
Issue metadata

Status: Verified
Closed: Jan 14
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security

Security: chrome-devtools://devtools/remote/ can be modified by extensions

Reported by rob@robwu.nl (Project Member), Dec 23 2017

Issue description

Chrome version: 63.0.3239.108

VULNERABILITY DETAILS
chrome-devtools://devtools/remote/ loads a remote site (https://chrome-devtools-frontend.appspot.com/) and grants privileged APIs to this page.
Chrome extensions can intercept and modify these requests and consequently read arbitrary data from local files and websites.

VERSION
Chrome Version: 63.0.3239.108 (stable), 65.0.3303.0 (canary)

REPRODUCTION CASE
Load the attached extension (e.g. via the "Load unpacked extension..." button that shows up after enabling Developer Mode at chrome://extensions).

The extension will open chrome-devtools://remote/x.html, redirect the request via the webRequest extension API and use the privileges to show the contents of a local file.
Attachment: devtools-remote-intercept.zip (1.3 KB)

Comment 1 by rob@robwu.nl, Dec 25 2017

Status: Untriaged (was: Unconfirmed)
Summary: Security: chrome-devtools://devtools/remote/ can be modified by extensions (was: Security: chrome-devtools://devtools/remote/ can be imodified by extensions)
This bug also applies to chrome://devtools/custom/ (which resolves to a remote resource when Chrome is started with --custom-devtools-frontend=<URL HERE>).

The call sites are:
DevToolsDataSource::StartRemoteDataRequest
DevToolsDataSource::StartCustomDataRequest

Comment 2 by rob@robwu.nl, Dec 26 2017

Cc: rdevlin....@chromium.org dgozman@chromium.org
Owner: rob@robwu.nl
Status: Started (was: Untriaged)
Patch: https://chromium-review.googlesource.com/c/chromium/src/+/844316

+cc reviewers

Comment 3 by rsesek@chromium.org, Dec 28 2017

Labels: M-64 Security_Severity-Medium Security_Impact-Stable Pri-1

Comment 4 by bugdroid1@chromium.org (Project Member), Jan 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2649de11c562aa96d336c06136a1a20c01711be0

commit 2649de11c562aa96d336c06136a1a20c01711be0
Author: Rob Wu <rob@robwu.nl>
Date: Wed Jan 10 00:32:10 2018

Hide DevTools frontend from webRequest API

Prevent extensions from observing requests for remote DevTools frontends
and add regression tests.

And update ExtensionTestApi to support initializing the embedded test
server and port from SetUpCommandLine (before SetUpOnMainThread).

BUG=797497,797500
TEST=browser_test --gtest_filter=DevToolsFrontendInWebRequestApiTest.HiddenRequests

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ic8f44b5771f2d5796f8c3de128f0a7ab88a77735
Reviewed-on: https://chromium-review.googlesource.com/844316
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528187}
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/api/chrome_extensions_api_client.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/api/chrome_extensions_api_client.h
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/extensions/extension_apitest.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/browser/ui/webui/devtools_ui.h
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.html
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.js
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/test_devtools.html
[add] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/chrome/test/data/extensions/api_test/webrequest/test_devtools.js
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/extensions_api_client.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/extensions_api_client.h
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/web_request/web_request_permissions.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/extensions/browser/api/web_request/web_request_permissions_unittest.cc
[modify] https://crrev.com/2649de11c562aa96d336c06136a1a20c01711be0/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter

Comment 5 by rob@robwu.nl, Jan 14

Labels: Merge-Request-64
Status: Verified (was: Started)
Verified fixed in 65.0.3322.0 using the STR from the report.

Requesting merge of 2649de11c562aa96d336c06136a1a20c01711be0 to M-64.

Comment 6 by sheriffbot@chromium.org (Project Member), Jan 14

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: We are only 8 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by sheriffbot@chromium.org (Project Member), Jan 14

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Labels: reward-topanel

Recommendation is to wait until M65. Awhalley@ - thoughts?

I recommend against waiting, and merge this with 64. My patch is straightforward and does not only fix this bug, but also bug 797497.

The consequences of this bug are severe: an extension can easily abuse these vulnerabilities to run arbitrary code in privileged pages of the attacker's choice.
In bug 798222, I showed how this bug can be used to launch external programs outside of Chrome.

Cc: awhalley@chromium.org
And, of course, since Rob landed the fix, the bug is now all-but-disclosed.

I'd second a vote for merging (but will gladly defer to awhalley@).

Labels: -Security_Severity-Medium Security_Severity-High
Given the assessment in #10 I'm increasing the severity to High. This will miss this week's M64 beta, but it's just made it into Dev. rdevlin.cronin@, what's your assessment of the regression risk of this change?

From an extensions perspective, I think the risk is pretty low.

Cc: abdulsyed@chromium.org
abdulsyed@ - good for 64

As a follow-up to the fix, should extensions be able to open chrome-devtools: URLs? An outright ban would break legitimate extensions that open devtools, but is there anything else we can do?

@#15
chrome-devtools: without a target has no legitimate purpose because disconnected DevTools do not serve any user needs.
The only legitimate purpose for opening chrome-devtools: that I can think of is to engage in a remote debugging session (i.e. when the ws parameter is present).
But this use case can already be catered for by using the remote frontend URL directly.

So if you have little confidence in the ability to keep chrome-devtools: safe, then a way to reduce the impact is to rewrite chrome-devtools:-URLs to the remote frontend URL. Remote debugging should still work in this way, while extensions cannot exploit URL-based vulnerabilities of the chrome-devtools:-scheme.

If you are an advocate of this approach, I suggest creating a new bug and talking with Devlin and the DevTools team. And just in case, also search through the source code of all extensions in the Chrome Web Store to see if there are any extensions that use "chrome-devtools:".

My question was directed to everyone in this bug, including CC'ed folks. I wanted to get a first opinion before filing a separate bug.

I did indeed search for extensions containing chrome-devtools before commenting. There are such extensions, but many of the usages come from code that is shared between extensions, implying some sort of common library. I didn't dig deeper than that.

@abdulsyed - ping on the merge?

(@meacer - haven't had a chance to dive into that yet, but I haven't forgotten. :))

Labels: -Merge-Review-64 Merge-Approved-64
approving merge for M64 based on #12, #13, #14. Branch: 3282

The patch had one non-trivial merge conflict due to 019b53cca7c5fbd33fe122ef6c572134b8fe7949.
To resolve this conflict, I omitted the "request.type != content::RESOURCE_TYPE_MAIN_FRAME" check in WebRequestPermissions::HideRequest. This does not change the behavior of Chrome on the release branch, and does not impact the intended functionality of my patch. These expectations are covered by the DevToolsFrontendInWebRequestApiTest.HiddenRequests test.

I verified the patch locally as follows (on the 63 branch; I assume that it also works on 64):
- Manually: Compile chrome, load the extension from the report and confirm that the extension was not able to modify the chrome-devtools:-page (404 not found will be shown, served by the remote server).
- Automatically: Compile browser_tests, and run:
  browser_test --gtest_filter=DevToolsFrontendInWebRequestApiTest.HiddenRequests
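The fix landed in comment 4 and verified above hides requests for the remote DevTools frontend from the webRequest API, so an extension's blocking listener never gets the chance to redirect them. The block below is an added example, not Chromium's code and not the patch under discussion: a standalone C++ model of that hide decision, run over constructed sample traffic. The URL splitter, the config struct, the custom frontend base value, the sample URLs and the choice to also hide requests by their initiating origin are this example's own assumptions; the real check lives in WebRequestPermissions::HideRequest and DevToolsUI, whose exact logic this page does not show.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>
#include <vector>

// Scheme, host and path of an absolute URL: enough structure for the policy below.
struct ParsedUrl {
  std::string scheme;
  std::string host;
  std::string path;
};

// Splits "scheme://host/path". Assumption: absolute URLs without userinfo;
// anything else is rejected rather than guessed at.
bool ParseUrl(std::string_view url, ParsedUrl* out) {
  const std::size_t sep = url.find("://");
  if (sep == std::string_view::npos || sep == 0) return false;
  out->scheme = std::string(url.substr(0, sep));
  const std::string_view rest = url.substr(sep + 3);
  const std::size_t slash = rest.find('/');
  out->host = std::string(rest.substr(0, slash));
  out->path = (slash == std::string_view::npos) ? "/" : std::string(rest.substr(slash));
  return !out->host.empty();
}

// Where a DevTools frontend may be served from. remote_host is the host named in
// the report; custom_frontend_base stands in for --custom-devtools-frontend=<URL>
// (empty when that flag is absent; the value used in the test is constructed).
struct DevToolsFrontendConfig {
  std::string remote_host = "chrome-devtools-frontend.appspot.com";
  std::string custom_frontend_base;
};

DevToolsFrontendConfig MakeConfig(std::string_view custom_frontend_base) {
  DevToolsFrontendConfig cfg;
  cfg.custom_frontend_base = std::string(custom_frontend_base);
  return cfg;
}

bool StartsWith(std::string_view s, std::string_view prefix) {
  return s.size() >= prefix.size() && s.substr(0, prefix.size()) == prefix;
}

// True when |url| belongs to a DevTools frontend: the chrome-devtools: scheme
// itself, the remote frontend host over HTTPS, or anything under the custom base.
bool IsFrontendResourceUrl(const DevToolsFrontendConfig& cfg, std::string_view url) {
  ParsedUrl u;
  if (!ParseUrl(url, &u)) return false;
  if (u.scheme == "chrome-devtools") return true;
  if (u.scheme == "https" && u.host == cfg.remote_host) return true;
  return !cfg.custom_frontend_base.empty() && StartsWith(url, cfg.custom_frontend_base);
}

// A request as the webRequest layer sees it; initiator is the origin that
// issued it, or "" when there is none (e.g. a top-level navigation).
struct Request {
  std::string url;
  std::string initiator;
};

// The hide decision modelled here: a request is invisible to extensions when its
// URL, or the origin that initiated it, is a DevTools frontend. Covering the
// initiator as well is this example's assumption, so that a frontend page's
// subresources stay hidden even if they are served from another host.
bool ShouldHideFromWebRequest(const DevToolsFrontendConfig& cfg, const Request& r) {
  return IsFrontendResourceUrl(cfg, r.url) ||
         (!r.initiator.empty() && IsFrontendResourceUrl(cfg, r.initiator));
}

// Filters |requests| down to those a webRequest listener may observe.
std::vector<Request> VisibleToExtensions(const DevToolsFrontendConfig& cfg,
                                         const std::vector<Request>& requests) {
  std::vector<Request> visible;
  for (const Request& r : requests) {
    if (!ShouldHideFromWebRequest(cfg, r)) visible.push_back(r);
  }
  return visible;
}

// Constructed sample traffic: the frontend navigation and its subresources
// (which the fix hides) next to ordinary page traffic (which must stay visible).
std::vector<Request> SampleRequests() {
  return {
      {"chrome-devtools://devtools/remote/x.html", ""},
      {"https://chrome-devtools-frontend.appspot.com/serve_rev/@REV_PLACEHOLDER/inspector.html", ""},
      {"https://chrome-devtools-frontend.appspot.com/serve_rev/@REV_PLACEHOLDER/inspector.js",
       "https://chrome-devtools-frontend.appspot.com"},
      {"https://example.test/page.html", ""},
      {"https://example.test/app.js", "https://example.test"},
  };
}

int main() {
  const DevToolsFrontendConfig cfg{};
  for (const Request& r : VisibleToExtensions(cfg, SampleRequests())) {
    std::cout << "visible to extensions: " << r.url << '\n';
  }
  return 0;
}
```

Run stand-alone it prints only the two example.test requests. A regression check in the spirit of DevToolsFrontendInWebRequestApiTest.HiddenRequests would serve a fake frontend from a test server, register an extension listener, and assert that the listener never observes the frontend's requests while ordinary page requests still reach it.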

Comment 21 by bugdroid1@chromium.org (Project Member), Jan 19

Labels: -merge-approved-64 merge-merged-3282
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4ac53f6cc73b9d697a286b197228fa2049136afc

commit 4ac53f6cc73b9d697a286b197228fa2049136afc
Author: Rob Wu <rob@robwu.nl>
Date: Fri Jan 19 11:43:03 2018

Hide DevTools frontend from webRequest API

Prevent extensions from observing requests for remote DevTools frontends
and add regression tests.

And update ExtensionTestApi to support initializing the embedded test
server and port from SetUpCommandLine (before SetUpOnMainThread).

BUG=797497,797500
TEST=browser_test --gtest_filter=DevToolsFrontendInWebRequestApiTest.HiddenRequests
TBR=rob@robwu.nl

(cherry picked from commit 2649de11c562aa96d336c06136a1a20c01711be0)

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: Ic8f44b5771f2d5796f8c3de128f0a7ab88a77735
Reviewed-on: https://chromium-review.googlesource.com/844316
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#528187}
Reviewed-on: https://chromium-review.googlesource.com/875984
Reviewed-by: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/branch-heads/3282@{#546}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/api/chrome_extensions_api_client.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/api/chrome_extensions_api_client.h
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/api/web_request/web_request_apitest.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/extensions/extension_apitest.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/browser/ui/webui/devtools_ui.h
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.html
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/devtoolsfrontend/fakedevtools.js
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/test_devtools.html
[add] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/chrome/test/data/extensions/api_test/webrequest/test_devtools.js
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/extensions_api_client.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/extensions_api_client.h
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/web_request/web_request_permissions.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/extensions/browser/api/web_request/web_request_permissions_unittest.cc
[modify] https://crrev.com/4ac53f6cc73b9d697a286b197228fa2049136afc/testing/buildbot/filters/mojo.fyi.network_browser_tests.filter

Labels: -Security_Severity-High Security_Severity-Medium
I was a little exuberant in #12, returning to Medium severity after consultation.

Labels: -reward-topanel reward-unpaid reward-2500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
And $2,500 for this report - thanks!

Labels: -reward-unpaid reward-inprocess

Labels: Release-0-M64

Labels: CVE-2018-6035

Comment 28 by sheriffbot@chromium.org (Project Member), Mar 27

Labels: -M-64 M-65

Comment 29 by sheriffbot@chromium.org (Project Member), Apr 22

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Labels: CVE_description-missing