Issue metadata

Status: Verified
Owner:
Closed: Jan 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security

Security: heap-use-after-free in WebUIExtension::Send (chrome.send)

Reported by rob@robwu.nl, Dec 24 2017

Issue description

VULNERABILITY DETAILS
The chrome.send API in webUI converts a v8::Object to a base::ListValue at [1].
After the conversion, a previously retrieved content::RenderFrame* pointer is dereferenced at [2].
The conversion can trigger arbitrary JS code via getters, so if the caller invokes the code from a frame and removes the frame in the getter, a use-after-free occurs.

Combined with bug 797497, this is sufficient to trigger UAF with limited user interaction.
Without that bug, the impact is greatly reduced because most webui pages have "X-Frame-Options: DENY" and a CSP with "frame-src: 'none'" (so it is hard to get a frame that has access to chrome.send - the only page is chrome://print).

VERSION
Chrome Version: 63.0.3239.108 (stable), 65.0.3303.0 (canary)

REPRODUCTION CASE
1. Load the attached extension (e.g. via chrome://extensions, enable Developer Mode, "Load unpacked extension").
2. Open the developer tools, click on the Performance tab.
   (alternatively: Click on the Network tab and trigger any network activity in the current tab).

The above reproduction steps are reasonable, many web developers would satisfy the two conditions:
- Install Chrome extension.
- Open devtools and look at the network tab.

Step 2 works because of bug 797497.
If that bug is fixed, a lot of unreasonable user interaction is required to reproduce:
1. Visit chrome://print
2. Open script.js from the attached zip file with a text editor, copy the triggerUAF function's content and execute it.

I have attached a stack trace of Chromium 63.0.3239.84 with ASAN (basically a UAF at [2]).
Even more details about the UAF are in script.js inside the zip file.

[1] https://chromium.googlesource.com/chromium/src/+/d37a9f10c7e32ff40e864a2ff30478fc8a0a1169/content/renderer/web_ui_extension.cc#120
[2] https://chromium.googlesource.com/chromium/src/+/d37a9f10c7e32ff40e864a2ff30478fc8a0a1169/content/renderer/web_ui_extension.cc#126
 
webui-send-uaf.zip
2.1 KB Download
asan-chrome.send-63.0.3239.84.log
18.2 KB View Download
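An added C++ model of the ordering bug described in this report (a frame pointer fetched before an argument conversion that can run script, then dereferenced afterwards) next to the re-validation that the fix title describes. This is hypothetical code written for this page, not Chromium's web_ui_extension.cc; Frame, FrameRegistry, Converter, Outcome and RunScenario are assumed stand-ins.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model of the chrome.send pattern from the report; not Chromium code.
struct Frame { bool freed = false; std::vector<std::string> sent; };

// Stands in for the renderer's live-frame lookup. Storage survives Destroy() so the model itself is memory-safe; `freed` marks what would be a dangling pointer.
class FrameRegistry {
 public:
  Frame* Create(int id) { return (frames_[id] = std::make_unique<Frame>()).get(); }
  Frame* Lookup(int id) const {      // nullptr once the frame is gone
    auto it = frames_.find(id);
    return it != frames_.end() && !it->second->freed ? it->second.get() : nullptr;
  }
  void Destroy(int id) { if (Frame* f = Lookup(id)) f->freed = true; }
 private:
  std::map<int, std::unique_ptr<Frame>> frames_;
};

// Stands in for the v8::Object -> base::ListValue conversion: it may run script (a getter), modelled here as any callback, including one that removes frames.
using Converter = std::function<std::vector<std::string>()>;
enum class Outcome { kSent, kNoFrame, kUseAfterFree };

// Vulnerable ordering from the report: pointer fetched at [1], dereferenced at [2].
Outcome SendVulnerable(FrameRegistry& reg, int id, const Converter& convert) {
  Frame* frame = reg.Lookup(id);
  if (!frame) return Outcome::kNoFrame;
  std::vector<std::string> args = convert();        // script may remove `frame`
  if (frame->freed) return Outcome::kUseAfterFree;  // real code touches freed memory here
  frame->sent.push_back(args.empty() ? "" : args[0]);
  return Outcome::kSent;
}

// Hardened ordering, as the fix title describes: re-validate the frame after conversion.
Outcome SendHardened(FrameRegistry& reg, int id, const Converter& convert) {
  if (!reg.Lookup(id)) return Outcome::kNoFrame;
  std::vector<std::string> args = convert();
  Frame* frame = reg.Lookup(id);                    // fresh lookup, never the stale pointer
  if (!frame) return Outcome::kNoFrame;
  frame->sent.push_back(args.empty() ? "" : args[0]);
  return Outcome::kSent;
}

// Scenario from comment 6: a getter removes the frame while arguments are converted.
Outcome RunScenario(bool hardened) {
  FrameRegistry reg;
  reg.Create(1);
  Converter evil = [&reg] { reg.Destroy(1); return std::vector<std::string>{"about:blank"}; };
  return hardened ? SendHardened(reg, 1, evil) : SendVulnerable(reg, 1, evil);
}
```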

Comment 1 by rob@robwu.nl, Dec 24 2017

Cc: haraken@chromium.org
Owner: rob@robwu.nl
Status: Started (was: Unconfirmed)
Patch: https://chromium-review.googlesource.com/c/chromium/src/+/844076

Verified with test:
1. Compile Chromium with the patch.
2. Follow the STR from the report and confirm that the renderer does not cause a crash by invalid memory access (the test will still cause a renderer crash on debug builds, because NOTREACHED on debug build induces a crash).
3. (Test that chrome.send still functions as expected) Call chrome.send('whatever', []);
   This line triggers the code path (because of the array argument) and will be sent to the browser process, where it should trigger a NOTREACHED:
Check failed: false. Unhandled chrome.send("whatever")

This last line signals that the renderer did not crash and managed to pass the message to the browser, so the bug has been fixed.

Comment 2 by wfh@chromium.org, Dec 25 2017

Labels: Security_Severity-High Security_Impact-Stable

Comment 3 by sheriffbot@chromium.org, Dec 26 2017

Labels: M-63

Comment 4 by sheriffbot@chromium.org, Dec 26 2017

Labels: Pri-1

Comment 5 by bugdroid1@chromium.org, Dec 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/90585e657db48f93bd73bc45d4caa975323da41b

commit 90585e657db48f93bd73bc45d4caa975323da41b
Author: Rob Wu <rob@robwu.nl>
Date: Tue Dec 26 18:28:23 2017

Validate frame after conversion in chrome.send

BUG=797511
TEST=Manually, see https://crbug.com/797511#c1

Change-Id: Ib1a99db4d7648fb1325eb6d7af4ef111d6dda4cb
Reviewed-on: https://chromium-review.googlesource.com/844076
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526197}
[modify] https://crrev.com/90585e657db48f93bd73bc45d4caa975323da41b/content/renderer/web_ui_extension.cc

Comment 6 by rob@robwu.nl, Jan 14

Labels: Merge-Request-64
Status: Verified (was: Started)
Verified fixed in Chromium 65.0.3322.0. To rule out other patches that might have patched part of the exploit chain, I am testing the specific vulnerability with the following steps:

1. Visit chrome://print
2. Run the following from the DevTools console, and confirm that the renderer does not crash (UAF).
        var f = document.createElement('iframe');
        f.src = location.href; // Some chrome:-URL with webui bindings.
        f.onload = function() {
            var arr = ['about:blank', '', 0, true, false, false, false];
            arr.__defineGetter__('1', function() {
                f.remove();
                return '';
            });
            f.contentWindow.chrome.send('navigateToUrl', arr);
        };
        document.documentElement.appendChild(f);

Requesting merge of 90585e657db48f93bd73bc45d4caa975323da41b to M-64 to fix the UAF.

Comment 7 by sheriffbot@chromium.org, Jan 14

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: We are only 8 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by sheriffbot@chromium.org, Jan 14

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Cc: abdulsyed@chromium.org
abdulsyed@ - good for 64
Labels: -Merge-Review-64 Merge-Approved-64
Approving merge for M64. Branch:3282
Labels: -Security_Severity-High Security_Severity-Low
Given the user interaction I think this should have been triaged as Low.
#12 The user interaction is just for manual verification.
With just the ability to execute code in a web UI page, this vulnerability can be exploited automatically.

I have reported multiple vulnerabilities last month to satisfy this precondition. Do you want to see a proof of concept to raise the rating again?
E.g. bug 798184
Cc: wfh@chromium.org
@#12 User interaction is not a requirement. Here is a PoC that shows how one can automatically exploit this vulnerability (using gadgets from bug 797497 and bug 797500).

To reproduce (e.g. in Chrome 63.0.3239.108):
1. Load the attached extension (e.g. via chrome://extensions, enable Developer Mode, "Load unpacked extension").

Result: UAF.
webui-send-uaf-v2.zip
3.2 KB Download

Comment 15 by bugdroid1@chromium.org, Jan 18

Labels: -merge-approved-64 merge-merged-3282
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b51e548897bc30cd97d15048d4e32058a73323d2

commit b51e548897bc30cd97d15048d4e32058a73323d2
Author: Rob Wu <rob@robwu.nl>
Date: Thu Jan 18 21:37:27 2018

Validate frame after conversion in chrome.send

BUG=797511
TEST=Manually, see https://crbug.com/797511#c1
TBR=rob@robwu.nl

(cherry picked from commit 90585e657db48f93bd73bc45d4caa975323da41b)

Change-Id: Ib1a99db4d7648fb1325eb6d7af4ef111d6dda4cb
Reviewed-on: https://chromium-review.googlesource.com/844076
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#526197}
Reviewed-on: https://chromium-review.googlesource.com/874471
Reviewed-by: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/branch-heads/3282@{#541}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/b51e548897bc30cd97d15048d4e32058a73323d2/content/renderer/web_ui_extension.cc

Labels: -M-63 M-64
Labels: -reward-topanel reward-0
I'm afraid the VRP panel declined to reward for this bug, but will be considering it along with issue 797497.
Labels: Release-0-M64
Labels: CVE-2018-6054

Comment 20 by sheriffbot@chromium.org, Mar 27

Labels: -M-64 M-65

Comment 21 by sheriffbot@chromium.org, Apr 22

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-missing