Starred by 2 users
Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Labels: wip, Nag

Blocked on:
issue 490320



Security: Webpages have access to some extension resources
Reported by pim...@live.nl, Mar 19 2015
VULNERABILITY DETAILS

It is possible to load some extension JavaScript resources from a regular webpage by adding setters to `Object.prototype`. In principle, only a couple of such resources are loaded by default when e.g. `chrome.webstore.onDownloadProgress` is accessed from a webpage. However, some extra resources can be loaded using these setters, and some functions inside these resources can be intercepted and certain native functions can then be called indirectly.

Some actions that are then possible are (including the release channel where the corresponding attachment works):

 - [Stable+Canary, attachment bindtogc.html] Have a function called when an object has been garbage collected.

 - [Stable+Canary, attachment blob.html] Get internal Blob UUIDs from a Blob and vice versa. This can, in theory, be used to share blobs cross-origin, but it requires first obtaining (guessing) a 128-bit cryptographically random UUID. (On stable, the attachment requires a slightly different `getBlob` function to work, see comment.)

 - [Stable+Canary, attachment incognito.html] Get a boolean stating whether the page is viewed in incognito mode or not.

 - [Canary only, attachment gesture.html] Execute functions that require a user gesture (e.g. `window.open`, `webkitRequestFullscreen`) without a user gesture.

It does not seem possible to intercept the native functions directly, but the JavaScript functions that call them can be intercepted. By passing a custom `this` value and/or custom arguments to certain functions, certain code paths can be triggered, and some native functions can be (indirectly) called with attacker-controlled data.

For example, accessing `chrome.webstore.onDownloadProgress` causes e.g. the `lastError` resource to be loaded. Intercepting the `run` function and calling it with certain arguments causes e.g. the `bindings` resource to be loaded. The `Binding.prototype.generate` function in `bindings` can be intercepted and then called with a certain `this` value to enter the function `createCustomType`. This function calls `require` with an attacker-controlled argument. This means other resources can be loaded (e.g. `webView`) which give access to some new native functions (e.g. `WebViewImpl.prototype.makeElementFullscreen`, which allows a gesture-required function to be called without a gesture).

I am not sure of a proper fix. The `exports` object in the resources system can be set to an `Object.create(null)` object so that it does not inherit from `Object.prototype`, but it would still be possible to intercept `bar` when code such as `Foo.prototype.bar = ...` is executed.

VERSION
Chrome Version: In the above list, "Stable" refers to 41.0.2272.89 m, and "Canary" refers to 43.0.2338.1 canary SyzyASan
Operating System: Windows 8.1 64-bit

REPRODUCTION CASE
I am afraid the attachments are a bit dirty; they are such that certain code paths are triggered in the resources. Please let me know if they are not clear.

 
Attachments:
 - incognito.html (2.5 KB)
 - bindtogc.html (1.8 KB)
 - gesture.html (2.5 KB)
 - blob.html (4.0 KB)
Comment 1 by kenrb@chromium.org, Mar 20 2015
Labels: Security_Severity-Medium Security_Impact-Stable Pri-1 OS-All
Owner: danno@chromium.org
Status: Assigned
Thanks for the report. Interesting find.

danno@: This is a bindings issue, do you know who might be a good owner for this?
Comment 2 by kenrb@chromium.org, Mar 20 2015
Labels: M-42
Cc: danno@chromium.org
Owner: jochen@chromium.org
PTAL
Owner: kalman@chromium.org
Project Member Comment 5 by clusterf...@chromium.org, Apr 10 2015
Labels: Nag
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 6 by clusterf...@chromium.org, May 4 2015
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 44 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org hablich@chromium.org
Labels: reward-topanel
@kalman - do you have bandwidth to get this fixed in the next week or so?

