Issue 569496 Security: Universal XSS using Flash message loop
Starred by 2 users. Reported by marius.mlynski@gmail.com, Dec 14 2015
Status: Fixed
Closed: Feb 2016
Pri: 1
Type: Bug-Security
Nag

VULNERABILITY DETAILS
From /content/renderer/pepper/ppb_flash_message_loop_impl.cc:
----------------
int32_t PPB_Flash_MessageLoop_Impl::InternalRun(
    const RunFromHostProxyCallback& callback) {
(...)
  // It is possible that the PPB_Flash_MessageLoop_Impl object has been
  // destroyed when the nested message loop exits.
  scoped_refptr<State> state_protector(state_);
  {
    base::MessageLoop::ScopedNestableTaskAllower allow(
        base::MessageLoop::current());
    base::MessageLoop::current()->Run();
  }
(...)
}
----------------

|PPB_Flash_MessageLoop_Impl::InternalRun| doesn't initialize a ScopedPageLoadDeferrer before spinning an event loop. As a result, cross-origin documents can be loaded at an arbitrary javascript execution point.

VERSION
Chrome 47.0.2526.80 (Stable)
Chrome 48.0.2564.41 (Beta)
Chrome 49.0.2587.3 (Dev)
Chromium 49.0.2591.0 + Pepper Flash (Release build compiled today)
Attachment: exploit.zip (2.6 KB)
Comment 1 by jsc...@chromium.org, Dec 14 2015
Cc: jecl...@adobe.com lafo...@chromium.org
Owner: natashenka@google.com
natashenka@ - Would you mind verifying this report?
I tested the PoC and it works. This appears to be a Chrome issue as opposed to a Flash issue, so I did not report it to Adobe. 
Project Member Comment 3 by clusterf...@chromium.org, Dec 14 2015
Status: Assigned
Comment 4 by jsc...@chromium.org, Dec 16 2015
Cc: ihf@chromium.org raymes@chromium.org natashenka@google.com bbudge@chromium.org
Labels: M-48 Security_Severity-High Security_Impact-Stable Pri-1
Owner: ----
Status: Available
Okay, adding a few CCs to figure out who can own this and fix it.
Comment 5 by rsesek@chromium.org, Dec 20 2015
Cc: -raymes@chromium.org
Labels: Cr-Internals-Plugins-Pepper
Owner: raymes@chromium.org
Status: Assigned
raymes: Can you please take a look at this issue?
Project Member Comment 6 by clusterf...@chromium.org, Dec 29 2015
Labels: Nag
raymes@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: jochen@chromium.org
Owner: yzshen@chromium.org
I don't know much about this code or the exploit in question. 

yzshen@ wrote the original code for the message loop so he would be more familiar with that part. I'm not sure who is familiar with ScopedPageLoadDeferrer and if/how this could be used to fix the problem. jochen@ may have an idea.
Could you please update the description with the expected/actual output of the test case?

Thanks!
The actual output is an alert dialog from https://abc.xyz, expected is the lack of it (maybe a single print dialog will pop up). Please find attached a minimized proof of concept that shows the gist of the problem and adds some comments for clarity.
Attachment: poc.zip (3.7 KB)
Thanks, marius.mlynski.

FYI, I have a CL under review which passes your test case.
Project Member Comment 11 by clusterf...@chromium.org, Jan 20 2016
yzshen@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Project Member Comment 12 by clusterf...@chromium.org, Feb 3 2016
yzshen@: Uh oh! This issue is still open and hasn't been updated in the last 28 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?
Comment 14 by laforge@google.com, Feb 11 2016
Labels: Merge-Request-49
I'm making the assumption that Clusterfuzz is going to ask for this to get Merge-Requested to M49, but... in the event that I'm wrong.
Comment 15 by tin...@google.com, Feb 11 2016
Labels: -Merge-Request-49 Merge-Approved-49 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M49 (branch: 2623)
Project Member Comment 16 by clusterf...@chromium.org, Feb 11 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Project Member Comment 17 by clusterf...@chromium.org, Feb 11 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 18 by bugdroid1@chromium.org, Feb 11 2016
Labels: -Merge-Approved-49 merge-merged-2623
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8093f1f141848e3672ef778764c18e844f1e5198

commit 8093f1f141848e3672ef778764c18e844f1e5198
Author: Yuzhu Shen <yzshen@chromium.org>
Date: Thu Feb 11 17:18:46 2016

Fix PPB_Flash_MessageLoop.

This CL suspends script callbacks and resource loads while running a nested message loop using PPB_Flash_MessageLoop.

BUG=569496

Review URL: https://codereview.chromium.org/1559113002

Cr-Commit-Position: refs/heads/master@{#374529}
(cherry picked from commit dd77c2a41c72589d929db0592565125ca629fb2c)

Review URL: https://codereview.chromium.org/1691513004 .

Cr-Commit-Position: refs/branch-heads/2623@{#365}
Cr-Branched-From: 92d77538a86529ca35f9220bd3cd512cbea1f086-refs/heads/master@{#369907}

[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/chrome/test/ppapi/ppapi_browsertest.cc
[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/content/renderer/pepper/ppb_flash_message_loop_impl.cc
[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/ppapi/tests/test_flash_message_loop.cc
[modify] http://crrev.com/8093f1f141848e3672ef778764c18e844f1e5198/ppapi/tests/test_flash_message_loop.h

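The following is an added illustration, not Chromium code and not the reporter's PoC: a toy single-threaded task loop in C++ that models the hazard described in the report (a nested message loop spun from inside script without a page-load deferrer) and the shape of the fix landed in the commit above (loads held back while the nested loop runs). TaskLoop, LoadDeferrer and Simulate are hypothetical names chosen for this example; PPB_Flash_MessageLoop_Impl and ScopedPageLoadDeferrer are only referred to in comments.

```cpp
// Added illustration only: a toy single-threaded task loop that models the
// hazard in the report (a nested message loop spun from script without a
// page-load deferrer) and the shape of the fix. TaskLoop, LoadDeferrer and
// Simulate are hypothetical names; this is not Chromium code.
#include <deque>
#include <functional>
#include <initializer_list>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class TaskKind { kScript, kPageLoad };

struct Task {
  TaskKind kind;
  std::string label;
  std::function<void()> run;
};

class TaskLoop {
 public:
  // RAII guard modelled on a page-load deferrer: while at least one is
  // alive, page-load tasks are parked instead of being run.
  class LoadDeferrer {
   public:
    explicit LoadDeferrer(TaskLoop* loop) : loop_(loop) {
      ++loop_->deferral_depth_;
    }
    ~LoadDeferrer() {
      if (--loop_->deferral_depth_ == 0) loop_->ReleaseDeferred();
    }
    LoadDeferrer(const LoadDeferrer&) = delete;
    LoadDeferrer& operator=(const LoadDeferrer&) = delete;

   private:
    TaskLoop* loop_;
  };

  void Post(TaskKind kind, std::string label, std::function<void()> fn) {
    queue_.push_back({kind, std::move(label), std::move(fn)});
  }

  // Drains the queue. May be called re-entrantly from inside a task, which
  // is exactly what a nested message loop does.
  void Run() {
    while (!queue_.empty()) {
      Task t = std::move(queue_.front());
      queue_.pop_front();
      if (t.kind == TaskKind::kPageLoad && deferral_depth_ > 0) {
        deferred_.push_back(std::move(t));  // held until the guard goes away
        continue;
      }
      t.run();
    }
  }

 private:
  void ReleaseDeferred() {
    for (Task& t : deferred_) queue_.push_back(std::move(t));
    deferred_.clear();
  }

  std::deque<Task> queue_;
  std::vector<Task> deferred_;
  int deferral_depth_ = 0;
};

// Returns the order of observable events for one run of the scenario.
std::vector<std::string> Simulate(bool defer_loads_while_nested) {
  TaskLoop loop;
  std::vector<std::string> events;
  bool document_swapped = false;

  loop.Post(TaskKind::kScript, "script", [&] {
    events.push_back("script: start");
    // A navigation to a cross-origin document is already pending when the
    // script enters the plugin call that spins the nested loop.
    loop.Post(TaskKind::kPageLoad, "load", [&] {
      document_swapped = true;
      events.push_back("load: cross-origin document committed");
    });
    {
      std::unique_ptr<TaskLoop::LoadDeferrer> guard;
      if (defer_loads_while_nested)
        guard = std::make_unique<TaskLoop::LoadDeferrer>(&loop);
      loop.Run();  // nested loop, as PPB_Flash_MessageLoop_Impl::InternalRun does
    }
    // Without the guard, script resumes against a document that was swapped
    // out underneath it, which is the UXSS primitive the report describes.
    events.push_back(std::string("script: resume, document_swapped=") +
                     (document_swapped ? "true" : "false"));
  });
  loop.Run();
  return events;
}

int main() {
  for (bool deferred : {false, true}) {
    std::cout << (deferred ? "with deferrer:\n" : "without deferrer:\n");
    for (const std::string& e : Simulate(deferred)) std::cout << "  " << e << '\n';
  }
  return 0;
}
```

Run stand-alone, the program prints the two event orders: without the guard the cross-origin load commits inside the nested loop and the script resumes afterwards; with the guard the load is parked until the script task has returned to the outer loop, which is the ordering the fix restores. The real deferrer also has to cover script callbacks (timers, postMessage, etc.), which this model folds into the single "load" task.
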
Project Member Comment 19 by bugdroid1@chromium.org, Feb 15 2016
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/8093f1f141848e3672ef778764c18e844f1e5198

commit 8093f1f141848e3672ef778764c18e844f1e5198
Author: Yuzhu Shen <yzshen@chromium.org>
Date: Thu Feb 11 17:18:46 2016

Labels: reward-topanel Release-0-M49
Labels: -reward-topanel reward-unpaid reward-7500
Congrats again - $7,500 for this report. I want you to keep these UXSS reports coming but at the same time I also hope we can slow you down at some point :)

CVE-ID to follow.
Labels: CVE-2016-1631
CVE-2016-1631
Project Member Comment 23 by sheriffbot@chromium.org, May 19 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: reward-inprocess
Labels: -reward-unpaid
Project Member Comment 26 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 27 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic