Issue metadata

Status: Fixed
Owner: (none)
Last visit: > 30 days ago
Closed: Feb 2016
Pri: 1
Type: Bug-Security


Security: Universal XSS using Flash message loop

Reported by marius.mlynski@gmail.com, Dec 14 2015

Issue description

VULNERABILITY DETAILS
From /content/renderer/pepper/ppb_flash_message_loop_impl.cc:
----------------
int32_t PPB_Flash_MessageLoop_Impl::InternalRun(
    const RunFromHostProxyCallback& callback) {
(...)
  // It is possible that the PPB_Flash_MessageLoop_Impl object has been
  // destroyed when the nested message loop exits.
  scoped_refptr<State> state_protector(state_);
  {
    base::MessageLoop::ScopedNestableTaskAllower allow(
        base::MessageLoop::current());
    base::MessageLoop::current()->Run();
  }
(...)
}
----------------

|PPB_Flash_MessageLoop_Impl::InternalRun| doesn't initialize a ScopedPageLoadDeferrer before spinning an event loop. As a result, cross-origin documents can be loaded at an arbitrary JavaScript execution point.

VERSION
Chrome 47.0.2526.80 (Stable)
Chrome 48.0.2564.41 (Beta)
Chrome 49.0.2587.3 (Dev)
Chromium 49.0.2591.0 + Pepper Flash (Release build compiled today)
Attachment: exploit.zip (2.6 KB)

Comment 1 by jsc...@chromium.org, Dec 14 2015

Cc: jecl...@adobe.com lafo...@chromium.org
Owner: natashenka@google.com
natashenka@ - Would you mind verifying this report?
I tested the PoC and it works. This appears to be a Chrome issue as opposed to a Flash issue, so I did not report it to Adobe. 

Comment 3 by ClusterFuzz, Dec 14 2015

Status: Assigned

Comment 4 by jsc...@chromium.org, Dec 16 2015

Cc: ihf@chromium.org raymes@chromium.org natashenka@google.com bbudge@chromium.org
Labels: M-48 Security_Severity-High Security_Impact-Stable Pri-1
Owner: ----
Status: Available
Okay, adding a few CCs to figure out who can own this and fix it.

Comment 5 by rsesek@chromium.org, Dec 20 2015

Cc: -raymes@chromium.org
Labels: Cr-Internals-Plugins-Pepper
Owner: raymes@chromium.org
Status: Assigned
raymes: Can you please take a look at this issue?

Comment 6 by ClusterFuzz, Dec 29 2015

Labels: Nag
raymes@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Cc: jochen@chromium.org
Owner: yzshen@chromium.org
I don't know much about this code or the exploit in question.

yzshen@ wrote the original code for the message loop so he would be more familiar with that part. I'm not sure who is familiar with ScopedPageLoadDeferrer and if/how this could be used to fix the problem. jochen@ may have an idea.

Could you please update the description with the expected/actual output of the test case?

Thanks!

The actual output is an alert dialog from https://abc.xyz, expected is the lack of it (maybe a single print dialog will pop up). Please find attached a minimized proof of concept that shows the gist of the problem and adds some comments for clarity.
Attachment: poc.zip (3.7 KB)

Thanks, marius.mlynski.

FYI, I have a CL under review which passes your test case.

Comment 11 by ClusterFuzz, Jan 20 2016

yzshen@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 12 by ClusterFuzz, Feb 3 2016

yzshen@: Uh oh! This issue is still open and hasn't been updated in the last 28 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 14 by laforge@google.com, Feb 11 2016

Labels: Merge-Request-49
I'm making the assumption that Clusterfuzz is going to ask for this to get Merge-Requested to M49, but... in the event that I'm wrong.

Comment 15 by tin...@google.com, Feb 11 2016

Labels: -Merge-Request-49 Merge-Approved-49 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M49 (branch: 2623)

Comment 16 by ClusterFuzz, Feb 11 2016

Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz

Comment 17 by ClusterFuzz, Feb 11 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 18 by bugdroid1@chromium.org, Feb 11 2016

Labels: -Merge-Approved-49 merge-merged-2623
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8093f1f141848e3672ef778764c18e844f1e5198

commit 8093f1f141848e3672ef778764c18e844f1e5198
Author: Yuzhu Shen <yzshen@chromium.org>
Date: Thu Feb 11 17:18:46 2016

Fix PPB_Flash_MessageLoop.

This CL suspends script callbacks and resource loads while running nested message loop using PPB_Flash_MessageLoop.

BUG= 569496 

Review URL: https://codereview.chromium.org/1559113002

Cr-Commit-Position: refs/heads/master@{#374529}
(cherry picked from commit dd77c2a41c72589d929db0592565125ca629fb2c)

Review URL: https://codereview.chromium.org/1691513004 .

Cr-Commit-Position: refs/branch-heads/2623@{#365}
Cr-Branched-From: 92d77538a86529ca35f9220bd3cd512cbea1f086-refs/heads/master@{#369907}

[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/chrome/test/ppapi/ppapi_browsertest.cc
[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/content/renderer/pepper/ppb_flash_message_loop_impl.cc
[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/ppapi/tests/test_flash_message_loop.cc
[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/ppapi/tests/test_flash_message_loop.h
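The root cause stated in the report (a nested loop spun without a ScopedPageLoadDeferrer) and the fix described in the commit message (loads suspended while the nested loop runs) side by side, as an added toy model that is not the page's or Chromium's code; MessageLoop and ScopedLoadDeferrer are simplified stand-ins for base::MessageLoop and ScopedPageLoadDeferrer, and the origins are constructed sample values:

```cpp
// Added example, not Chromium code: a toy model of the bug and of the fix. MessageLoop and
// ScopedLoadDeferrer stand in for base::MessageLoop and ScopedPageLoadDeferrer; origins are constructed.
#include <deque>
#include <functional>
#include <string>
#include <utility>
class MessageLoop {
 public:
  struct Task { std::function<void()> fn; bool is_page_load; };
  void PostTask(std::function<void()> fn, bool is_page_load) {
    tasks_.push_back({std::move(fn), is_page_load});
  }
  // Runs queued tasks; page-load tasks stay queued while a deferrer is alive.
  void RunUntilIdle() {
    std::deque<Task> held;
    while (!tasks_.empty()) {
      Task t = std::move(tasks_.front()); tasks_.pop_front();
      if (t.is_page_load && defer_depth > 0) held.push_back(std::move(t));
      else t.fn();
    }
    tasks_ = std::move(held);
  }
  int defer_depth = 0;
  std::deque<Task> tasks_;
};
// RAII guard modelled on ScopedPageLoadDeferrer: loads wait until it is destroyed.
class ScopedLoadDeferrer {
 public:
  explicit ScopedLoadDeferrer(MessageLoop* l) : loop_(l) { ++loop_->defer_depth; }
  ~ScopedLoadDeferrer() { --loop_->defer_depth; }
  MessageLoop* loop_;
};
struct Outcome { bool origin_changed_mid_script; bool navigation_completed; };
// Script calls into the plugin, which spins a nested loop as InternalRun does.
Outcome RunNestedLoop(bool with_deferrer) {
  MessageLoop loop;
  std::string origin = "https://first.example";
  // A cross-origin navigation is already queued when script enters the plugin.
  loop.PostTask([&origin] { origin = "https://second.example"; }, true);
  if (with_deferrer) {
    ScopedLoadDeferrer guard(&loop);  // the fix: alive for the whole nested run
    loop.RunUntilIdle();              // caller's script is still on the stack here
  } else {
    loop.RunUntilIdle();              // the bug: the load completes under the script
  }
  const bool changed = origin != "https://first.example";
  loop.RunUntilIdle();  // script has returned; deferred loads may proceed now
  return {changed, origin == "https://second.example"};
}
```

With the deferrer the navigation is not dropped, only postponed until the nested run ends, which is the property the commit's test case checks for.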


Comment 19 by bugdroid1@chromium.org, Feb 15 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/8093f1f141848e3672ef778764c18e844f1e5198

commit 8093f1f141848e3672ef778764c18e844f1e5198
Author: Yuzhu Shen <yzshen@chromium.org>
Date: Thu Feb 11 17:18:46 2016

Labels: reward-topanel Release-0-M49

Labels: -reward-topanel reward-unpaid reward-7500
Congrats again - $7,500 for this report. I want you to keep these UXSS reports coming but at the same time I also hope we can slow you down at some point :)

CVE-ID to follow.

Labels: CVE-2016-1631
CVE-2016-1631

Comment 23 by sheriffbot@chromium.org, May 19 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: reward-inprocess
Labels: -reward-unpaid

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted