New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security



Sign in to add a comment
link

Issue 377995: Security: CSP Sandbox bypass

Reported by man...@caballero.com.ar, May 27 2014

Issue description

VULNERABILITY DETAILS
We can bypass the header('Content-Security-Policy:sandbox') and access the DOM of sandboxed URLs.
What we are doing is very simple: inject code into the page *before* it has been loaded, so Chrome will honor that code even when it should discard it. In other words, Chrome should behave exactly as if the sandboxed URL were coming from a different domain, deleting injected code. Once it reads the header, boom, destroy injected code so it doesn't run.

VERSION
Chrome Version: 35.0.1916.114 (Official Build 270117) m stable
Operating System: Windows 8.1 Pro Fully Updated

REPRODUCTION CASE
Attached is the PoC, but here's the explanation because it's quite simple:

1) We open a new window which is header-sandboxed.
w = window.open("sandboxed.php","","width=400,height=400");

2) Before it loads, we inject an event and code:
w.onload = new w.Function("alert(document.body.innerText);document.body.innerHTML = '<h1>HACKED BY THE MAIN WINDOW</h1>'");

That's it! Chrome will not delete the event/function so it will run in the sandboxed window.

Thanks!
 
Bypass_CSP_Sandbox.zip
1.1 KB Download

Comment 1 by wfh@chromium.org, May 27 2014

Cc: jww@chromium.org abarth@chromium.org
Labels: Pri-2 Security_Impact-Beta Security_Severity-Low Security_Impact-Head Cr-Blink-CSP
Owner: mkwst@chromium.org
Status: Available
mkwst@ can you take a look at this issue, or pass onto someone else.  Thanks!

Comment 2 by ClusterFuzz, May 27 2014

Project Member
Labels: -Security_Impact-Head

Comment 3 by mbarbe...@chromium.org, Oct 7 2014

Any update on this?

Comment 4 by mea...@chromium.org, Nov 11 2014

Cc: -jww@chromium.org mkwst@chromium.org
Owner: jww@chromium.org
Joel, perhaps you could take a look?

Comment 5 by jww@chromium.org, Nov 14 2014

Owner: mkwst@chromium.org
Unfortunately, I won't be able to take a look at this for a week. Mike, I'm assigning back to you if you can take it, otherwise I'll take a look when I get back.

Comment 6 by mea...@chromium.org, Feb 18 2015

Mike, have you had a chance to look at this?

Comment 7 by ClusterFuzz, Oct 28 2015

Project Member
Status: Assigned

Comment 8 by tsepez@chromium.org, Apr 14 2016

Components: Blink>SecurityFeature

Comment 9 by ta...@google.com, Jul 13 2016

Labels: OS-Windows

Comment 10 by mkwst@chromium.org, Aug 24 2017

Components: Blink>SecurityFeature>ContentSecurityPolicy

Comment 11 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 12 by elawrence@chromium.org, Feb 15 2018

Cc: andypaicu@chromium.org est...@chromium.org
Labels: -Security_Severity-Low -Security_Impact-Beta Security_Severity-Medium FoundIn-66 Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac
Summary: Security: CSP Sandbox bypass (was: Security: CSP Header HTML Sandbox bypass)
This still reproduces in Chrome 66.0.3348.0.

Here's a repro: https://whytls.com/test/csp/stealSandbox.html

I'm going to raise the severity of this issue based on the fact that this is technically a same-origin policy violation, and neither Edge nor Firefox seems to be vulnerable (although that might just be because they don't support the syntax used).

Comment 13 by sheriffbot@chromium.org, Feb 16 2018

Project Member
mkwst: Uh oh! This issue still open and hasn't been updated in the last 175 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by sheriffbot@chromium.org, Feb 16 2018

Project Member
Labels: M-65

Comment 15 by sheriffbot@chromium.org, Feb 16 2018

Project Member
Labels: -Pri-2 Pri-1

Comment 16 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 17 by mkwst@chromium.org, Feb 19 2018

Cc: -andypaicu@chromium.org -abarth@chromium.org
Components: -Blink>SecurityFeature Blink>SecurityFeature>IFrameSandbox
Owner: andypaicu@chromium.org
Andy, mind taking a look at this?