@hablich - pending kalman's availability, may need you to find another owner.
Cc: haraken@chromium.org miket@chromium.org
As this is a ChromeExtension issue I don't know if I can be of much help here. I added Miket@ and haraken@ on CC, maybe they know a good owner.
Comment 9 by miket@chromium.org, May 11 2015
Cc: meacer@chromium.org asargent@chromium.org
Project Member Comment 10 by clusterf...@chromium.org, May 15 2015
Labels: -M-42 M-43
Cc: kalman@chromium.org
Owner: jleichtling@chromium.org
kalman says he does not have cycles to work on this now.  It's basically the same bug as  https://crbug.com/471523 .  Assigning to jleichtling to find a new owner.
Blockedon: chromium:490320
Labels: Cr-Platform-Extensions-API
Paraphrasing from jleichtling:

"Kalman created the blocking bug crbug.com/490320 that provides a good explanation of the work that needs to be done. So there's a question of the priority for the general fix, which is quite a lot of effort
Cc: -hablich@chromium.org
Project Member Comment 16 by clusterf...@chromium.org, Jun 11 2015
jleichtling@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
This extension is blocked on issue 490320, in which we discuss a general class of security issues caused by monkey patching extension APIs implemented in JS.
Cc: dmazz...@chromium.org
Project Member Comment 19 by clusterf...@chromium.org, Jul 10 2015
Labels: -M-43 M-44
jleichtling@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Assigning to Kalman as I'm transitioning roles in ~3 weeks. Update in #17 still holds.
Comment 21 by wfh@chromium.org, Jul 20 2015
Labels: M-46
Project Member Comment 22 by clusterf...@chromium.org, Aug 5 2015
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 23 by clusterf...@chromium.org, Aug 26 2015
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 42 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 24 by clusterf...@chromium.org, Sep 16 2015
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 63 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 25 by clusterf...@chromium.org, Oct 8 2015
kalman@: Uh oh! This issue is still open and hasn't been updated in the last 85 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: -kalman@chromium.org
Owner: rdevlin....@chromium.org
Status: Untriaged
Project Member Comment 27 by clusterf...@chromium.org, Oct 16 2015
Labels: Untriaged-70
Status: Assigned
Project Member Comment 29 by clusterf...@chromium.org, Oct 29 2015
rdevlin.cronin@: Uh oh! This issue is still open and hasn't been updated in the last 106 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Labels: -M-46 M-48
Updating milestone label to M-48 since this is still blocked by issue 490320.
Project Member Comment 31 by clusterf...@chromium.org, Nov 19 2015
rdevlin.cronin@: Uh oh! This issue is still open and hasn't been updated in the last 127 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 32 by clusterf...@chromium.org, Dec 11 2015
rdevlin.cronin@: Uh oh! This issue is still open and hasn't been updated in the last 149 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
The root cause of this vulnerability is the same as crbug.com/546677, which has been fixed.  I haven't yet got around to combing through the various pieces of this to make sure *everything* we were doing wrong is better, but this is no longer an active vulnerability and no longer repros.

(Note: like this, issue 546677 has multiple pieces and is still open, but again, the main vulnerability has been fixed.)
Project Member Comment 34 by clusterf...@chromium.org, Jan 5 2016
rdevlin.cronin@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 35 by clusterf...@chromium.org, Jan 26 2016
rdevlin.cronin@: Uh oh! This issue is still open and hasn't been updated in the last 42 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 36 by clusterf...@chromium.org, Feb 17 2016
rdevlin.cronin@: Uh oh! This issue is still open and hasn't been updated in the last 64 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 37 by clusterf...@chromium.org, Mar 3 2016
Labels: -M-48 M-49
Labels: -M-49 M-51
rdevlin.cronin@, it seems issue 546677 is closed. Shall we close this one as well?
Labels: -M-51 M-49
Cc: -miket@chromium.org
Project Member Comment 41 by clusterf...@chromium.org, Mar 10 2016
rdevlin.cronin@: Uh oh! This issue is still open and hasn't been updated in the last 86 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Status: Fixed
None of these cases reproduce anymore as a result of our bindings hardening.  There's probably some more somewhere (Yay inherently monkey-patchable JS!), but I'm going to close this bug.
Project Member Comment 43 by clusterf...@chromium.org, Mar 11 2016
Labels: -Restrict-View-SecurityTeam Merge-Triage M-50 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Comment 44 by pim...@live.nl, Mar 24 2016
I do not have access to issue 546677, but I do see a corresponding CL [1] with the `exports.$set` change. I am afraid that CL doesn't completely fix the vulnerability I reported here.

Some modules such as the webstore one don't use `$set`. Moreover, inside `binding.js`, `Binding.create` is still set the regular way. Thus, I can overwrite `Binding.create` and subsequently also `Binding.prototype.generate`. Quite some modules do `exports.$set('binding', binding.generate())`, and so I can still get those modules. In particular, I can still obtain the `test` module and thereby obtain the module system (e.g. `requireNative`) like I did for issue 497507 and issue 504011 (those specific issues are fixed, though).

In fact, I found two new exploits using `requireNative`, in `guest_view_internal_custom_bindings.cc` (see attachments):

 - Browser crash in `RegisterView`. My guess is that it is a CHECK in browser code [2] but I did not confirm this. So it likely is not a security vulnerability, but nevertheless nasty.

 - Cross-origin object sharing. However, both websites (victim and attacker) need to exploit the bug, so usability is limited. The trick here is to leverage `weak_view_map`, which is a per-renderer map of integers to JavaScript objects. If two websites are in the same renderer, website A can put something in the map (through `RegisterView`) and website B can fetch it (through `GetViewByID`).

 [1] https://chromium.googlesource.com/chromium/src/+/83a4b3aa72d98fe4176b4a54c8cea227ed966570
 [2] https://code.google.com/p/chromium/codesearch#chromium/src/components/guest_view/browser/guest_view_manager.cc&l=295

Attachments:
 - crossorigin_parent.html (2.7 KB)
 - crossorigin_child.html (2.8 KB)
 - crash.html (2.5 KB)
Project Member Comment 45 by bugdroid1@chromium.org, Mar 28 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/180e7e74926ea32ac039821926542452d1201c5e

commit 180e7e74926ea32ac039821926542452d1201c5e
Author: rdevlin.cronin <rdevlin.cronin@chromium.org>
Date: Mon Mar 28 19:34:12 2016

[Extensions] More bindings hardening

Revision 83a4b3aa72d98fe4176b4a54c8cea227ed966570 missed a few
(c/r/resources/extensions).

BUG= 468931 
BUG=591164

Review URL: https://codereview.chromium.org/1840453002

Cr-Commit-Position: refs/heads/master@{#383541}

[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/app_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/automation/automation_node.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/automation_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/browser_action_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/cast_streaming_receiver_session_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/cast_streaming_rtp_stream_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/cast_streaming_session_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/cast_streaming_udp_transport_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/certificate_provider_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/chrome_direct_setting.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/chrome_setting.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/content_setting.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/declarative_content_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/desktop_capture_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/developer_private_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/downloads_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/enterprise_platform_keys/internal_api.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/enterprise_platform_keys_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/feedback_private_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/file_browser_handler_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/file_entry_binding_util.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/file_manager_private_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/file_system_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/file_system_provider_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/gcm_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/identity_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/image_writer_private_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/input.ime_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/log_private_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/media_galleries_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/notifications_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/notifications_test_util.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/omnibox_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/page_action_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/page_capture_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/platform_keys/get_public_key.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/platform_keys/internal_api.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/platform_keys/key.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/platform_keys/utils.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/platform_keys_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/sync_file_system_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/system_indicator_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/tab_capture_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/tabs_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/tag_watcher.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/tts_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/tts_engine_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/web_view/chrome_web_view_internal_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/webrtc_desktop_capture_private_custom_bindings.js
[modify] https://crrev.com/180e7e74926ea32ac039821926542452d1201c5e/chrome/renderer/resources/extensions/webstore_custom_bindings.js

Comment 46 by pim...@live.nl, Mar 30 2016
Thanks for the fix. However, I'm afraid the fix is not complete.

The ability to install setters on `exports` objects is not essential. Rather, (almost) *any* assignment of the form `obj.foo = bar` in the modules can make those modules call into the attacker's script. The `Binding.create` assignment in binding.js is of this form, and it turns out that assignment is sufficient to obtain `requireNative`.

See simplified attachment (warning: crashes the browser).
Attachment: crash.html (1.6 KB)
Comment 47 by pim...@live.nl, Apr 13 2016
I saw commit [1], which makes it harder to exploit this bug. But exploiting is still possible.

