Issue metadata
Sign in to add a comment
|
Security: Proxy.PAC / WPAD rendering issue with new Chrome versions can help an attacker to bypass security restrictions in an organization
Reported by
assaf.g...@gmail.com,
Jun 25 2017
|
||||||||||||||||||||||||
Issue description
The following is an explanation about a newly discovered bug in the latest chrome windows version 59.0.3071.109 (Official Build), this bug, if used wisely, can provide an attack vector for circumventing organizational security mechanism that is based on the proxy automatic configuration file, WPAD or the proxy.pac.
VULNERABILITY DETAILS
WPAD / Proxy.pac are based on a set of instructions that tells the browser which proxy it should use, these instruction relays on the browser to interpreted them correctly.
The following is the scenario where Chrome fails to process proxy.pac instructions
- When a PC has more then one interface, and each interface has at least one IPv4 address
- When Chrome processes the functions 'isInNet' together with 'myIPAddress' it is not using the correct IP address - The IP address on the interface that the request will be sent from. Instead, it is using one of the other interfaces IP addresses.
- As a result, the instructions intended to be processes by the browser leads to unexpected results. i.e, The request is processed using the wrong IP address and depending on the WPAD/Proxy.pac instructions, can 'bypass' the intended proxy.
VERSION
Chrome Version: 59.0.3071.109 Official Build
Operating System: Windows 8.1 fully updated.
Confirmed on multiple OSs.
REPRODUCTION CASE
Windows PC with two or more interfaces,
Interface #1 with IP address: 132.77.134.28 (Physical interface, only default route in set on the machine through this interface)
Interface #2 with IP address: 192.168.56.1 (virtual interface, used for Host-Only VirtualBox communication)
Proxy.pac file content:
function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "132.77.134.0", "255.255.250.0"))
return "PROXY 1.1.1.1:8080";
if (isInNet(myIpAddress(), "192.168.0.0", "255.255.0.0"))
return "PROXY 2.2.2.2:8080";
}
- Results:
IE will use proxy 1.1.1.1
Firefox will use proxy 1.1.1.1
Chrome is using proxy 2.2.2.2
Best Regards,
Assaf Glik, Information Security
Weizmann Institute of Science
+972-54-2102251
,
Jun 26 2017
,
Jun 26 2017
We don't even know what interface a request will go over until after we run the PAC script. Seems like the issue here is more with picking the best address to return from myIpAddress, rather than with multi-network support (Where PAC is fundamentally broken). Seems like a duplicate of issue 735637 . eroman: Thoughts?
,
Jun 26 2017
Yes, I would say this is a duplicate of 735637. As far as the security/privacy implications: PAC implementations across browsers are fail-open, so I wouldn't categorize this as a security bug. Or worded differently, relying on PAC scripts as a privacy/security feature is already problematic, since failure to fetch the script will fallback to DIRECT. This bug details an even narrower situations of picking the wrong proxy based on the user's setup. For completeness, Chrome does have a mandatory mode for PAC but that only applies to configurations set via extensions.
,
Jun 26 2017
,
Nov 23
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by dominickn@chromium.org
, Jun 26 2017Components: Internals>Network>Proxy
Labels: Security_Severity-Low Security_Impact-Stable OS-Windows
Owner: eroman@chromium.org
Status: Assigned (was: Unconfirmed)