Comment 18 by sheriffbot@chromium.org, Mar 3 2018

Project Member
andypaicu: Uh oh! This issue still open and hasn't been updated in the last 1375 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by sheriffbot@chromium.org, Apr 19 2018

Project Member
Labels: -M-65 M-66

Comment 20 by dcheng@chromium.org, May 9 2018

Cc: dcheng@chromium.org
I think this particular bug is caused by the fact that we're incorrectly reusing the Window object.

I tested something like this:
  var w = window.open('same-origin-page-that-is-sandboxed.py');
  w.testProperty = 'abc';

Once same-origin-page-that-is-sandboxed.py loads, you'll notice that testProperty is (incorrectly) set. This is in violation of the steps specified in initializing a new Document [1], which state that we only skip creating a new Window if the new Document is same-origin. Since the Document is sandboxed, by definition, it is cross-origin.

[1] https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object

Comment 21 by est...@chromium.org, May 16 2018

Security sheriff update: Per offline discussion, patch is in progress at https://chromium-review.googlesource.com/c/chromium/src/+/983558

Comment 22 by sheriffbot@chromium.org, May 30 2018

Project Member
Labels: -M-66 M-67

Comment 23 by palmer@chromium.org, Jun 6 2018

Friendly ping to dcheng and mkwst to review the CL when they get back. :)

Comment 24 by bugdroid1@chromium.org, Jun 15 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/90f878780cce9c4b0475fcea14d91b8f510cce11

commit 90f878780cce9c4b0475fcea14d91b8f510cce11
Author: Andy Paicu <andypaicu@chromium.org>
Date: Fri Jun 15 15:51:49 2018

Prevent sandboxed documents from reusing the default window

Bug:  377995 
Change-Id: Iff66c6d214dfd0cb7ea9c80f83afeedfff703541
Reviewed-on: https://chromium-review.googlesource.com/983558
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567663}
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/sandbox/sandbox-allow-scripts.sub.html
[rename] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/sandbox/support/sandboxed-post-message-to-parent.html
[add] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html
[rename] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/sandbox/support/sandboxed-post-property-to-opener.html.sub.headers
[add] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/sandbox/support/unsandboxed-post-property-to-opener.html
[add] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/sandbox/window-reuse-sandboxed.html
[add] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/sandbox/window-reuse-unsandboxed.html
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/dom/document.cc
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/execution_context/security_context.h
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/frame/csp/content_security_policy.h
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/frame/local_frame.cc
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/frame/local_frame.h
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/loader/document_loader.cc
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/loader/document_loader.h
[modify] https://crrev.com/90f878780cce9c4b0475fcea14d91b8f510cce11/third_party/blink/renderer/core/loader/frame_loader.cc

Comment 25 by andypaicu@chromium.org, Jun 15 2018

Status: Fixed (was: Assigned)

Comment 26 by sheriffbot@chromium.org, Jun 16 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 27 by awhalley@chromium.org, Jun 18 2018

Labels: reward-topanel

Comment 28 by sheriffbot@chromium.org, Jun 19 2018

Project Member
Labels: Merge-Request-68

Comment 29 by sheriffbot@chromium.org, Jun 19 2018

Project Member
Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by abdulsyed@google.com, Jun 19 2018

Labels: -Merge-Review-68 Merge-Rejected-68
Since this has been present since M66, my preference is to target M69.

Comment 31 by awhalley@chromium.org, Jun 20 2018

Labels: -M-67 M-69

Comment 32 by awhalley@chromium.org, Jun 21 2018

Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 33 by awhalley@chromium.org, Jun 21 2018

Cc: awhalley@chromium.org
Hi manuel@ - the Chrome VRP panel has (eventually :-) awarded $1,000 for this report! A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in release notes?

Comment 34 by awhalley@google.com, Jun 21 2018

Labels: -reward-unpaid reward-inprocess

Comment 35 by man...@caballero.com.ar, Jun 21 2018

Thanks a lot!

Money   --> Wikimedia Foundation
Credits --> My real name

Thanks!

Comment 36 by awhalley@chromium.org, Jun 21 2018

Labels: -reward-unpaid reward-decline
Thanks for your generosity Manuel! I've donated $2,000 to the Wikimedia Foundation on your behalf.

Comment 37 by man...@caballero.com.ar, Jun 21 2018

My pleasure!

Comment 38 by awhalley@google.com, Aug 16

Labels: Release-0-M69

Comment 39 by awhalley@chromium.org, Sep 4

Labels: CVE-2018-16077 CVE_description-missing

Comment 40 by sheriffbot@chromium.org, Sep 22

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment