
Issue 117627


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Security: IPC Channel does not validate the listener.

Reported by nsylvain@chromium.org, Mar 10 2012

Issue description

VULNERABILITY DETAILS
The IPC channel does not validate the identity of the listener process. It makes it possible for another process to connect to a pipe started by the browser process.

If the "fake" listener process is unprivileged and connects to a pipe with more rights, it will cause a privilege escalation.

VERSION
Chrome Version: All
Operating System: Windows

 

Comment 1 by jsc...@chromium.org, Mar 11 2012

Cc: jsc...@chromium.org

Comment 2 Deleted

Cc: jorgelo@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals SecSeverity-Critical OS-All SecImpacts-Stable SecImpacts-Beta Mstone-18

Comment 5 by jsc...@chromium.org, Mar 15 2012

Cc: -jsc...@chromium.org cpu@chromium.org
Owner: jsc...@chromium.org

Comment 6 by bugdroid1@chromium.org, Mar 17 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=127327

------------------------------------------------------------------------
r127327 | jschuh@chromium.org | Fri Mar 16 19:20:46 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel.h?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_posix.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_sync_channel_unittest.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/render_process_host_impl.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/child_process_host_impl.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/ppapi_plugin/ppapi_thread.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/child_process_host_impl.h?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc.gypi?r1=127327&r2=127326&pathrev=127327
 A http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_win.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_channel.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/np_channel_base.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_channel.h?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_win.h?r1=127327&r2=127326&pathrev=127327

Verify the child process with a secret hello

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Review URL: http://codereview.chromium.org/9692035
------------------------------------------------------------------------
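The "secret hello" pattern named in the commit message above, shown as an added illustration (this is not Chromium's IPC code): the browser generates a per-channel secret, hands it to the child it spawns out of band, and the listening end refuses to deliver anything until the peer's first message on the pipe matches that secret. `VerifiedListener`, `simulate` and the message contents are assumptions made for this example.

```python
import hmac
import secrets

SECRET_LEN = 32  # bytes of randomness the browser hands to the child at spawn time


def generate_channel_secret() -> bytes:
    """Browser side: a fresh secret per channel, passed to the child out of band
    (e.g. on its command line), so only the process we launched can know it."""
    return secrets.token_bytes(SECRET_LEN)


class VerifiedListener:
    """Hypothetical listening (browser) end of a pipe: delivers nothing until the
    peer's first message proves it holds the channel secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.verified = False
        self.closed = False
        self.delivered = []  # messages accepted after verification

    def on_message(self, msg: bytes) -> bool:
        """Return True if msg was accepted; a bad or missing hello closes the channel."""
        if self.closed:
            return False
        if not self.verified:
            # Constant-time comparison; a length mismatch is a failure too.
            if len(msg) == SECRET_LEN and hmac.compare_digest(msg, self._secret):
                self.verified = True
                return True
            self.closed = True  # unverified peer: tear the pipe down, deliver nothing
            return False
        self.delivered.append(msg)
        return True


def child_hello(secret_from_cmdline: bytes) -> bytes:
    """Child side: its very first message on the pipe is the secret it was launched with."""
    return secret_from_cmdline


def simulate(legitimate_child: bool) -> dict:
    """Drive one connection (constructed scenario). A legitimate child knows the
    secret; a process that merely found the pipe name does not and can only guess."""
    secret = generate_channel_secret()
    listener = VerifiedListener(secret)
    first = child_hello(secret) if legitimate_child else secrets.token_bytes(SECRET_LEN)
    hello_ok = listener.on_message(first)
    msg_ok = listener.on_message(b"IPC:request")  # a real message after the hello
    return {"hello_ok": hello_ok, "msg_ok": msg_ok, "delivered": len(listener.delivered)}
```

The second commit on this bug makes the hello mandatory rather than optional; in this model that is the `closed = True` branch, which fires whenever the first message is anything other than the secret.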

Comment 7 by jsc...@chromium.org, Mar 17 2012

Labels: -OS-All OS-Windows
This is just the first piece of the fix, but it's the most important part. The next piece will prevent sandboxed processes at all levels from reading each other's memory.

Comment 8 Deleted

Comment 9 Deleted

Comment 10 Deleted

Comment 11 Deleted

Comment 12 Deleted

Labels: -Restrict-View-SecurityTeam -SecSeverity-Critical Restrict-View-SecurityNotify SecSeverity-Medium
Status: FixUnreleased
Realistically, this is a somewhat narrow privilege escalation vector from a partially sandboxed process. So, medium severity is probably more accurate.

Comment 14 Deleted

Comment 15 Deleted

Labels: pwnium

Comment 17 by bugdroid1@chromium.org, Apr 3 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=130346

------------------------------------------------------------------------
r130346 | jschuh@chromium.org | Tue Apr 03 01:49:43 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_win.cc?r1=130346&r2=130345&pathrev=130346

Require IPC hello for a verified channel

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Review URL: http://codereview.chromium.org/9956085
------------------------------------------------------------------------

Comment 19 by bugdroid1@chromium.org, Apr 23 2012

Labels: merge-merged-1025
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=133530

------------------------------------------------------------------------
r133530 | jschuh@chromium.org | Mon Apr 23 15:06:20 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/browser/renderer_host/render_process_host_impl.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/child_process_host_impl.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/gpu/gpu_channel.h?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel_posix.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_sync_channel_unittest.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/ppapi_plugin/ppapi_thread.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/gpu/gpu_channel.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc.gypi?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/child_process_host_impl.h?r1=133530&r2=133529&pathrev=133530
 A http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/np_channel_base.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel_win.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel_win.h?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel.h?r1=133530&r2=133529&pathrev=133530

Merge 9692035

Verify the child process with a secret hello

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=127327
------------------------------------------------------------------------
Labels: Merge-Merged

Comment 21 by bugdroid1@chromium.org, Apr 23 2012

Labels: merge-merged-1084
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=133534

------------------------------------------------------------------------
r133534 | jschuh@chromium.org | Mon Apr 23 15:14:38 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/ipc/ipc_channel_win.cc?r1=133534&r2=133533&pathrev=133534

Merge 130346 - Require IPC hello for a verified channel

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Review URL: http://codereview.chromium.org/9956085

TBR=jschuh@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10199005
------------------------------------------------------------------------
Labels: CVE-2011-3079

Comment 23 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Labels: -Restrict-View-SecurityNotify

Comment 25 Deleted

Comment 26 by Deleted ...@, Oct 4 2012

I also changed the path http://letdld.blogspot.com but the error still exists on that. What to do? Some new security bugs come, ??

Comment 27 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta -Mstone-18 Security-Impact-Beta Security-Severity-Medium M-18 Cr-Internals Security-Impact-Stable Type-Bug-Security

Comment 28 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 29 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 30 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 31 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
