
    • Many spaces in the extension
    • RTL in extension
    • Extension ends with space
    • Extension ends with a period
    • Save LNK file in a different way
    • EXTRA - Because everything happens in JS we can check if the user's browser is vulnerable
  • example_getFileHandle.html (The bug works in Google Chrome 86, 87, and 88. It is patched in 89+)

    CVE-2021-21172 - getFileHandle() - Save .lnk file to selected folder

πŸ’» Useful links

🀝 Show your support

Give a ⭐️ if you liked the content

βœ”οΈ Disclaimer

This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.

About

πŸ±β€πŸ’» πŸ‘ Google Chrome - File System Access API - vulnerabilities reported by Maciej Pulikowski | Total Bug Bounty Reward: $5.000 | CVE-2021-21123 and 5 more...

Topics

Resources

Stars

Watchers

Forks

Languages