New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 597532 link

Starred by 1 user
Status: Fixed
Owner:
dcheng@chromium.org
Closed: Mar 2016
Cc:
japhet@chromium.org
sshruthi@chromium.org
creis@chromium.org
tinazh@chromium.org
nasko@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: Universal XSS using a FrameNavigationDisabler bypass

Reported by marius.mlynski@gmail.com, Mar 24 2016 
VULNERABILITY DETAILS
When a top-level navigation is triggered on a frame displaying the initial empty document, FrameLoader::load is invoked directly:

----------------
void LocalFrame::navigate(Document& originDocument, const KURL& url, bool replaceCurrentItem, UserGestureStatus userGestureStatus)
{
(...)
    if (isMainFrame() && !m_loader.stateMachine()->committedFirstRealDocumentLoad()) {
        FrameLoadRequest request(&originDocument, url);
        request.resourceRequest().setHasUserGesture(userGestureStatus == UserGestureStatus::Active);
        m_loader.load(request);
    } else {
        m_navigationScheduler->scheduleLocationChange(&originDocument, url.getString(), replaceCurrentItem);
    }
} 
----------------

As a result, FrameNavigationDisabler will fail to prevent the navigation when the URL is loaded synchronously.

VERSION
Chrome 49.0.2623.87 (Stable)
Chrome 50.0.2661.49 (Beta)
Chrome 51.0.2687.0 (Dev)
Chromium 51.0.2690.0 + Pepper Flash (Release build compiled today)
exploit.zip
2.6 KB Download

Comment 1 by wfh@chromium.org, Mar 24 2016

Cc: creis@chromium.org japhet@chromium.org nasko@chromium.org
Components: UI>Browser>Navigation
Owner: dcheng@chromium.org
Looks like something happening in navigation here, but I can't get the attached exploit to actually trigger. dcheng - Can you take a look?

Comment 2 by dcheng@chromium.org, Mar 24 2016 

I'm unable to repro the test case with 50.0.2652.0 (Official Build) dev-m (64-bit): I just get the alert "this should never happen", even if I increased the timeout before calling go().

I have plugins unconditionally allowed, so I'm not sure what else I'm missing.

Comment 3 by marius.mlynski@gmail.com, Mar 24 2016 

This is odd, I haven't seen a single failure in the testing phase (all versions, Linux/Windows/VM/no VM, over 100 runs). I assume you're running the exploit from an HTTP server, can you verify that |location.href.split('exploit.html')[0] + 's.swf'| matches the actual location of the swf file? I'll have a closer look tomorrow and try to provide a debug version to pinpoint the problem.

Comment 4 Deleted

Comment 5 by wfh@chromium.org, Mar 25 2016

Labels: Security_Severity-High Security_Impact-Stable
I can get the alert from the test target domain when running off a web server.
Project Member

Comment 6 by ClusterFuzz, Mar 25 2016

Labels: Pri-1
Status: Assigned (was: Unconfirmed)
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 25 2016

Labels: M-49

Comment 8 by dcheng@chromium.org, Mar 28 2016 

For future reference, the easiest way to test with PPAPI flash:
out/Release/chrome --ppapi-flash-path=/opt/google/chrome-unstable/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.193
Project Member

Comment 9 by bugdroid1@chromium.org, Mar 29 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f93a0e557dd97cc83d8b55953c2f57c5e2dfe07b

commit f93a0e557dd97cc83d8b55953c2f57c5e2dfe07b
Author: dcheng <dcheng@chromium.org>
Date: Tue Mar 29 00:16:20 2016

Always ignore navigation in Document::detach() in LocalFrame::navigate()

We already checked that FrameNavigation is enabled before trying to
schedule a LocationChange; however, it was possible to construct a
scenario with an opened window that would use the sync loading path and
bypass this check.

BUG= 597532 

Review URL: https://codereview.chromium.org/1840813002

Cr-Commit-Position: refs/heads/master@{#383627}

[modify] https://crrev.com/f93a0e557dd97cc83d8b55953c2f57c5e2dfe07b/third_party/WebKit/Source/core/frame/LocalFrame.cpp

Comment 10 by dcheng@chromium.org, Mar 29 2016

Status: Fixed (was: Assigned)

Comment 11 by dcheng@chromium.org, Mar 29 2016

Labels: Merge-Request-49
Project Member

Comment 12 by ClusterFuzz, Mar 29 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 13 by tin...@google.com, Mar 29 2016

Labels: -Merge-Request-49 Merge-Review-49 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M49), manual review required.

Comment 14 by timwillis@google.com, Apr 4 2016

Cc: tinazh@chromium.org sshruthi@chromium.org
Labels: Merge-Request-50
tinazh@ / sshruthi@ - please approve for M49 (as there's likely to be one next week AFAICT) and M-50.

Comment 15 by tin...@google.com, Apr 4 2016

Labels: -Merge-Request-50 Merge-Approved-50 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M50 (branch: 2661)

Comment 16 by dcheng@chromium.org, Apr 5 2016 

I think this patch may be superseded by https://codereview.chromium.org/1858833003. Let me see how the review on that goes.

Comment 17 by sshru...@google.com, Apr 5 2016

Labels: -Merge-Review-49 Merge-Approved-49
Merge approved for M49 (branch 2623)

Comment 18 by dcheng@chromium.org, Apr 5 2016

Labels: -Merge-Approved-49 -Merge-Approved-50 -Hotlist-Merge-Approved -M-49 -Hotlist-Merge-review
I'm clearing the merge requests on this. We should merge the fix in 600182 instead, as it addresses this bug as well as the new UXSS.

Comment 19 by timwillis@google.com, May 23 2016

Labels: reward-topanel Release-0-M51

Comment 20 by timwillis@google.com, May 25 2016

Labels: -reward-topanel reward-unpaid CVE-2016-1673 reward-7500
14rrwu.jpg
79.0 KB View Download

Comment 21 by marius.mlynski@gmail.com, May 25 2016 

:D Thanks!

Comment 22 by timwillis@google.com, Jun 17 2016

Labels: reward-inprocess

Comment 23 by timwillis@google.com, Jun 17 2016

Labels: -reward-unpaid
Project Member

Comment 24 by sheriffbot@chromium.org, Jul 5 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 25 by sheriffbot@chromium.org, Oct 1 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 26 by sheriffbot@chromium.org, Oct 2 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 28 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

Sign in to add a comment