Security: content security policy bypass by writing to loading Frame's ContentDocument
Reported by
ma7h1a...@gmail.com,
Oct 27 2017
|
||||||||||||||||||||
Issue descriptionAFFECTED PRODUCTS -------------------- chrome 62.0.3202.62 stable DESCRIPTION -------------------- online demo: http://xsser.math1as.com/csp2.html this problem occurs because of when load a http URL , the csp would lost,but as a matter of fact, the document.domain is "about:blank" until finally load it. i guess this issue is in order to prevent chrome from spoof attack, but caused new problem.
,
Oct 27 2017
so here is the patch: when load a new URL ,for example, google.com 1.deal it as about:blank first, and inhreit the topframe's CSP 2.when finally load google.com , use the new CSP
,
Oct 27 2017
Repros in Chrome 64
,
Oct 31 2017
I'm not sure what to rate the severity at. Any thoughts, mkwst or andypaicu? Medium?
,
Oct 31 2017
Re #4 similar with issue 669086 and issue 747847 bypass the following CSP default-src 'self';script-src 'unsafe-inline';
,
Oct 31 2017
I'm going with Medium, since it breaks a security boundary and enables XSS (but not UXSS directly) if the site has an XSS vulnerability but for CSP. One could possibly argue Low, if you consider the latter condition a mitigating factor, but I think XSS is common enough that I wouldn't consider it much of a mitigation.
,
Oct 31 2017
Re #6: Maybe I'm missing something, but in order for this to work, doesn't the attacker already have to have the ability to execute script (to drive the subframe)? Turning script execution into script execution doesn't seem terribly exciting.
,
Nov 10 2017
andypaicu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 10 2017
,
Nov 25 2017
andypaicu: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 25 2018
,
Feb 18 2018
,
Mar 7 2018
,
Apr 19 2018
,
May 30 2018
,
Jul 25
,
Sep 5
,
Sep 20
I suspect this bug has been fixed in the meantime together with one of the related ones (we did fix a bunch of inheritance issues in CSP) but the original link is not available and there is no exact description of how the bypass worked Is there any chance to get the original link back up, or does anyone that commented here know enough details to help test this?
,
Sep 20
Hi , I could confirm this was fixed in august , but I lost the original POC.
,
Sep 20
Thank you, I will marked it as fixed then.
,
Sep 20
,
Sep 24
,
Sep 27
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
,
Sep 28
Thanks for the report ma7h1as.l@ the VRP panel decided to award $1,000. Cheers!
,
Sep 28
,
Sep 28
,
Sep 28
re #24 thank you, could you please change the credit information to "Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab" for all of my bugs in the future?
,
Sep 28
I've updated our records, thanks!
,
Sep 28
,
Oct 15
could you please assign a CVE-ID for it when releases M70 chrome, thank you.
,
Dec 27
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||
Comment 1 by ma7h1a...@gmail.com
, Oct 27 201747.3 KB
47.3 KB View Download