Binding.prototype.generate calls runHooks_ at the end, which calls each customHooks_ function with the schema object. By intercepting customHooks_ and adding a custom hook in that array, the schema's context is leaked to the attacker. So, we can add getters to that context's Object.prototype, and then call Binding.prototype.generate. That function is now fooled by the getters, and with some additional trickery it can be fooled into loading the test module, and we can obtain requireNative as usual. See modified attachment for the browser crash.

PS: I wonder what those other bugs related to extension bindings are about. Did others find the same bug? (I don't have access to them.) I found that issue 497597 (a special case of this one) was accidentally published. It seems to me that others could have been using my PoC.

 [1] https://chromium.googlesource.com/chromium/src/+/c089219d5f8794747f7ab7b966b4676f49532e1f
Attachment: crash.html (2.1 KB)
Comment 48 by pim...@live.nl, Apr 13 2016
(Sorry, that should read " issue 497507 ".)
Project Member Comment 49 by sheriffbot@chromium.org, Apr 14 2016
Labels: -M-49
Labels: -reward-topanel reward-unpaid reward-1000
Status: Assigned
Pim - as an update, we're going to pay you $1,000 for the initial report and we'll keep this open for further work (and possibly further rewards).

rdevlin.cronin@ - can you please address Pim's comment at #47? Marking this as assigned so that it pops up on your radar.
@50,47 - The general problem here is that our bindings leaked to the web page in multiple ways.  There's quite a bit of ongoing work to address all these issues.  I'll circle back to these once we've done a bit more so as to not prematurely mark them as fixed. :)
Labels: -reward-unpaid reward-inprocess
Project Member Comment 53 by clusterf...@chromium.org, Apr 23 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Status: Started
Clusterfuzz - see comment 51.
Project Member Comment 55 by clusterf...@chromium.org, Apr 23 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Labels: wip
Status: Started
Project Member Comment 58 by clusterf...@chromium.org, Apr 26 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Status: Started
Project Member Comment 60 by clusterf...@chromium.org, Apr 26 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Clusterfuzz is going haywire on this issue.  For all humans, note this isn't fully fixed.
Labels: -Merge-Triage
mbarbella@ to the rescue - it's the merge-triage label.
Status: Started
rdevlin - please make sure to re-add Merge-Triage when the bug is finally fixed.
Comment 64 by vakh@chromium.org, May 23 2016
Cc: vakh@chromium.org
rdevlin.cronin@: Any update on this bug? Would it be possible to get this fixed soon? Thanks!
Project Member Comment 65 by sheriffbot@chromium.org, May 26 2016
Labels: -M-50 M-51
If we look at this as specific attacks, then this is fixed through a series of patches to harden our extension bindings.  However, there is still ongoing work in this area to make them even better and harder to exploit (most of that work is tracked in issue 591164).

Security folks, do you have a preference of whether to close this issue (which no longer reproduces) as fixed, dupe it into the meta issue, or something else?
Comment 67 by vakh@chromium.org, May 26 2016
Status: Fixed
I'd say that if the issue reported in this bug is fixed, and the rest of the work is being tracked through issue 591164, then it is best to mark this particular issue as fixed, which is what I am going to do.

If anyone disagrees, please feel free to re-open.
Labels: reward-topanel Release-1-M51
Sending this to the panel again
rdevlin - question from the reward panel:

#66, does that comment consider the test case at #47? Want to double check that we're not missing anything before we treat this as closed.
Comment 70 by vakh@chromium.org, Jun 1 2016
Cc: -vakh@chromium.org
Labels: -Release-1-M51
Removing release label as unsure if this is actually fixed. Once we have an answer, we can mention this in the release notes.
@71, yes, the exploit in #47 is also fixed.
Labels: -reward-1000 -reward-inprocess reward-3000 reward-unpaid
Yea! The rewards panel has awarded an additional $2,000 since there were multiple security bugs reported.
Labels: -reward-topanel
Labels: -reward-unpaid reward-inprocess
Project Member Comment 76 by sheriffbot@chromium.org, Sep 2 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Release-1-M51
Putting back release label per #72
Labels: CVE-2016-5173
Project Member Comment 79 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 80 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic