Status: Verified
Closed: Nov 2016
OS: All
Pri: 2
Type: Bug-Security

Security: XSS in chrome://downloads, enables extensions to run any program
Project Member Reported by, Nov 25 2016
Chrome version: 54.0.2840.90 (stable), 55.0.2883.59 (beta), 57.0.2931.0 (Canary)

There is an XSS vulnerability in chrome://downloads that allows an extension to run a program without user interaction. The only requirement is that the user installs or upgrades to a malicious extension (this is not a difficult requirement).
In fact, bug 671007 satisfies this requirement with low user interaction. Together, web pages can run arbitrary code outside Chrome with two clicks at a specific spot in a web page.

Steps to reproduce:
1. Download, create a directory and unzip it to the directory.
2. Visit chrome://extensions, enable developer mode and load the unpacked extension.
3. Wait a little bit, observe that chrome://downloads is opened.

Now the following happens (see video):
- The PoC performs XSS in chrome://downloads
- The PoC bypasses the dangerous file check (Chrome 55+, thanks to bug 640673)
- The PoC launches an external program via the downloaded vbs script.

This exploit works because of multiple vulnerabilities:

### XSS in chrome://downloads
- innerHTML assignment at [1] using a variable from [2], created at [3]:
      var name =;
      return loadTimeData.getStringF('controlledByUrl', url, name);
  In the above code (from [3]), name is the extension name, which can have any value.

- So I can perform XSS in chrome://downloads by setting the extension name.

Proposed fix: Escape the name variable.

### CSP bypasses
I use bug 668645 to bypass the following Content-Security-Policy of chrome://downloads:
script-src chrome://resources 'self' 'unsafe-eval';object-src 'none';child-src 'none';

### Bypass safe browsing / dangerous file check
- bug 640673 removed the confirmation dialogs to simplify the download flow at chrome://downloads,
  assuming that the user wants to download the file when they click in the page.
- However, the C++-side does not perform further validations on this condition.

Proposed fix: Require a user gesture in MdDownloadsDOMHandler::HandleSaveDangerous.

### Run a program outside of Chrome
- To run a program, a user should click on a button in chrome://downloads.
- Again, there is no C++-side check that the user did really click.

Proposed fix: Require a user gesture in MdDownloadsDOMHandler::HandleOpenFile.
(and maybe as a defense in depth, also in MdDownloadsDOMHandler::HandleOpenDownloadsFolder)

Comment 1 by, Nov 25 2016
Status: Started
[cc dbeam@ for review]

Patch to fix XSS:
Comment 2 by, Nov 25 2016
[+jochen for review too]
Patch to enforce user gesture:

Before landing the patches, vulcanize should be run - (Otherwise the changes won't make it into Chrome).
Locally I verified that either patch (after running vulcanize & compiling) breaks the exploit chain.
Project Member Comment 3 by, Nov 29 2016
The following revision refers to this bug:

commit f49156a6624e78d73636eb0f4113f541e599cefb
Author: rob <>
Date: Tue Nov 29 00:08:01 2016

Require user gesture for powerful download operations

BUG= 668653 
TEST=Manually clicking on the open download folder works,
running the test case from the bug report triggers NOTREACHED.

Cr-Commit-Position: refs/heads/master@{#434786}


Labels: Security_Impact-Stable Pri-2
Labels: Security_Severity-Medium
Adding a couple of labels. Thanks for contributing patches to this issue.
Comment 7 by, Nov 30 2016
Labels: ReleaseBlock-Stable Merge-Request-56 Merge-Request-55
Status: Verified
[+jialiul to re-assess the severity]

This allows a full sandbox bypass, requiring nothing more than having a malicious extension installed. The video made no effort at hiding how the exploit operates, but in reality the exploit can be executed without the user noticing. Exploiting this bug is easy: buy an extension with many users, publish an update that uses this bug and profit.

Escaping the sandbox from a web page is rated as critical severity. I think that the extension requirement is not enough mitigation to drop the severity by two levels in the class, so this should be rated Security_Severity-High.

Can I merge 6d9a7916b48581f72fda060a1210ebef7f89b229 with the first release of M-55?
The patch is dead simple and cannot have undesired side effects. I verified the fix in 57.0.2937.0 on Windows (using the steps to repro from the bug). (The other patch fixes another part of the exploit chain, but if there are no other XSS issues in chrome://downloads we should be fine.)

Adding Release blocker just to make sure that this merge request is evaluated before the M-55 release.
Project Member Comment 8 by, Nov 30 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 9 by, Nov 30 2016
awhalley@ for M55 merge review (FYI: We're cutting M55 Stable RC soon).
Yea, we're out of time for M55, though we should keep to the standard flow for this and consider a merge if we do a stable update later on.
Comment 11 by, Nov 30 2016
Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] Less than a week to go before stable on M55, we might already have a stable candidate build. Manual review required.
Comment 12 by, Nov 30 2016
Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Project Member Comment 14 by, Nov 30 2016
Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:

commit deb94aef51054feb86021d2168182caf3d26886b
Author: Rob Wu <>
Date: Wed Nov 30 22:50:51 2016

Remove XSS from chrome://downloads

BUG= 668653 

Cr-Commit-Position: refs/heads/master@{#435104}
(cherry picked from commit 6d9a7916b48581f72fda060a1210ebef7f89b229)

Review URL: .

Cr-Commit-Position: refs/branch-heads/2924@{#218}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}


Labels: M-56 M-57
Labels: reward-topanel
Comment 17 by, Dec 4 2016
How about the severity re-assessment as requested in comment 7?

I found a way to easily install extensions from a web page (bug 671007), so this effectively means that web pages can run arbitrary code outside the sandbox with minimal user interaction (e.g. double-click in a fixed location on a web page).
Comment 18 by, Dec 4 2016
Labels: -Hotlist-Merge-Approved -ReleaseBlock-Stable
Labels: -Merge-Review-55 Merge-Rejected-55
We are not planning any further M55 stable releases.
Labels: Release-0-M56
Labels: CVE-2017-5020
Labels: -reward-topanel reward-pended
We'll consider this for reward in conjunction with 668645.
Project Member Comment 24 by, Mar 8 2017
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot