Security: Extension can run code in the chrome-devtools://devtools (e.g. to read local files)
Issue description

Chrome version: 63.0.3239.108

The devtools may load remote sources via [1] (e.g. product_registry_impl [2]). Chrome Extensions are able to intercept these requests and replace the content with arbitrary data, and thus run arbitrary JavaScript code at chrome-devtools://devtools. Arbitrary network resources and local files can be read in this way, and if there is a debuggable Node.js app, then this vulnerability can also be used to launch arbitrary processes.

The product_registry_impl module is only loaded in some devtools tabs (e.g. the Performance and the Network). The attached proof of concept opens the devtools with the Performance tab enabled and works on Chrome 63 and 64 (in Chrome 65 it is not fully automated because of 484f731aaead5d72c26a21ea012cd2a706146f19 - you have to open the Performance tab of the devtools yourself).

Steps to reproduce:
1. Load the attached proof-of-concept extension (e.g. as an unpacked extension via chrome://extensions).
2. [Chrome 65+] Manually open the devtools and switch to the Performance tab.

Expected result:
- Nothing particular should happen in the devtools.

Actual result:
- The extension intercepts a script request, reads a local file via the devtools bindings and displays the results in a dialog in the Chrome extension.

Although not shown in the PoC, the vulnerability can silently be exploited without any further user interaction by forcing the Performance tab to be displayed initially:

Common.settings.createSetting('panel-selectedTab').set('timeline');

I have not investigated other modules declared "remote" [2]; these might also provide entry points for exploitation.

I think that the best way to fix this bug is to hide script requests originating from the devtools from extensions.
[1] https://chromium.googlesource.com/chromium/src/+/525e4537ba0e2f4e3331a38fb35b646a4bae3b51/third_party/WebKit/Source/devtools/front_end/Runtime.js#133
[2] https://chromium.googlesource.com/chromium/src/+/525e4537ba0e2f4e3331a38fb35b646a4bae3b51/third_party/WebKit/Source/devtools/front_end/inspector.json#25
Dec 25 2017
I would expect chrome-devtools://devtools/bundled/ to only serve *bundled* resources. The fact that this does not happen surprises me. Why can't these modules be bundled with the devtools?

The current implementation has several issues:
- Usability: bad internet connectivity results in decreased functionality.
- Security: a MITM attacker can perform privilege escalation (in this bug, the MITM attacker is an extension, but a network attacker is also a possibility).
- Usability in Chromium: the remote devtools is based on the git revision of the build. Custom builds of Chromium have different hashes, so the remote resources are 404.

An example of an existing remote resource (Chromium 62.0.3202.94) is: https://chrome-devtools-frontend.appspot.com/serve_file/@4fd852a98d66564c88736c017b0a0b0478e885ad/product_registry_impl/product_registry_impl_module.js

Since the revision is included in the URL, and unknown revisions return a 404, I presume that the content is static and known with the build. So if there is really a good reason for hosting the content remotely, then at the very least add an integrity check, e.g. by replacing the current XMLHttpRequest + self.eval implementation with a <script> tag and SRI (Subresource Integrity).

Remote devtools resources were introduced as an experiment in abf8b4a22fcbadff57034b1e7e601fbe464c8aca (bug 459167), and promoted to a non-experiment in b9b50923d7ea3bd02ce35ee5d9069adb5fbb1234. I cannot view bug 459167, so I am cc-ing the patch authors to see whether it is feasible to:
- disable remote resources (bundle them) for devtools instantiated at chrome-devtools://devtools/bundled/
- (or if the previous is not possible) add integrity checks for remote scripts.
Dec 25 2017
So to summarize the impact: after a user installs a malicious extension (with very limited permissions), the attacker has arbitrary access to all network resources and local files without further user interaction. Additionally, if the user opens the devtools, then the attacker can escalate to webui privileges (i.e. chrome:// pages, e.g. changing proxy settings, changing trust bits of certificates, extracting saved passwords and anything that Chrome can do). A PoC of exploiting a vulnerability in an arbitrary webui page is shown in bug 797511.

With only two user interactions (installing the malicious extension, opening the devtools), the attacker has persistent access to any local/network resource AND webUI privileges, because the malicious extension can navigate to chrome://flags and flip the --extensions-on-chrome-urls flag.
Dec 26 2017
Patch: https://chromium-review.googlesource.com/c/chromium/src/+/844316

The patch was meant to solve bug 797500 (restricting extension access to chrome-devtools://remote/), but it also breaks the security exploit of this bug report, since the DevTools do not directly load the resource through a https:-URL, but through the chrome-devtools://devtools/remote-URL [1] (the remoteBase parameter is derived from "chrome-devtools://devtools/bundled/inspector.html?remoteBase=https://chrome-devtools-frontend.appspot.com/serve_file/@3cda3761ecf33e0dbfceee709a730b955b73031f/").

