Starred by 1 user
Status: Fixed
Owner:
Closed: Mar 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Security: IPC Channel does not validate the listener.
Project Member Reported by nsylvain@chromium.org, Mar 10 2012 Back to list
VULNERABILITY DETAILS
The IPC channel does not validate the identity of the listener process. It makes it possible for another process to connect to a pipe started by the browser process.

If the "fake" listener process is unprivileged and connects to a pipe with more rights, it will cause a privilege escalation.

VERSION
Chrome Version: All
Operating System: Windows

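The report above describes a channel that accepts whichever process reaches the pipe first, and the fix landed below ("Verify the child process with a secret hello") closes it by requiring the first message to be a secret only the launched child knows. The following in-memory simulation is an added illustration, not Chromium's IPC code: the `VerifiedChannel` class, its `HELLO` message type and the `run_child`/`demo` helpers are assumptions made for this example, and how the secret reaches the legitimate child out of band is left to the launcher.

```python
"""Secret-hello verification for an IPC channel, simulated in memory.

Added example, not Chromium's implementation. The server side generates a
per-channel secret, hands it to the child it launched (out of band, assumed
here), and dispatches nothing until the first message on the pipe is exactly
that secret. A process that merely knows the pipe name cannot produce it.
"""
import hmac
import secrets


class VerifiedChannel:
    """Server side of one pipe. Unverified until a correct hello arrives."""

    MSG_HELLO = "HELLO"  # hypothetical message type used only in this example

    def __init__(self, secret=None):
        # One fresh secret per channel; never reused across launches.
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.verified = False
        self.closed = False
        self.delivered = []  # messages actually handed to the listener

    def on_message(self, msg_type, payload):
        """Receive path. Returns True if the message was accepted."""
        if self.closed:
            return False
        if not self.verified:
            # Before verification only a correct hello is acceptable; anything
            # else (wrong secret, or a normal message sent first) closes the
            # channel instead of being dispatched.
            if msg_type != self.MSG_HELLO or not hmac.compare_digest(payload, self.secret):
                self.closed = True
                return False
            self.verified = True
            return True
        self.delivered.append((msg_type, payload))
        return True


def run_child(channel, secret, messages):
    """Client side: send the hello first, then the real traffic.

    Returns True only if every message was accepted by the channel.
    """
    accepted = channel.on_message(VerifiedChannel.MSG_HELLO, secret)
    for msg_type, payload in messages:
        accepted = channel.on_message(msg_type, payload) and accepted
    return accepted


def demo():
    """Three constructed scenarios; results are returned for inspection."""
    traffic = [("PING", b"1"), ("PING", b"2")]  # constructed sample messages

    # 1. Legitimate child: launched by the server, so it was given the secret.
    legit = VerifiedChannel()
    legit_ok = run_child(legit, legit.secret, traffic)

    # 2. Process that found the pipe by name but never received the secret.
    impostor = VerifiedChannel()
    impostor_ok = run_child(impostor, secrets.token_bytes(16), traffic)

    # 3. Process that skips the hello and talks straight away.
    skipper = VerifiedChannel()
    skipper_ok = skipper.on_message("PING", b"1")

    return {
        "legit_accepted": legit_ok,
        "legit_delivered": len(legit.delivered),
        "impostor_accepted": impostor_ok,
        "impostor_closed": impostor.closed,
        "impostor_delivered": len(impostor.delivered),
        "skipper_accepted": skipper_ok,
        "skipper_delivered": len(skipper.delivered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points carry over to a real channel: the comparison uses `hmac.compare_digest` so a wrong guess leaks no timing information about the secret, and a failed hello closes the channel rather than leaving it open for a retry, so the pipe cannot be brute-forced by repeated connections.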
Comment 1 by jsc...@chromium.org, Mar 11 2012
Cc: jsc...@chromium.org
Comment 2 Deleted
Cc: jorgelo@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals SecSeverity-Critical OS-All SecImpacts-Stable SecImpacts-Beta Mstone-18
Comment 5 by jsc...@chromium.org, Mar 15 2012
Cc: -jsc...@chromium.org cpu@chromium.org
Owner: jsc...@chromium.org
Project Member Comment 6 by bugdroid1@chromium.org, Mar 17 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=127327

------------------------------------------------------------------------
r127327 | jschuh@chromium.org | Fri Mar 16 19:20:46 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel.h?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_posix.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_sync_channel_unittest.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/render_process_host_impl.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/child_process_host_impl.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/ppapi_plugin/ppapi_thread.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/child_process_host_impl.h?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc.gypi?r1=127327&r2=127326&pathrev=127327
 A http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_win.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_channel.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/np_channel_base.cc?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/common/gpu/gpu_channel.h?r1=127327&r2=127326&pathrev=127327
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_win.h?r1=127327&r2=127326&pathrev=127327

Verify the child process with a secret hello

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Review URL: http://codereview.chromium.org/9692035
------------------------------------------------------------------------
Comment 7 by jsc...@chromium.org, Mar 17 2012
Labels: -OS-All OS-Windows
This is just the first piece of the fix, but it's the most important part. The next piece will prevent sandboxed processes at all levels from reading each other's memory.
Comment 8 Deleted
Comment 9 Deleted
Comment 10 Deleted
Comment 11 Deleted
Comment 12 Deleted
Labels: -Restrict-View-SecurityTeam -SecSeverity-Critical Restrict-View-SecurityNotify SecSeverity-Medium
Status: FixUnreleased
Realistically, this is a somewhat narrow privilege escalation vector from a partially sandboxed process. So, medium severity is probably more accurate.
Comment 14 Deleted
Comment 15 Deleted
Labels: pwnium
Project Member Comment 17 by bugdroid1@chromium.org, Apr 3 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=130346

------------------------------------------------------------------------
r130346 | jschuh@chromium.org | Tue Apr 03 01:49:43 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/ipc/ipc_channel_win.cc?r1=130346&r2=130345&pathrev=130346

Require IPC hello for a verified channel

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Review URL: http://codereview.chromium.org/9956085
------------------------------------------------------------------------
Project Member Comment 19 by bugdroid1@chromium.org, Apr 23 2012
Labels: merge-merged-1025
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=133530

------------------------------------------------------------------------
r133530 | jschuh@chromium.org | Mon Apr 23 15:06:20 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/browser/renderer_host/render_process_host_impl.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/child_process_host_impl.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/gpu/gpu_channel.h?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel_posix.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_sync_channel_unittest.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/ppapi_plugin/ppapi_thread.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/gpu/gpu_channel.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc.gypi?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/child_process_host_impl.h?r1=133530&r2=133529&pathrev=133530
 A http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/common/np_channel_base.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel_win.cc?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel_win.h?r1=133530&r2=133529&pathrev=133530
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/ipc/ipc_channel.h?r1=133530&r2=133529&pathrev=133530

Merge 9692035

Verify the child process with a secret hello

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=127327
------------------------------------------------------------------------
Labels: Merge-Merged
Project Member Comment 21 by bugdroid1@chromium.org, Apr 23 2012
Labels: merge-merged-1084
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=133534

------------------------------------------------------------------------
r133534 | jschuh@chromium.org | Mon Apr 23 15:14:38 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/ipc/ipc_channel_win.cc?r1=133534&r2=133533&pathrev=133534

Merge 130346 - Require IPC hello for a verified channel

BUG= 117627 
TEST=IPCSyncChannelTest.Verified

Review URL: http://codereview.chromium.org/9956085

TBR=jschuh@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10199005
------------------------------------------------------------------------
Labels: CVE-2011-3079
Comment 23 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Labels: -Restrict-View-SecurityNotify
Comment 25 Deleted
Comment 26 by Deleted ...@, Oct 4 2012
I also changed the path http://letdld.blogspot.com but the error still exists on that. What to do? Some new security bugs come, ??
Project Member Comment 27 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta -Mstone-18 Security-Impact-Beta Security-Severity-Medium M-18 Cr-Internals Security-Impact-Stable Type-Bug-Security
Project Member Comment 28 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 30 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 31 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 32 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 33 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic