Issue metadata
Sign in to add a comment
|
Security: router web UI compromise via cache poisoning |
||||||||||||||||||||||
Issue description
VULNERABILITY DETAILS
If a user uses the same Chrome profile when using an untrusted network and when using a home network, an attacker who controls the untrusted network can gain access to the web UI of the home network's router, assuming that the router's web interface doesn't use HTTPS and the attacker can guess the router's IP address. If the router either has no password set or the user types in the router password while trying to legitimately access the router's web interface, the attacker can reconfigure the router.
This is possible because http://{x}:{y}/ in an untrusted network has the same origin as http://{x}:{y}/ in a trusted network, so an attacker can be same-origin with a router webinterface on another network.
Steps of the attack, assuming that the web interface is password-protected and the router is a Fritzbox:
1. While the user is connected to the untrusted network and accessing a website over HTTP, the attacker injects <iframe src="http://192.168.178.1/js/ready.js"></iframe> into the website.
2. When Chrome requests http://192.168.178.1/js/ready.js, the attacker replies with a malicious script, with HTTP headers that cause it to be cached.
3. Later, when the user is on their home network, they navigate to the router's web interface at http://192.168.178.1/ in order to change some setting. http://192.168.178.1/ includes the script http://192.168.178.1/js/ready.js.
4. Chrome uses the cached, malicious copy of http://192.168.178.1/js/ready.js instead of the real ready.js.
5. The user types in the password, and the malicious copy of ready.js can log the password and access the router's webinterface.
(Of course, this also applies to other local webservers that are reachable via HTTP - I have no idea whether that's a common thing in enterprise environments or so, I only know that it's common in home routers.)
VERSION
Chrome Version: 57.0.2987.110 stable
Operating System: Ubuntu
REPRODUCTION CASE
- Launch an Apache httpd with cgi enabled.
- Save the following as /usr/lib/cgi-bin/cacheme.js:
#!/bin/sh
echo 'Status: 200 OK'
echo 'Cache-Control: max-age=31556926'
echo ''
echo 'alert("evil cached script");'
- Make /usr/lib/cgi-bin/cacheme.js executable.
- Save the following as /var/www/test.html:
<script src="/cgi-bin/cacheme.js"></script>
- Navigate to http://a.b.c.d/test.html, where a.b.c.d is your machine's external IP address.
- Close the browser.
- Replace the alert("evil cached script") in /usr/lib/cgi-bin/cacheme.js with alert("good script")
- Start the browser, navigate to http://a.b.c.d/test.html again.
Expected result: An alert box with "good script"
Actual result: An alert box with "evil cached script"
,
Mar 28 2017
Other variations: 1. If the user's local service has any localStorage, indexedDB, cookies, etc, those can be stolen by the attacking service. 2. If the user had stored credentials in their password manager, those could be at risk (we have a few mitigations that might protect automated groveling, but inadvertent user-interaction might foil them)
,
Mar 29 2017
elawrence: Regarding c#1, to work without MITM, does that mean that the attacker must control both the router and the website that the user is browsing? I'm not clear on how that works otherwise. This is plausible for a captive portal, but that is already a MITM.
,
Mar 29 2017
Re #3: In the attack scenario, the attacker controls two different endpoints: 1. Some endpoint that the user is deliberately browsing 2. An endpoint with a private IP address that matches the private IP address to attack on the user's home/private network My point that the attacker need not be a MiTM is that the victim could be browsing the attacker's site directly, so the attacker need not do on-the-fly modification of any third-party pages (as in step #1 of the original report). Having a MiTM position provides the benefit that the attacker need not entice the user to visit his site, he can MiTM inject into any other HTTP page the user happens to load.
,
Mar 30 2017
,
Apr 3 2017
,
Apr 4 2017
I think this is related to https://crbug.com/378566, but I'm not an expert. Assigning to mkwst for triage.
,
Apr 4 2017
It's similar to 378566, but even after that change is in place, the attacker would just serve a CORS policy from their private IP, enabling their poisoned resource to be cached for later reuse. That later reuse would be same-origin to the router page and this CORS restrictions wouldn't come into play.
,
Apr 4 2017
Comment 8 is correct. Limiting access to internal IP ranges as in 378566 will not address the scenario outlined here, as the attacker would simply allow access to their attack pages.
Comment 1 is also correct. RFC1918 IP addresses are not unique, and are completely dependent on the user's network environment. I can think of draconian ways of addressing the cache problem ("don't cache resources for RFC1918 addresses", for instance), and even more draconian ways of addressing the active page/frame porblem from comment 1 ("reload RFC1918 pages whenever the local IP address changes", for example), but I'm not sure how to evaluate whether those are reasonable solutions.
I think I agree, however, that it's reasonable to treat them differently to "normal" DNS names.
,
Apr 4 2017
,
Apr 4 2017
,
Apr 5 2017
+ some network folks for their thoughts.
,
Apr 10 2017
Ping - any thoughts here would be much appreciated.
,
Apr 10 2017
I'm unsure if there's a specific request? I have no (new) thoughts to share. Everything described is working as intended, from a spec point of view, and any divergence would be a divergence from spec behaviour.
Various behaviours:
- Don't cache resources for HTTP pages. Full stop. There's no way to guarantee the authenticity of the request to support its persistence.
- Breaks the web.
- But prevents others from breaking it.
- Don't cache resources for "Internal" pages
- Lack a definition of internal (is it just the IP? Is it "resolves to that IP?")?
- This would fundamentally change how the Fetch spec works w/r/t loading behaviours, which would affect all Chrome loads anyways
- Doesn't meaningfully address the problem for other forms of HTTP resources
- A reasonable question about the 'priority' of this related to other efforts. Is this meaningfully moving the security bar forward?
- Declare it as a WontFix/WorkingAsIntended - a known issue with the flaws of HTTP
I defer to OWP-Security on this. I don't really think it's network related at all. HTTP is bad, and if you're in a privileged position on the network - whether it's responding to local IP addresses or the ability to MITM HTTP - then all bets are over. Any changes here really go into the Blink loading side (I think), minimally because it involves the Fetch spec which is more in the //content and Blink-side.
,
Apr 11 2017
c#14: thanks for the thoughts. This helps a lot. I'm going to WontFix this for now and open it up. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Mar 28 2017Components: Blink>SecurityFeature>SameOriginPolicy
Labels: OS-All