Issue 668653 Security: XSS in chrome://downloads, enables extensions to run any program
Reported by rob@robwu.nl, Nov 25
Status: Verified
Owner:
Closed: Nov 30
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security
Chrome version: 54.0.2840.90 (stable), 55.0.2883.59 (beta), 57.0.2931.0 (Canary)

There is an XSS vulnerability in chrome://downloads that allows an extension to run a program without user interaction. The only requirement is that the user installs or upgrades to a malicious extension (this is not a difficult requirement).
In fact, bug 671007 satisfies this requirement with low user interaction. Together, web pages can run arbitrary code outside Chrome with two clicks at a specific spot in a web page.


Steps to reproduce:
1. Download ext.zip, create a directory and unzip it to the directory.
2. Visit chrome://extensions, enable developer mode and load the unpacked extension.
3. Wait a little bit, observe that chrome://downloads is opened.

Now the following happens (see video):
- The PoC performs XSS in chrome://downloads
- The PoC bypasses the dangerous file check (Chrome 55+, thanks to bug 640673)
- The PoC launches an external program via the downloaded vbs script.



This exploit works because of multiple vulnerabilities:

### XSS in chrome://downloads
- innerHTML assignment at [1] using a variable from [2], created at [3]:
      var name = this.data.by_ext_name;
      return loadTimeData.getStringF('controlledByUrl', url, name);
  In the above code (from [3]), name is the extension name, which can have any value.

- So I can perform XSS in chrome://downloads by setting the extension name.

Proposed fix: Escape the name variable.


### CSP bypasses
I use bug 668645 to bypass the following Content-Security-Policy of chrome://downloads:
script-src chrome://resources 'self' 'unsafe-eval';object-src 'none';child-src 'none';



### Bypass safe browsing / dangerous file check
- bug 640673 removed the confirmation dialogs to simplify the download flow at chrome://downloads,
  assuming that the user wants to download the file when they click in the page.
- However, the C++-side does not perform further validations on this condition.

Proposed fix: Require a user gesture in MdDownloadsDOMHandler::HandleSaveDangerous.


### Run a program outside of Chrome
- To run a program, a user should click on a button in chrome://downloads.
- Again, there is no C++-side check that the user did really click.

Proposed fix: Require a user gesture in MdDownloadsDOMHandler::HandleOpenFile.
(and maybe as a defense in depth, also in MdDownloadsDOMHandler::HandleOpenDownloadsFolder)


[1] https://chromium.googlesource.com/chromium/src/+/4a6882854516c760d962aea5924f52fd3c68184c/chrome/browser/resources/md_downloads/item.js#244
[2] https://chromium.googlesource.com/chromium/src/+/4a6882854516c760d962aea5924f52fd3c68184c/chrome/browser/resources/md_downloads/item.js#21
[3] https://chromium.googlesource.com/chromium/src/+/4a6882854516c760d962aea5924f52fd3c68184c/chrome/browser/resources/md_downloads/item.js#113
Attachments: ext.zip (2.0 KB), start-mspaint.ogv (380 KB)
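The innerHTML sink described under "XSS in chrome://downloads" is modelled below as an added example (not code from the Chromium tree or from the reporter's patch): a constructed stand-in for the `controlledByUrl` template, a simplified `getStringF` that substitutes `$1`/`$2`, and the unescaped interpolation beside the escaped one that the proposed fix calls for. The template text, the escaper and the `injectsMarkup` check are assumptions made for the demonstration.

```javascript
// Constructed stand-in for the localized 'controlledByUrl' string in item.js;
// the real template is looked up through loadTimeData and is not reproduced here.
const TEMPLATE = 'This file was downloaded by extension <a href="$1">$2</a>.';

// Minimal HTML escaper for the characters that can break out of text or
// attribute context when a string is assigned to innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Simplified model of loadTimeData.getStringF: replaces $1, $2, ... with the
// corresponding argument verbatim (no escaping, exactly like the sink in the bug).
function getStringF(template, ...args) {
  return template.replace(/\$(\d)/g, (_, i) => args[Number(i) - 1]);
}

// Vulnerable pattern: this.data.by_ext_name (attacker-chosen extension name)
// reaches innerHTML unescaped, so any markup in the name becomes live DOM.
function controlledByMarkupVulnerable(url, byExtName) {
  return getStringF(TEMPLATE, url, byExtName);
}

// Hardened pattern: escape every untrusted piece before it is substituted.
function controlledByMarkupSafe(url, byExtName) {
  return getStringF(TEMPLATE, escapeHtml(url), escapeHtml(byExtName));
}

// Detection helper: true if the markup would create any element other than the
// single <a> the template intends, i.e. the name injected its own tags.
function injectsMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z]/g) || [];
  return tags.some((t) => !/^<\/?a$/i.test(t));
}
```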
Comment 1 by rob@robwu.nl, Nov 25
Cc: dbeam@chromium.org
Owner: rob@robwu.nl
Status: Started
[cc dbeam@ for review]

Patch to fix XSS: https://codereview.chromium.org/2526323004
Comment 2 by rob@robwu.nl, Nov 25
Cc: jochen@chromium.org
[+jochen for review too]
Patch to enforce user gesture: https://codereview.chromium.org/2535483003/

Before landing the patches, vulcanize should be run - https://cs.chromium.org/chromium/src/docs/vulcanize.md (Otherwise the changes won't make it into Chrome).
Locally I verified that either patch (after running vulcanize & compiling) breaks the exploit chain.
Project Member Comment 3 by bugdroid1@chromium.org, Nov 29
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f49156a6624e78d73636eb0f4113f541e599cefb

commit f49156a6624e78d73636eb0f4113f541e599cefb
Author: rob <rob@robwu.nl>
Date: Tue Nov 29 00:08:01 2016

Require user gesture for powerful download operations

BUG= 668653 
TEST=Manually clicking on the open download folder works,
running the test case from the bug report triggers NOTREACHED.
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2535483003
Cr-Commit-Position: refs/heads/master@{#434786}

[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/chrome/browser/resources/md_downloads/action_service.js
[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/chrome/browser/resources/md_downloads/crisper.js
[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/chrome/browser/ui/webui/md_downloads/md_downloads_dom_handler.cc
[modify] https://crrev.com/f49156a6624e78d73636eb0f4113f541e599cefb/content/renderer/web_ui_extension.cc

Labels: Security_Impact-Stable Pri-2
Labels: Security_Severity-Medium
Adding a couple of labels. Thanks for contributing patches to this issue.
Comment 7 by rob@robwu.nl, Nov 30
Cc: jialiul@chromium.org
Labels: ReleaseBlock-Stable Merge-Request-56 Merge-Request-55
Status: Verified
[+jialiul to re-assess the severity]

This allows a full sandbox bypass, requiring nothing more than having a malicious extension installed. The video made no effort at hiding how the exploit operates, but in reality the exploit can be executed without the user noticing. Exploiting this bug is easy: buy an extension with many users, publish an update that uses this bug and profit.

Escaping the sandbox from a web page is rated as critical severity (https://www.chromium.org/developers/severity-guidelines). I think that the extension requirement is not enough mitigation to drop the severity by two levels in the class, so this should be rated Security_Severity-High.


Can I merge 6d9a7916b48581f72fda060a1210ebef7f89b229 with the first release of M-55?
The patch is dead simple and cannot have undesired side effects. I verified the fix in 57.0.2937.0 on Windows (using the steps to repro from the bug). (The other patch fixes another part of the exploit chain, but if there are no other XSS issues in chrome://downloads we should be fine.)

Adding Release blocker just to make sure that this merge request is evaluated before the M-55 release.
Project Member Comment 8 by sheriffbot@chromium.org, Nov 30
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: awhalley@chromium.org
awhalley@ for M55 merge review (FYI: We're cutting M55 Stable RC soon).
Yea, we're out of time for M55, though we should keep to the standard flow for this and consider a merge if we do a stable update later on.
Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] Less than a week to go before stable on M55, we might already have a stable candidate build. Manual review required.
Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] Less than a week to go before stable on M55, we might already have a stable candidate build. Manual review required.
Project Member Comment 14 by bugdroid1@chromium.org, Nov 30
Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/deb94aef51054feb86021d2168182caf3d26886b

commit deb94aef51054feb86021d2168182caf3d26886b
Author: Rob Wu <rob@robwu.nl>
Date: Wed Nov 30 22:50:51 2016

Remove XSS from chrome://downloads

BUG= 668653 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2526323004
Cr-Commit-Position: refs/heads/master@{#435104}
(cherry picked from commit 6d9a7916b48581f72fda060a1210ebef7f89b229)

Review URL: https://codereview.chromium.org/2537893004 .

Cr-Commit-Position: refs/branch-heads/2924@{#218}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/deb94aef51054feb86021d2168182caf3d26886b/chrome/browser/resources/md_downloads/compiled_resources2.gyp
[modify] https://crrev.com/deb94aef51054feb86021d2168182caf3d26886b/chrome/browser/resources/md_downloads/crisper.js
[modify] https://crrev.com/deb94aef51054feb86021d2168182caf3d26886b/chrome/browser/resources/md_downloads/item.js

Labels: M-56 M-57
Labels: reward-topanel
How about the severity re-assessment as requested in comment 7?

I found a way to easily install extensions from a web page (bug 671007), so this effectively means that web pages can run arbitrary code outside the sandbox with minimal user interaction (e.g. double-click in a fixed location on a web page).
Labels: -Hotlist-Merge-Approved -ReleaseBlock-Stable
Labels: -Merge-Review-55 Merge-Rejected-55
We are not planning any further M55 stable releases.
Labels: Release-0-M56
Labels: CVE-2017-5020
Labels: -reward-topanel reward-pended
We'll consider this for reward in conjunction with 668645.
Project Member Comment 24 by sheriffbot@chromium.org, Mar 8
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot