
Issue metadata

Status: Fixed
Owner:
Closed: Mar 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security




Issue 180555: Security: DevTools renderer navigation is handled in renderer and allows opening any URL in DevTools window.

Reported by vsevik@chromium.org, Mar 6 2013 Project Member

Issue description

VULNERABILITY DETAILS
Drag-n-dropping any URL (from omnibox or a link on the page) to DevTools navigates DevTools renderer to that link.

This happens because https://codereview.chromium.org/11943008 removed web UI bindings from DevTools renderer. Now should_fork is not set to true in RenderViewImpl::decidePolicyForNavigation() (it's only set to true for navigation to webUI URLs and from renderers with webui bindings, the check for DevTools scheme on old_url is missing).

See https://code.google.com/p/chromium/codesearch#chromium/src/content/renderer/render_view_impl.cc&sq=package:chromium&type=cs&l=3051&rcl=1362536493

VERSION
Chrome Version: M26, M27
Operating System: All

REPRODUCTION STEPS
1) Open any page 
2) Open DevTools
3) Drag-n-drop any link from the page to devtools
4) DevTools navigates to given link which is bad.
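The description above says the navigation stays in the DevTools renderer because should_fork is only set for navigations to WebUI URLs or from renderers holding WebUI bindings, and the removed bindings left no check on the DevTools scheme of the source document. The following is an added, simplified model of that decision (not Chromium's render_view_impl.cc; the scheme strings, function names and the "leaving the DevTools scheme" rule are assumptions for illustration) showing the pre-fix logic beside a version that hands such navigations to the browser:

```cpp
#include <string>

// Minimal scheme extraction: "chrome-devtools://devtools/x.html" -> "chrome-devtools".
// Constructed helper; real Chromium uses GURL.
static std::string SchemeOf(const std::string& url) {
  std::string::size_type pos = url.find("://");
  return pos == std::string::npos ? "" : url.substr(0, pos);
}

// Assumed WebUI test: only the chrome:// scheme counts as WebUI here.
static bool IsWebUIURL(const std::string& url) {
  return SchemeOf(url) == "chrome";
}

// Model of the decision as the issue describes it before the fix: the
// navigation is forked to the browser only when the target is a WebUI URL
// or the navigating renderer holds WebUI bindings. Once DevTools lost its
// bindings, a dropped http:// link satisfies neither condition, so the
// DevTools renderer (which has file access) navigates to it itself.
bool ShouldForkBefore(const std::string& new_url,
                      bool renderer_has_webui_bindings) {
  return IsWebUIURL(new_url) || renderer_has_webui_bindings;
}

// Model of the fixed decision: additionally fork whenever the source
// document uses the DevTools scheme and the target does not, so the
// browser process handles every external navigation from DevTools.
bool ShouldForkAfter(const std::string& old_url, const std::string& new_url,
                     bool renderer_has_webui_bindings) {
  const bool leaving_devtools =
      SchemeOf(old_url) == "chrome-devtools" &&
      SchemeOf(new_url) != "chrome-devtools";
  return ShouldForkBefore(new_url, renderer_has_webui_bindings) ||
         leaving_devtools;
}
```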
 

Comment 1 by vsevik@chromium.org, Mar 6 2013

Cc: jam...@chromium.org

Comment 2 by jsc...@chromium.org, Mar 6 2013

Any idea what it did before, and should DevTools even be a drag target?

Comment 3 by vsevik@chromium.org, Mar 6 2013

It was navigating inspected page before.

This issue is about deciding whether navigation should be handled by renderer or browser.
DevTools being a drop target is another issue and I don't think it really worth attention.

Comment 4 by jsc...@chromium.org, Mar 6 2013

If it's not a drag target then you can't drop a link on it to navigate anywhere, which solves the problem and seems reasonable to me. Adding webui bindings back into DevTools isn't an option because it was a dangerous permission leakage, as evidenced by its use in an exploit.

Comment 5 by vsevik@chromium.org, Mar 6 2013

I have a patch ready actually: https://codereview.chromium.org/12531004/
This seems to be a better solution as it fixes the root of the problem.

Comment 6 by tsepez@chromium.org, Mar 6 2013

Labels: SecSeverity-Low SecImpacts-Beta

Comment 7 by bugdroid1@chromium.org, Mar 7 2013

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=186793

------------------------------------------------------------------------
r186793 | vsevik@chromium.org | 2013-03-07T22:18:59.895930Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/devtools/devtools_sanity_browsertest.cc?r1=186793&r2=186792&pathrev=186793
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/render_view_impl.cc?r1=186793&r2=186792&pathrev=186793

Let the browser handle external navigations from DevTools.

BUG= 180555 


Review URL: https://chromiumcodereview.appspot.com/12531004
------------------------------------------------------------------------

Comment 8 by infe...@chromium.org, Mar 7 2013

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed

Comment 9 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Feature-DevTools -SecSeverity-Low -SecImpacts-Beta Security-Severity-Low Security-Impact-Beta Cr-Platform-DevTools Type-Bug-Security

Comment 10 by scarybea...@gmail.com, Mar 12 2013

Labels: -Security-Severity-Low Security-Severity-None M-27

Comment 11 by scarybea...@gmail.com, Mar 12 2013

Doesn't seem like a security issue.

If it's considered a significant functional regression, I could still easily merge it to M26 for you. Let me know.

Comment 12 by scarybea...@gmail.com, Mar 12 2013

Labels: -Merge-Approved

Comment 13 by vsevik@chromium.org, Mar 12 2013

I still think this is a security issue: any link drag-n-dropped to the devtools window allows full filesystem read access.
Let's just merge it to 26 to be on the safe side.

Comment 14 by vsevik@chromium.org, Mar 13 2013

Labels: Merge-Requested

Comment 15 by vsevik@chromium.org, Mar 13 2013

Labels: -M-27 M-26

Comment 16 by jsc...@chromium.org, Mar 13 2013

Labels: -Security-Impact-Beta
Bulk edit.

Comment 17 by tanyarad@google.com, Mar 13 2013

Labels: -Merge-Requested Merge-Approved

Comment 18 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Merge-Approved merge-merged-1410
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=187957

------------------------------------------------------------------------
r187957 | chrome-bot@google.com | 2013-03-13T22:15:13.732807Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/devtools/devtools_sanity_browsertest.cc?r1=187957&r2=187956&pathrev=187957
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/content/renderer/render_view_impl.cc?r1=187957&r2=187956&pathrev=187957

Merge 186793 "Let the browser handle external navigations from D..."

> Let the browser handle external navigations from DevTools.
> 
> BUG= 180555 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/12531004

TBR=vsevik@chromium.org
Review URL: https://codereview.chromium.org/12574007
------------------------------------------------------------------------

Comment 19 by scarybea...@gmail.com, Mar 13 2013

Labels: Release-0

Comment 20 by jsc...@chromium.org, Mar 16 2013

Labels: -Security-Severity-None Security-Severity-Low Security-Impact-Beta Security-Impact-Stable
Seems pretty clear it's low-severity, since we shouldn't let a web site run in a renderer with file access.

Comment 21 by scarybea...@gmail.com, Mar 16 2013

I'm not so sure, on account of the level of user interaction:
1) Persuade victim to open dev tools.
2) Persuade victim to drag something untrusted on to dev tools.

Comment 22 by jsc...@chromium.org, Mar 17 2013

Put very succinctly, our security model prohibits web renderers from inheriting file permission. If they can grab it, then it's a security vulnerability. Yes, it's a very minor one in isolation (hence low), but it violates the model and could be the 23rd link in an exploit where Sergey chains together 37 innocuous bugs to run arbitrary JavaScript on the SSD microcontroller.

More seriously, this situation is analogous to bug 180058, where installing an extension as a NaCl proxy made it possible to instantiate NaCl in a web context. From a practical standpoint, there's no user risk we're aware of, but it violated the security model, so we (eventually) triaged it as low-severity.

Comment 23 by scarybea...@gmail.com, Mar 17 2013

I'll add a new label, Security-Severity-InbetweenLowAndNone

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Low Security_Severity-Low

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 26 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 27 by scarybea...@gmail.com, Mar 23 2013

Labels: CVE-2013-0918

Comment 28 by jsc...@chromium.org, Nov 18 2013

Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Comment 29 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 30 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 31 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 33 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Comment 34 by sheriffbot@chromium.org, Jul 28 2018

Project Member
Labels: Pri-2