Although the immediate security issue has been mitigated, I recommend considering my suggestions in comment #2 before closing the bug.

[1] https://chromium.googlesource.com/chromium/src/+/d786d7cb2fa94b01959808a18ea3b01ccaf693c1/third_party/WebKit/Source/devtools/front_end/Runtime.js#1058
Jan 1 2018
I have improved the exploit to not require any user interaction to abuse this vulnerability (besides installing a malicious extension). See bug 798222 for a PoC.
Jan 10 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2649de11c562aa96d336c06136a1a20c01711be0

commit 2649de11c562aa96d336c06136a1a20c01711be0
Author: Rob Wu <rob@robwu.nl>
Date: Wed Jan 10 00:32:10 2018

Hide DevTools frontend from webRequest API

Prevent extensions from observing requests for remote DevTools frontends and add regression tests. And update ExtensionTestApi to support initializing the embedded test server and port from SetUpCommandLine (before SetUpOnMainThread).

BUG=797497,797500
TEST=browser_test --gtest_filter=DevToolsFrontendInWebRequestApiTest.HiddenRequests
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ic8f44b5771f2d5796f8c3de128f0a7ab88a77735
Reviewed-on: https://chromium-review.googlesource.com/844316
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528187}

[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/api/chrome_extensions_api_client.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/api/chrome_extensions_api_client.h
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/extension_apitest.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/ui/webui/devtools_ui.h
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.html
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.js
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/test_devtools.html
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/test_devtools.js
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/extensions_api_client.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/extensions_api_client.h
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/web_request/web_request_permissions.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/web_request/web_request_permissions_unittest.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter
Jan 16 2018
Remote modules are very important for DevTools, and we are not going to get rid of them. They save a lot of space in the Chromium binary while allowing us to experiment and/or deliver many features no matter what size impact they have. Since we presumably fixed the "intercepted by extensions" use case (thanks Rob Wu!), remote modules should be safe now. We are loading them through https from a page with pinned (known in advance) certificate. Do you think that's susceptible to MITM attacks?
Jan 17 2018
#8 All right. Then I'm marking this bug as fixed, since the immediate security issue has been addressed, and you have confidence in the ability of Chrome to not fall victim again to MITM of remote DevTools resources.

> We are loading them through https from a page with pinned (known in advance) certificate. Do you think that's susceptible to MITM attacks?

Are you referring to HPKP? Google/Chrome is moving away from HPKP (and the affected domain is not using HPKP in the first place), so certificate pinning cannot be relied upon. If your threat model includes an attacker with network MITM abilities, then the remote DevTools module system is insecure (at the very least you need to include a hash for every externally hosted static file). If you assume that the PKI is secure (and trust content from chrome-devtools-frontend.appspot.com), then no further action is required.
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4ac53f6cc73b9d697a286b197228fa2049136afc

commit 4ac53f6cc73b9d697a286b197228fa2049136afc
Author: Rob Wu <rob@robwu.nl>
Date: Fri Jan 19 11:43:03 2018

Hide DevTools frontend from webRequest API

Prevent extensions from observing requests for remote DevTools frontends and add regression tests. And update ExtensionTestApi to support initializing the embedded test server and port from SetUpCommandLine (before SetUpOnMainThread).

BUG=797497,797500
TEST=browser_test --gtest_filter=DevToolsFrontendInWebRequestApiTest.HiddenRequests
TBR=rob@robwu.nl

(cherry picked from commit 2649de11c562aa96d336c06136a1a20c01711be0)

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ic8f44b5771f2d5796f8c3de128f0a7ab88a77735
Reviewed-on: https://chromium-review.googlesource.com/844316
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#528187}
Reviewed-on: https://chromium-review.googlesource.com/875984
Reviewed-by: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/branch-heads/3282@{#546}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}

[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/api/chrome_extensions_api_client.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/api/chrome_extensions_api_client.h
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/extension_apitest.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/ui/webui/devtools_ui.h
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.html
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.js
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/test_devtools.html
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/test_devtools.js
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/extensions_api_client.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/extensions_api_client.h
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/web_request/web_request_permissions.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/web_request/web_request_permissions_unittest.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter
Feb 5 2018
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Feb 6 2018
And $2,500 for this one - thanks as ever!
Apr 25 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rob@robwu.nl, Dec 24 2017