
Issue 668645

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Hotlists containing this issue:
EnamelAndFriendsFixIt



Security: CSP in WebUI can trivially be bypassed by extensions

Project Member Reported by rob@robwu.nl, Nov 25 2016

Issue description

chrome-extension: resources are not blocked by the content security policy [1]. This makes sense for regular web pages, over which extensions take priority. This is less desirable on WebUI pages, which are parts of Chrome that are more privileged than extensions.

I have found an XSS vulnerability that uses this bug to run a program outside of Chrome (to be reported separately).


This is the recipe for exploitation:
1. Create an extension with a script that you want to run (e.g. s.js), put this in web_accessible_resources.
2. Put the following in the injected HTML: <script src="chrome-extension://[extensionid]/s.js"></script>
   (If the HTML is assigned via innerHTML, put it in a <iframe srcdoc="<script>..."> to make sure that the script is parser-inserted)
3. Open the WebUI page with an XSS/HTML injection vulnerability (using the chrome.tabs.create extension API).

The above recipe even works if the CSP is default-src 'none'.

I suggest not allowing chrome-extension:-URLs to bypass CSP on WebUI pages, except possibly for URLs from component extensions (these are trusted parts of Chrome, so there is no need to block them; doing so may even break their functionality).


[1] https://www.w3.org/TR/2016/WD-CSP3-20160901/#extensions
 

Comment 1 by rob@robwu.nl, Nov 25 2016

Bug 668653 shows an exploit where an external program (mspaint) is launched through XSS in a WebUI page.

Comment 2 by rob@robwu.nl, Nov 28 2016

Cc: jochen@chromium.org dbeam@chromium.org
Cc-ing reviewers for my patches to bug 668653.

Comment 3 by mkwst@chromium.org, Nov 28 2016

Cc: a...@google.com
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)
There's an experiment that prevents `chrome-extension://` URLs from automatically bypassing CSP for parser-inserted scripts like `innerHTML` (see issue 653521 and https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp?rcl=0&l=591). Exploits like this are a good argument in favor of shipping it.

WDYT, rdevlin.cronin@?

Comment 4 by rob@robwu.nl, Nov 28 2016

Mind ccing me on bug 653521?

Comment 5 by och...@chromium.org, Nov 29 2016

Labels: Security_Severity-Low Security_Impact-Stable
Assuming this impacts Stable. I'm going to give this one a Low because this requires an XSS on a WebUI page + an extension to be installed.

Comment 6 by sheriffbot@chromium.org, Nov 30 2016

Labels: Pri-2

Comment 7 by awhalley@google.com, Dec 12 2016

Labels: reward-topanel
@3 - I think that this decision can be orthogonal to issue 653521. We already (mostly) disallow script injection on chrome:// URLs, so there's no reason CSP bypasses should be allowed.

Comment 9 by awhalley@google.com, Dec 16 2016

Note to VRP Panel: please consider in conjunction with 668653
Labels: -Security_Severity-Low Security_Severity-Medium

Comment 11 by sheriffbot@chromium.org, Jan 26 2017

mkwst: Uh oh! This issue is still open and hasn't been updated in the last 59 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by sheriffbot@chromium.org, Jan 26 2017

Labels: M-56

Comment 13 by sheriffbot@chromium.org, Jan 26 2017

Labels: -Pri-2 Pri-1
Labels: -M-56 M-57
Hi folks - been a while with no movement on this bug. What are the next steps here?  Mike, are you still the best owner?

Comment 15 by sheriffbot@chromium.org, Feb 10 2017

mkwst: Uh oh! This issue is still open and hasn't been updated in the last 74 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: est...@chromium.org
+estark as another CSP owner. 

Comment 17 by sheriffbot@chromium.org, Apr 20 2017

Labels: -M-57 M-58
estark/mkwst: Any update on this issue?
I'm not that familiar with this area. Is ShouldBypassMainWorldCSP() what controls whether CSP is bypassed in this scenario? If so, is there any way in Blink to check whether a page is WebUI so that we can avoid bypassing?

Comment 20 by sheriffbot@chromium.org, Jun 6 2017

Labels: -M-58 M-59

Comment 21 by rob@robwu.nl, Jul 12 2017

Owner: rob@robwu.nl
Status: Started (was: Assigned)
I've created a patch that implements my suggestion from the initial report:
https://chromium-review.googlesource.com/c/567499/

I wonder why the bot stopped nagging 5 months ago despite the lack of activity on this bug.

Comment 22 by sheriffbot@chromium.org, Jul 26 2017

Labels: -M-59 M-60
Friendly security sheriff ping: it looks like the CL https://chromium-review.googlesource.com/c/567499/ has gotten stuck in review. Can we please move ahead with implementation / are there any blockers which are preventing moving ahead?

Comment 24 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61

Comment 25 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Labels: Hotlist-EnamelAndFriendsFixIt

Comment 27 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63

Comment 29 by rob@robwu.nl, Jan 14 2018

Status: Verified (was: Started)
Verified fixed in 65.0.3322.0. Visiting chrome://version and executing the following in the JS console results in the expected error below:
var s = document.createElement('script');
s.src = 'chrome-extension://foo';
document.head.append(s);

Refused to load the script 'chrome-extension://foo/' because it violates the following Content Security Policy directive: "script-src chrome://resources 'self' 'unsafe-eval'".
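The recipe in the issue description (a chrome-extension: script injected into a WebUI page ignores the page's CSP, even `default-src 'none'`) and the check in comment 29 (the same load is refused on chrome://version after the fix) can both be reproduced in a small model of CSP script-src evaluation. The JavaScript below (Node) is an added example written for this page; it is not Chromium source and not the reporter's patch. It parses a policy, matches a script URL against the script-src source expressions, and applies a scheme-bypass rule in two modes: the pre-fix behaviour, where chrome-extension: URLs bypass CSP on every page, and the rule the reporter proposed, where on WebUI (chrome:) pages only component extensions keep the bypass. The extension ID, the idea that component extensions are recognised by ID, and all helper names are assumptions for illustration; the refusal message is formatted to match the console output quoted in comment 29.

```javascript
// Added example for this page (not Chromium source, not the reporter's patch):
// a toy model of CSP script-src evaluation with the chrome-extension: scheme
// bypass described in the issue. Extension IDs and helper names are assumptions.

// Split "script-src chrome://resources 'self' 'unsafe-eval'" into
// directive name -> list of source expressions (first occurrence wins, as in CSP).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;                                   // e.g. chrome-extension:
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*\s]+)(?::(\d+|\*))?(\/\S*)?$/i; // e.g. chrome://resources

// Does one source expression match scriptUrl when loaded from pageUrl?
// Covers the subset of CSP3 source-expression syntax seen on this page; nonces and hashes are not modelled.
function matchesSource(expr, scriptUrl, pageUrl) {
  const s = new URL(scriptUrl);
  const p = new URL(pageUrl);
  if (expr === "'self'") {
    return s.protocol === p.protocol && s.hostname === p.hostname && s.port === p.port;
  }
  if (expr.startsWith("'")) return false;          // 'none', 'unsafe-eval', ... never match a URL
  if (SCHEME_SOURCE.test(expr)) return s.protocol === expr.toLowerCase();
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (s.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (s.protocol !== p.protocol && !(p.protocol === 'http:' && s.protocol === 'https:')) {
    return false;                                   // no scheme in the expression: inherit the page's scheme
  }
  const h = host.toLowerCase();
  const hostOk = h === '*' || (h.startsWith('*.') ? s.hostname.endsWith(h.slice(1)) : s.hostname === h);
  if (!hostOk) return false;
  if (port && port !== '*' && s.port !== port) return false;
  if (path && path !== '/' && !s.pathname.startsWith(path)) return false;
  return true;
}

// The bypass from the issue: chrome-extension: scripts skip CSP on ordinary web pages.
// Pre-fix (fixed: false) the same applied on WebUI (chrome:) pages. The reporter's
// proposal, modelled here, keeps the bypass on WebUI only for component extensions,
// which this toy assumes are recognised by extension ID.
function schemeBypassesCsp(pageUrl, scriptUrl, { fixed = true, componentExtensionIds = new Set() } = {}) {
  const script = new URL(scriptUrl);
  if (script.protocol !== 'chrome-extension:') return false;
  const isWebUi = new URL(pageUrl).protocol === 'chrome:';
  if (!isWebUi || !fixed) return true;
  return componentExtensionIds.has(script.hostname);
}

// Returns { allowed, reason }; the refusal text mirrors Chrome's console message.
function scriptLoadAllowed(pageUrl, scriptUrl, policy, opts = {}) {
  if (schemeBypassesCsp(pageUrl, scriptUrl, opts)) {
    return { allowed: true, reason: 'chrome-extension: scheme bypasses CSP' };
  }
  const directives = parseCsp(policy);
  const name = directives.has('script-src') ? 'script-src' : directives.has('default-src') ? 'default-src' : null;
  if (name === null) return { allowed: true, reason: 'no script-src or default-src directive' };
  const sources = directives.get(name);
  if (sources.some((expr) => matchesSource(expr, scriptUrl, pageUrl))) {
    return { allowed: true, reason: `matched ${name}` };
  }
  return {
    allowed: false,
    reason: `Refused to load the script '${new URL(scriptUrl).href}' because it violates the following Content Security Policy directive: "${name} ${sources.join(' ')}".`,
  };
}

// Constructed inputs: a hypothetical extension ID and the policy quoted in comment 29.
const EXT = 'abcdefghijklmnopabcdefghijklmnop';
const INJECTED_SCRIPT = `chrome-extension://${EXT}/s.js`;
const VERSION_PAGE_CSP = "script-src chrome://resources 'self' 'unsafe-eval'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('pre-fix, default-src none:', scriptLoadAllowed('chrome://settings/', INJECTED_SCRIPT, "default-src 'none'", { fixed: false }));
  console.log('fixed,   default-src none:', scriptLoadAllowed('chrome://settings/', INJECTED_SCRIPT, "default-src 'none'"));
  console.log('fixed,   component ext   :', scriptLoadAllowed('chrome://settings/', INJECTED_SCRIPT, "default-src 'none'", { componentExtensionIds: new Set([EXT]) }));
  console.log('comment 29 reproduction  :', scriptLoadAllowed('chrome://version', 'chrome-extension://foo/', VERSION_PAGE_CSP).reason);
}
```

The model only covers policy evaluation; it does not model the DOM insertion path, so the detail in the recipe about innerHTML versus a srcdoc iframe (which only matters for whether the injected script element is executed at all) is outside its scope. Run it with `node` to see the pre-fix bypass succeed against `default-src 'none'` on a chrome: page, the same load refused once the WebUI carve-out is applied, and the exact refusal line from comment 29.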

Comment 30 by sheriffbot@chromium.org, Jan 14 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 31 by rob@robwu.nl, Jan 19 2018

Labels: -M-63 M-65
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Thanks Rob! The VRP panel awarded $500 for this report and $500 for the patch. Cheers!
Labels: -reward-unpaid reward-inprocess

Comment 35 by sheriffbot@chromium.org, Feb 8 2018

Labels: Merge-Request-65

Comment 36 by sheriffbot@chromium.org, Feb 9 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
[Bulk Edit]

+awhalley@ (Security TPM) for M65 merge review
govind@ - good for 65
Labels: -Merge-Review-65 Merge-Approved-65
Approving merge to M65 branch 3325 based on comment #38. Please merge ASAP so we can pick it up for next week's Beta release. Thank you.

Comment 40 by rob@robwu.nl, Feb 9 2018

Labels: -Hotlist-Merge-Review -Merge-Approved-65
No need to merge; 956801d1098d266fe794c9b1a137aadc259b84f1 is already on M65:
https://chromium.googlesource.com/chromium/src.git/+/956801d1098d266fe794c9b1a137aadc259b84f1/chrome/VERSION
Labels: Release-0-M65
Labels: CVE-2018-6070

Comment 43 by sheriffbot@chromium.org, Apr 22 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted
