1

When using Chrome and I select a file for upload on a website that accepts files, a Windows dialog box appears for me to select a file.

I can then paste a URL address for a file in the dialog box, and explorer.exe then invokes a process to download the file to a temporary folder, and then upload the file from the temporary folder to the website.

I think explorer.exe invokes Edge, judging by the temporary files location of subsequent upload dialog boxes remembering the last used folder.

Can a maliciously encoded url use a malformed 'filename' (what windows interprets) in the url to somehow impact the explorer.exe process or Windows filesystem nefariously?

Can this access be contained within Edge's browser cache or can it go further with a carefully designed filename?

Once the filename becomes local, is the process running with local zone privileges?

laughing muppet
  • 11
  • 3
  • I cleaned up your post but the 2nd to last paragraph was very difficult to understand. I think you missed a word. Can you edit your post to make sure it says what you intended? – schroeder Feb 14 '20 at 08:42
  • In general, just accessing a file does not run it, so downloading and uploading won't affect your machine. – schroeder Feb 14 '20 at 08:43
  • i guess the only way would be if the filename length exceeds ntfs limits, and then ends up overwriting the next sectors – laughing muppet Feb 14 '20 at 10:17
  • Can that happen? – schroeder Feb 14 '20 at 10:22
  • "Once the filename becomes local, is the process running with local zone privileges" - this question makes no sense. What process? – schroeder Feb 14 '20 at 10:34
  • `, and then ends up overwriting the next sectors` If this is possible, i'm sure Microsoft would pay well for a PoC :P – Nomad Feb 14 '20 at 11:58
  • It isn't possible to give an authoritative yes/no answer (or give a solid guess) for any of these questions without being able to reproduce the conditions and test for a vulnerability. If you're interested in going deeper into this, I suggest posting the steps to replicate the issue as well as system information and versions (what build of Windows, what version of Chrome, etc). – Joshua Murphy Feb 15 '20 at 00:49

0 Answers0