Issue metadata
Sign in to add a comment
|
Security: Potential HTTPS downgrade attacks by abusing WWW mismatch redirect
Reported by
xiaoyi...@outlook.com,
May 5 2017
|
||||||||||||||||||||||
Issue descriptionVULNERABILITY DETAILS Suppose there is a website at www.A.com with the following configuration: 1. www.A.com and A.com resolve to different IP addresses 2. both www.A.com and A.com support HTTPS, but the cert for A.com is not valid for www.A.com (i.e. www.A.com isn't in the subjectAltName of this cert) 3. both www.A.com and A.com don't support HSTS 4. https://A.com/path/to/page.html redirects to http://www.A.com/path/to/page.html 5. https://www.A.com/path/to/page.html doesn't redirect to HTTP. If a user visits https://www.A.com/path/to/page.html in Chrome, a MITM attacker hijacks the DNS request for www.A.com and returns the IP address of A.com to the victim. The cert returned by A.com doesn't match www.A.com, but because of Chrome's auto-fix (introduced in Issue 507454 ), it sends a HEAD request to https://A.com/path/to/page.html, which redirects to http://www.A.com/path/to/page.html by the server. At this point, the path part ("/path/to/page.html") is leaked to the MITM. MITM can further hijack this plaintext http request, and redirect the victim to a phishing site, as long as the phishing site is a HTTPS site. I tried tens of domains hoping to find one that satisfy all 5 conditions, but didn't find any. The closest one is https://www.harvard.edu, which satisfies 1-4. I decided to report this issue anyway, as I think such configuration may exist in the real world. To reproduce: 1. In HOSTS file, map www.harvard.edu to 52.87.36.185, which is the IP for harvard.edu 2. Launch Fiddler, and set up an autoresponder rule: If "EXACT:http://www.harvard.edu/media-relations/photos-and-multimedia/videos", then "*redir:https://www.example.com" 3. Launch Chrome. Navigate to https://www.harvard.edu/media-relations/photos-and-multimedia/videos. 4. In Fiddler you can see that there is a HEAD request which leaks the path part of the URL, and that the final landing page is https://www.example.com. A screenshot is attached. This is a bad example though because https://www.harvard.edu/media-relations/photos-and-multimedia/videos itself redirects to http, making this attack meaningless. But my point is suppose it would remain in HTTPS, other browser's users are secure, but Chrome users can be hijacked. VERSION Chrome Version: [58.0.3029.96] + [stable] (64-bit) Operating System: [Windows 10 x64 Build 15063 with security updates up to April 2017]
,
May 5 2017
Interesting, thanks for the report! The exploit scenario is indeed very narrowly scoped, but it seems worthwhile to see if we can do more here. I think the approach of refusing to follow a cross-origin redirect on the ping probably makes sense.
,
May 5 2017
Re #2: I think the argument for pinging the full URL is that a HTTPS server might end up redirecting to some other, non-secure page based on the contents of the URL it receives. Therefore pinging the stripped origin might result in a false negative. (That said, a server might well refuse a HEAD request with a HTTP/405, and that results in a false negative today). The simple approach to fixing this would be to set: url_fetcher_->SetStopOnRedirect(true); This will prevent all redirections (and data leaks) because we'll end with a 3xx response code and treat our URL fixup guess as invalid. This will create the possibility of more false-negatives (say, if the server redirects to itself by adding a trailing slash to the URL) but it would be simple. It seems like there has to be some way to do a redirect filter (e.g. for blocking redirects that result in mixed content?) but I couldn't find one on the URLFetcher.
,
May 5 2017
Severity-Low because of the very limited scope here. meacer, assigning to you :)
,
May 5 2017
(assuming that iOS is impacted too so OS-All. Please correct me if I'm wrong)
,
May 5 2017
xiaoyin.l: Thanks for the report, and elawrence: Thanks for investigating. The more complicated alternative is to dump URLFetcher altogether and send url requests and handle redirects on our own, but I don't think it's worth the effort given the low number of errors this feature fixes. SetStopOnRedirect seems sufficient to me.
,
May 5 2017
Re #6: It occurs to me that one false negative we'll introduce if we ban redirections altogether is that https://hotmail.com will stop working in Chrome. Would it be crazy to add a SetStopOnNonSecureRedirect() flag to URLFetcher?
