Patch: https://chromium-review.googlesource.com/c/chromium/src/+/844075

+cc bauerb for review.

Nice find, thanks! 

Is there any reason why the CSP cannot be tightened for all interstitials?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a296eff269063ef8daa7cdacf4483d3993214a1b

commit a296eff269063ef8daa7cdacf4483d3993214a1b
Author: Rob Wu <rob@robwu.nl>
Date: Sun Dec 24 15:37:52 2017

Fix XSS in supervised user interstitial

BUG= 797525 

Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93
Reviewed-on: https://chromium-review.googlesource.com/844075
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Commit-Queue: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/heads/master@{#526158}
[modify] https://crrev.com/a296eff269063ef8daa7cdacf4483d3993214a1b/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js

Labeling as medium-severity because this would require the user to install an extension to exploit.

Verified fixed in 65.0.3322.0 using the STR from the report.

Requesting merge of a296eff269063ef8daa7cdacf4483d3993214a1b to M-64.

This bug requires manual review: We are only 8 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

awhalley@ I don't think we have to take this into M64 at this point but letting you make that call :)

awhalley@ also agrees that we can wait to ship this fix in M65. 

> The impact of this vulnerability is access to any privileged webui API that is exposed to the page, as well as the ability to navigate to any other restricted URL ( such as chrome://quit ).

As far as I can tell chrome://interstitials pages don't have access to privileged APIs. Can you please give an example?

> The impact of this vulnerability is access to any privileged webui API that is exposed to the page,
> as well as the ability to navigate to any other restricted URL ( such as chrome://quit ).

As far as I can tell chrome://interstitials pages don't have access to privileged APIs. Can you please give an example?

This XSS impacts two pages, chrome://interstitials (easy to exploit, see PoC) and the actual supervised user error interstitial (I haven't checked the list of available APIs here because the demonstrated issue in chrome://interstitials itself seems enough).
All WebUI pages (including chrome://intersititals) have access to the default webUI APIs from GenericHandler: https://chromium.googlesource.com/chromium/src/+/c9c27c4338cb1b8ad21a168d905cc4c964e857fb/content/browser/webui/generic_handler.cc#23

You can easily test this with the following snippet (crashes the tab, chrome://kill can normally not be opened by regular pages or extensions - see content::IsRendererDebugURL ):
chrome.send('navigateToUrl', ['chrome://kill', '', 0, false, false, false, false]);

Though webUI pages can seemingly already navigate to such URLs with standard JS APIs such as `location = ...` (as shown by my exploit).

Thanks, so navigateToUrl is the only additional API that an XSS will have access to.

I'm not entirely sure that's a security sensitive API though. Best it can do is DoS the browser by navigating to special URLs. Note that an extension can already emulate the behavior of chrome://kill by closing all tabs ( bug 180066 ). Beyond that, an extension doesn't seem to gain much by XSSing these interstitials.

@#14

chrome://quit's code path is very different from closing Chrome by closing all tabs using extension APIs.
chrome://restart allows extensions to restart Chrome (something that extensions cannot do (see ExtensionTabUtil::IsKillURL ).

I mainly view this vulnerability as a gadget to build automatic exploits for vulnerabilities surrounding the startup/shutdown logic of Chrome.
E.g. in the past I reported a UAF upon shutdown ( bug 518749 ), and in search for a gadget for a fast shutdown, I found and reported  bug 518827 .

Now I don't have a new shutdown/startup vulnerability in mind this time, but I think that it's in the best interest of everyone to already report this vulnerability without waiting for more vulnerabilities to build a full exploit chain.

Merge rejected, so I'm changing the milestone label to 65.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

The VRP Panel decided to award $1,000 for this report ($500 for the issue and $500 for the patch), as it wasn't clear what privileged webui APIs are actually accessible. They were willing to re-evaluate if you can show what additional privileges an attacker can achieve in this case.

Supervised interstitials are not available from the web, there is an extension installation requirement, and the XSS gives limited privileges to the extension (navigating to chrome:// URLs). Given these, downgrading severity to low per severity guidelines, as this bug doesn't seem to meet medium severity criteria [1]. As awhalley@ said, happy to reevaluate in light of new information (which I think is quite probable).

[1] https://chromium.googlesource.com/chromium/src/+/master/docs/security/severity-guidelines.md

(And to be clear, I don't think this should decrease the reward amount)

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot