
Issue 627299

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security




Security: Proxy settings persists from guest mode

Reported by resea...@nightwatchcybersecurity.com, Jul 12 2016

Issue description

VULNERABILITY DETAILS
Setting a proxy for a network in guest mode persists even after guest mode. This is for both entering a proxy in the network settings or entering a Proxy auto config file path (PAC). This affects ChromeOS on the login screen until the user either logs in or enters guest mode.

We saw the following URLs:
http://www.gstatic.com/generate_204

http://clients1.google.com/tools/pso/ping?as=chromeos&brand=ACAC&pid=&hl=en&events=CAI,CBI,CCI,CAS,CCS&rep=2&rlz=CA:,CB:,CC:

http://www.gstatic.com/chrome/crlset/3118/crl-set-14826047662225654750.crx.data

If a proxy is set up for all protocols, even SSL traffic was observed going through the proxy, although it will probably use CA verification to avoid MITM.

VERSION
Chrome Version: 51.0.2704.106 (stable)
Operating System: ChromeOS 8172.62.0 (stable)

REPRODUCTION CASE
1. Set up a proxy on the local LAN.
2. Log in as guest.
3. Set a proxy in the shared network pointing to the proxy.
4. Restart but do not log in.
5. Observe proxy calls.

Alternatively, you can put in a PAC file and observe requests to it after reboot.

(somewhat related to https://bugs.chromium.org/p/chromium/issues/detail?id=600194)

 
Cc: asanka@chromium.org jar@chromium.org mmenke@chromium.org
Components: Internals>Network>Proxy
Labels: Security_Impact-Stable OS-Chrome
CC-ing some net OWNERS.

Comment 3 by mmenke@chromium.org, Jul 13 2016

Components: OS>Systems>Network
I don't think the network stack team owns the proxy configuration UI on ChromeOS - on all other platforms, we use the platform config, so this is unique ChromeOS code, and unique ChromeOS UI, none of it in net/, ProfileIOData, or IOThread.

Comment 4 by ta...@google.com, Jul 13 2016

Labels: Security_Severity-High
To clarify - the proxy settings only persist during the login screen, once a user logs in or the guest logs the proxy settings become disabled. But they do persist even after a reboot.

Comment 6 by sheriffbot@chromium.org, Jul 14 2016

Labels: M-51

Comment 7 by sheriffbot@chromium.org, Jul 14 2016

Labels: Pri-1

Comment 8 by ta...@google.com, Jul 15 2016

Cc: bartfab@chromium.org wad@chromium.org
bartfab@ and wad@, I wonder if you have insight about this. Thanks!

Comment 9 by ta...@google.com, Jul 18 2016

ping
Labels: -Security_Severity-High Security_Severity-Low

Comment 11 by sheriffbot@chromium.org, Jul 19 2016

Labels: -Pri-1 Pri-2
Owner: bartfab@chromium.org
Status: Assigned (was: Unconfirmed)
This is very similar to #600195, except that the other one persists even after login.

Comment 14 by sheriffbot@chromium.org, Jul 21 2016

Labels: -M-51 M-52
Components: Enterprise
Owner: ----
Status: Available (was: Assigned)
I don't work on Chrome OS anymore. Adjusting tags to make sure this gets picked up by our triage rotation.
Status: WontFix (was: Available)
Closing WAI per https://bugs.chromium.org/p/chromium/issues/detail?id=600195#c13
Issue 600195 is security restricted (as is this one). If both are WAI, should probably open them up to the public.
Labels: -Restrict-View-SecurityTeam
Yup, I forgot to lift the restriction. Fixed.
Cc: ya...@nightwatchcybersecurity.com
