Security: ChromeOS flaw - PoisonTap
Reported by akram992...@gmail.com, Dec 10 2016
Issue description
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.
Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home/chromium-security/security-faq
Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs
NOTE: Security bugs are normally made public once a fix has been widely
deployed.
VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Hello, I've recently installed ChromeOS on my notebook and started finding some vulns, and finally I found one.
The attacker needs a $5 Raspberry Zero and a micro SD.
This device emulates an Ethernet device over USB, hijacks all Internet traffic from the machine (despite being a low-priority/unknown network interface), siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites, and exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding.
It installs a persistent web-based backdoor in the HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, all with access to the user's cookies via cache poisoning; allows the attacker to remotely force the user to make HTTP requests and proxy back responses (GETs & POSTs) with the user's cookies on any backdoored domain; does not require the machine to be unlocked; and the backdoors and remote access persist even after the device is removed and the attacker sashays away.
The Raspberry produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.
The attacker plugs the Raspberry into a locked computer (even if the computer is password protected).
The Raspberry emulates an Ethernet device, and ChromeOS recognizes an Ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected.
The Raspberry responds to the DHCP request and provides the machine with an IP address; however, the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of the Raspberry's local network, rather than a small subnet (e.g. 192.168.0.0 - 192.168.0.255).
Normally it would be irrelevant if a secondary network device connects to a machine, as it will be given lower priority than the existing (trusted) network device and won't supersede the gateway for Internet traffic, but...
Any routing table / gateway priority / network interface service order security is bypassed due to the priority of "LAN traffic" over "Internet traffic".
The Raspberry exploits this network access, even as a low-priority network device, because the subnet of a low-priority network device is given higher priority than the gateway (default route) of the highest-priority network device.
This means that if traffic is destined to 1.2.3.4, while normally this traffic would hit the default route/gateway of the primary (non-Raspberry) network device, the Raspberry actually gets the traffic because the Raspberry "local" network/subnet supposedly contains 1.2.3.4, and every other IP address in existence ;)
Because of this, all Internet traffic goes over the Raspberry, even though the machine is connected to another network device with higher priority and a proper gateway (the true Wi-Fi, Ethernet, etc.).
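As an added defender-side example (not from the report, from PoisonTap, or from ChromeOS), this Python script parses constructed `ip route show` output and flags a directly connected route that claims far more than a LAN, which is exactly what a DHCP lease advertising the whole IPv4 space as the local subnet produces; it also lists which interfaces tie for a given Internet destination. The interface names, addresses and metrics are assumptions.

```python
import ipaddress
import re

# Constructed `ip route show` output (not from the page). wlan0 is the trusted
# uplink; usb0 is a USB Ethernet gadget whose DHCP lease told the host that
# the entire IPv4 space (netmask 0.0.0.0) is its directly connected subnet.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
0.0.0.0/0 dev usb0 proto kernel scope link src 10.0.0.2 metric 700
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>default|[\d./]+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$")

def parse_routes(text):
    """Parse `ip route show` lines into dicts: network, gateway (or None), device, metric."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not IPv4 unicast routes
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        metric = re.search(r"\bmetric\s+(\d+)", m.group("rest"))
        routes.append({"net": ipaddress.ip_network(dst, strict=False), "via": m.group("via"),
                       "dev": m.group("dev"), "metric": int(metric.group(1)) if metric else 0})
    return routes

def suspicious_routes(routes, min_prefixlen=8):
    """Flag routes broader than any plausible LAN (shorter than /8), except a genuine
    default route (a /0 that points at a gateway). A lease with netmask 0.0.0.0 shows
    up as a /0 on-link route with no gateway and is caught here."""
    return [r for r in routes
            if r["net"].prefixlen < min_prefixlen
            and not (r["net"].prefixlen == 0 and r["via"] is not None)]

def devices_in_contention(routes, dest):
    """Devices holding a longest-prefix match for dest; the OS breaks the tie by its own
    interface priority rules, so a rogue device listed here can carry the traffic."""
    addr = ipaddress.ip_address(dest)
    matching = [r for r in routes if addr in r["net"]]  # assumes a default route exists
    longest = max(r["net"].prefixlen for r in matching)
    return sorted({r["dev"] for r in matching if r["net"].prefixlen == longest})

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for r in suspicious_routes(routes):
        print(f"suspicious: {r['net']} on {r['dev']} (metric {r['metric']})")
    print("candidates for 1.2.3.4:", devices_in_contention(routes, "1.2.3.4"))
```

On a real host, feed it the output of `ip route show` and alert on any flagged route that appears on an interface other than the expected uplink.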
Comment 1 by elawrence@chromium.org, Dec 12 2016

Summary: Security: ChromeOS flaw - PoisonTap (was: Security: ChromeOS flaw)

The FAQ explains why physically local attacks are not within the browser's threat model: https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model-

If attackers have physical access to the device, there's little that can be done, on any OS, with any browser, for the reasons described in the FAQ.

Comment, Mar 21 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot