
Issue 390624


Issue metadata

Status: Verified
Owner:
Closed: Aug 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Chrome
Pri: 1
Type: Bug-Security




Security: Extensions can spoof the list of host permissions in the permission dialog

Project Member Reported by rob@robwu.nl, Jul 1 2014

Issue description

This template is ONLY for reporting security bugs. Please use a different
template for other types of bug reports.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
By inserting a NUL byte in a host permission, extension authors can hide all host permission requests, giving users a false sense of security when they install an extension. To solve this issue, I suggest rejecting the URL pattern if it contains a NUL byte.

VERSION
Chrome Version: 37.0.2019.0 (all versions, all channels)
Operating System: ArchLinux x64

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

1. Create a directory and create contentscript.js and manifest.json (attached below).
2. Start Chrome and load the unpacked extension, e.g. using chromium --load-extension=/tmp/extensiondirectory
3. Visit chrome://extensions/ and click on "Permissions". Observe that the dialog shows "Access your data on:" instead of "Access your data on: example.com" (as seen in the attached screenshot)
4. Visit http://example.com/, and observe that the content script executes, even though the permission dialog said nothing about granting permissions to access this website.

manifest.json
{
    "name": "Seemingly harmless",
    "version": "1",
    "manifest_version": 2,
    "content_scripts": [{
        "js": ["contentscript.js"],
        "matches": [
            "*://\x00/*",
            "*://*.example.com/*"
        ]
    }]
}

contentscript.js
alert('You did not expect this dialog, did you?');
 
Attachments: access-your-data-on-blank.png (40.4 KB), contentscript.js (51 bytes), manifest.json (245 bytes)

Comment 1 by f...@chromium.org, Jul 2 2014

Labels: -OS-Windows -OS-Mac
This only reproduces on Linux.
Attachments: Screen Shot 2014-07-02 at 11.57.29 AM.png (21.6 KB), Screen Shot 2014-07-02 at 11.59.25 AM.png (44.4 KB)

Comment 2 by f...@chromium.org, Jul 2 2014

Cc: mea...@chromium.org finnur@chromium.org kalman@chromium.org
Labels: Security_Severity-High Security_Impact-Stable Security_Impact-Beta Security_Impact-Head
Status: Available
Thanks for the report.

I'm marking this as high severity since it lets an extension on Linux access websites without it showing up in the warning.

finnur@, would you be the right person to look at this?

Comment 3 by f...@chromium.org, Jul 2 2014

Labels: -Pri-2 Pri-1 M-37
Cc: yoz@chromium.org rdevlin....@chromium.org jyasskin@chromium.org
Yeah, we should clearly be rejecting nonsensical characters in these host permissions, but that still begs the question where in the chain of manifest JSON --> permission warnings the \0 gets lost.
This bug also exists on chromeos.

Comment 6 by f...@chromium.org, Jul 2 2014

Labels: OS-Chrome
I'm one of many people who might be appropriate to look at this, but I'm going on vacation pretty soon (tomorrow) so I'm not sure I am going to have enough time to follow through on this.

But this doesn't seem as scary as it first looked, because I can only get the extension to load via --load-extension, whereas a .crx fails on the empty permission. That makes me think you can't distribute this kind of extension via the webstore.
... empty host*

Comment 9 by rob@robwu.nl, Jul 3 2014

The bug does not rely on an empty host. If you change "\x00" to "\x00whatever", then the issue still shows up.

I've uploaded the extension (unlisted) to the CWS, and I was able to install the extension without any problems: 
https://chrome.google.com/webstore/detail/seemingly-harmless/jjdmabeidkgbkibjbifallgokbkhlpgf

manifest.json
{
    "name": "Seemingly harmless",
    "version": "1",
    "manifest_version": 2,
    "content_scripts": [{
        "js": ["contentscript.js"],
        "matches": [
            "*://\x00/*",
            "*://*.example.com/*"
        ]
    }]
}

Attachments: contentscript.js (51 bytes), cws.zip (531 bytes), manifest.json (253 bytes)

Comment 10 by rob@robwu.nl, Jul 3 2014

Ehh, "\x00" in the previous manifest.json in the previous comment should of course be changed to "\x00whatever".
Yup. That's a better example. This one doesn't fail when installed via crx.
Filed http://b/16127784 for Webstore (internal bug).

Comment 13 by yoz@chromium.org, Jul 7 2014

Owner: yoz@chromium.org
Status: Assigned
Going to look into this one from the Chrome side.

Comment 14 by bugdroid1@chromium.org, Jul 25 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/80d5aa4a1de9107d1442480b8ea9ba06feff2be2

commit 80d5aa4a1de9107d1442480b8ea9ba06feff2be2
Author: yoz@chromium.org <yoz@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Fri Jul 25 05:45:40 2014

Don't allow null bytes in hosts of host permissions.

BUG= 390624 
TEST=Load the sample manifest from the bug, comment #9. It should fail to load.

Review URL: https://codereview.chromium.org/416263002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285492 0039d316-1c4b-4281-b951-d872f2087c98
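
The following is an added example, written for this page; it is neither Chromium's code nor the reporter's. It is a toy URL-pattern host parser in C++ that illustrates the question raised in comment 3 (where the \0 can get lost: a std::string keeps all its bytes, but the moment it crosses a C-string boundary such as a printf-style formatter it is cut at the first NUL, so the joined host list collapses to "" and the dialog reads "Access your data on:" with nothing after it) next to the rule the commit above describes, rejecting any host that contains a null byte before the pattern is accepted, so the manifest fails to load. The sample pattern is constructed inline from the "\x00whatever" variant in comment 9; the function names ParseHostLenient, ParseHostStrict, LenientWarning and ManifestAccepted are hypothetical and do not correspond to anything in extensions/common/url_pattern.cc.

```cpp
#include <cstdio>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Constructed sample modelled on comment 9: "*://\x00whatever/*" with a real
// NUL byte in the host position (built piecewise so the byte is explicit).
std::string NulPattern() {
  std::string p = "*://";
  p.push_back('\0');
  p += "whatever/*";
  return p;
}

// Lenient parse of "<scheme>://<host>/<path>": returns the host component, or
// nothing when the pattern lacks that shape. There is no NUL check, so the
// host "\0whatever" is accepted and carried along as a 9-byte std::string.
std::optional<std::string> ParseHostLenient(const std::string& pattern) {
  const size_t scheme_end = pattern.find("://");
  if (scheme_end == std::string::npos) return std::nullopt;
  const size_t host_start = scheme_end + 3;
  const size_t host_end = pattern.find('/', host_start);
  if (host_end == std::string::npos) return std::nullopt;
  return pattern.substr(host_start, host_end - host_start);
}

// Hardened parse: same shape check, plus the rule from the fix commit
// ("don't allow null bytes in hosts"), applied before the pattern is accepted.
std::optional<std::string> ParseHostStrict(const std::string& pattern) {
  std::optional<std::string> host = ParseHostLenient(pattern);
  if (!host || host->find('\0') != std::string::npos) return std::nullopt;
  return host;
}

// Models a display layer that hands the text to a C-string API (printf-style
// formatting, a legacy widget, ...). std::string::size() counts every byte,
// but strlen() stops at the first embedded NUL, so everything after it is lost.
std::string FormatWarningViaCString(const std::string& hosts) {
  const std::string shown(hosts.c_str(), std::strlen(hosts.c_str()));
  return "Access your data on: " + shown;
}

// The warning a lenient pipeline produces for a manifest's "matches": hosts are
// joined with ", " and then formatted through the C-string boundary above.
// A NUL in the first host therefore hides every host, not just that one.
std::string LenientWarning(const std::vector<std::string>& matches) {
  std::string hosts;
  for (const std::string& m : matches) {
    std::optional<std::string> host = ParseHostLenient(m);
    if (!host) continue;
    if (!hosts.empty()) hosts += ", ";
    hosts += *host;
  }
  return FormatWarningViaCString(hosts);
}

// With the strict parser a manifest is accepted only if every pattern passes,
// which is the "it should fail to load" behaviour the commit's TEST line asks for.
bool ManifestAccepted(const std::vector<std::string>& matches) {
  for (const std::string& m : matches)
    if (!ParseHostStrict(m)) return false;
  return true;
}

int main() {
  const std::vector<std::string> matches = {NulPattern(), "*://*.example.com/*"};
  std::printf("lenient dialog text: [%s]\n", LenientWarning(matches).c_str());
  std::printf("manifest accepted by strict parser: %s\n",
              ManifestAccepted(matches) ? "yes" : "no");
  return 0;
}
```

Running it prints the empty "Access your data on: " line for the lenient path and "no" for the strict one; with the NUL pattern removed from the list, the lenient text lists *.example.com and the strict parser accepts the manifest. The point the check makes is that validation has to happen at the point where the pattern is parsed, because any later consumer that treats the bytes as a C string will silently drop the tail.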



Comment 15 by bugdroid1@chromium.org, Jul 25 2014

------------------------------------------------------------------
r285492 | yoz@chromium.org | 2014-07-25T05:45:40.163672Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/extensions/common/url_pattern_unittest.cc?r1=285492&r2=285491&pathrev=285492
   M http://src.chromium.org/viewvc/chrome/trunk/src/extensions/common/url_pattern.cc?r1=285492&r2=285491&pathrev=285492
   M http://src.chromium.org/viewvc/chrome/trunk/src/extensions/common/url_pattern.h?r1=285492&r2=285491&pathrev=285492

Don't allow null bytes in hosts of host permissions.

BUG= 390624 
TEST=Load the sample manifest from the bug, comment #9. It should fail to load.

Review URL: https://codereview.chromium.org/416263002
-----------------------------------------------------------------

Comment 16 by yoz@chromium.org, Jul 28 2014

Labels: Merge-Requested
Labels: -Security_Impact-Beta
Bulk update
Labels: -Security_Impact-Head
Bulk update.
Labels: ncros-merge
Labels: -Merge-Requested Merge-Approved
merge approved for m37 branch 2062

Comment 21 by bugdroid1@chromium.org, Aug 4 2014

Labels: -Merge-Approved merge-merged-2062
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/879ee705feb62c7392bb7e38323d76b15b15f6e2

commit 879ee705feb62c7392bb7e38323d76b15b15f6e2
Author: yoz@chromium.org <yoz@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Mon Aug 04 20:21:04 2014

Merge 285492 "Don't allow null bytes in hosts of host permissions."

> Don't allow null bytes in hosts of host permissions.
> 
> BUG= 390624 
> TEST=Load the sample manifest from the bug, comment #9. It should fail to load.
> 
> Review URL: https://codereview.chromium.org/416263002

TBR=yoz@chromium.org

Review URL: https://codereview.chromium.org/441643009

git-svn-id: svn://svn.chromium.org/chrome/branches/2062/src@287396 0039d316-1c4b-4281-b951-d872f2087c98



Comment 22 by bugdroid1@chromium.org, Aug 4 2014

------------------------------------------------------------------
r287396 | yoz@chromium.org | 2014-08-04T20:21:04.051008Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/2062/src/extensions/common/url_pattern_unittest.cc?r1=287396&r2=287395&pathrev=287396
   M http://src.chromium.org/viewvc/chrome/branches/2062/src/extensions/common/url_pattern.cc?r1=287396&r2=287395&pathrev=287396
   M http://src.chromium.org/viewvc/chrome/branches/2062/src/extensions/common/url_pattern.h?r1=287396&r2=287395&pathrev=287396

Merge 285492 "Don't allow null bytes in hosts of host permissions."

> Don't allow null bytes in hosts of host permissions.
> 
> BUG= 390624 
> TEST=Load the sample manifest from the bug, comment #9. It should fail to load.
> 
> Review URL: https://codereview.chromium.org/416263002

TBR=yoz@chromium.org

Review URL: https://codereview.chromium.org/441643009
-----------------------------------------------------------------

Comment 23 by yoz@chromium.org, Aug 4 2014

Status: Fixed
Labels: Release-0-M37
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-1000
Thanks for the report! This qualifies for a $1000 reward. Someone should be reaching out to you soon with additional details.

How would you like to be credited when we mention this bug in our release notes?
Labels: CVE-2014-3170

Comment 28 by rob@robwu.nl, Aug 22 2014

@mbarbella (c26)
Thanks for the credit! Preferably just using my full name, and since it is very short, also with a link to my home page:
<a href="https://robwu.nl">Rob Wu</a>
Cc: timwillis@chromium.org
Labels: -reward-unpaid reward-inprocess
Rob,

I've passed your details over to the finance team. If you haven't heard from them by this time next week asking for your payment details, please contact me directly (or update this bug).

Congratulations on the reward!

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -reward-inprocess
Processing via our e-payment system can take a few weeks, but reward should be on its way to you. Thanks again for your help!

Comment 31 by ClusterFuzz, Nov 11 2014

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
Labels: VerifyIn-40
Status: Verified

Comment 34 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 35 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify

Comment 36 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