,
May 5 2017
Thank you for investigating! Re #6, 7: An alternative way I can think of is: can we call URLFetcher recursively in the OnURLFetchComplete handler? If it is possible, we can call url_fetcher_->SetStopOnRedirect(true); and in OnURLFetchComplete, we check if the redirect destination is HTTPS. If it is HTTPS, we fetch the new URL, and this covers the hotmail.com case; if it is not HTTPS, we return error. elawrence: By the way, this issue was inspired by your Hotmail tweet you posted yesterday. Thank you for your tweet!
,
May 5 2017
> Would it be crazy to add a SetStopOnNonSecureRedirect() flag to URLFetcher? Sounds reasonable to me, but not sure what net/ will say :)
,
May 5 2017
Re #8: Recursive url fetches should also work, and we'd be able to filter by origin et.c. as well if we do that. We'll need to limit the number of hops though. However, it would be non trivial work and I'm not sure it'll be justified given the low usage of this feature. I plan to explore making this feature more effective and perhaps we can do it at that time. For now I'll simply do the SetStopOnRedirect fix.
,
May 5 2017
I noticed that we actually do check for redirects by expecting the response code to be HTTP 200 in CommonNameMismatchHandler::OnURLFetchComplete, so I'm trying to understand under which circumstances we would get a redirect without HTTP 200. Is Fiddler's autoredirect doing this in the original report?
,
May 5 2017
My understanding is that when SetStopOnRedirect is not set, the URLFetcher automatically chases redirects until a final response (non-3xx status) is received. Only at that point is our OnURLFetchComplete callback invoked, at which point (in the bad case) we've already potentially leaked URL data to a non-secure redirect Location.
,
May 5 2017
Well, yes that makes sense :)
,
May 6 2017
I have an incomplete CL here: https://codereview.chromium.org/2865753003 The test doesn't work correctly as we get responsecode == -1 for redirects, and show an interstitial. I won't be able to get to this until June, so if anyone wants to take it, feel free :)
,
Jun 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0b201e50b370d8269aa52aa4fddbcf323241b07f commit 0b201e50b370d8269aa52aa4fddbcf323241b07f Author: meacer <meacer@chromium.org> Date: Wed Jun 21 21:10:02 2017 Stop on redirects while checking for www mismatches SSLCommonNameMismatchHandling feature determines a suggested URL based on the SubjectAlternateNames of the certificate and then pings this URL. The suggested URL might be redirecting to an HTTP URL, leaking the path of the original HTTPS URL. This change prevents suggested URL pings from following redirects. This will prevent leaking the path of HTTPS URLs at the expense of false negatives. E.g. foo.com serves a cert for www.foo.com. www.foo.com redirects to bar.com. This won't work anymore. BUG= 718676 Review-Url: https://codereview.chromium.org/2865753003 Cr-Commit-Position: refs/heads/master@{#481299} [modify] https://crrev.com/0b201e50b370d8269aa52aa4fddbcf323241b07f/chrome/browser/ssl/common_name_mismatch_handler.cc [modify] https://crrev.com/0b201e50b370d8269aa52aa4fddbcf323241b07f/chrome/browser/ssl/ssl_browser_tests.cc
,
Jun 21 2017
Bit late, but should be fixed now.
,
Jun 22 2017
,
Aug 7 2017
Will this bug get a CVE?
,
Aug 7 2017
+awhalley for the CVE question. It might make sense to outline the criteria in https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md, as this topic comes up semi-regularly.
,
Aug 7 2017
Yep, this will get a CVE - we issue them when the fix is included in a stable release. For M61 that'll be early September.
,
Aug 7 2017
Thank you! Also, does this issue qualify for a bug bounty?
,
Aug 7 2017
Re: #21 - Adding reward-topanel for consideration. The scope of the attack is so limited that it was rated Severity Low and as such likely will be below the bar.
,
Aug 14 2017
I'm afraid the VRP panel declined to award, but many thanks for the report!
,
Aug 14 2017
I see. Thank you for the fix!
,
Aug 16 2017
,
Sep 5 2017
,
Sep 6 2017
,
Sep 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by xiaoyi...@outlook.com
, May 5 2017