CSS Injection on chrome-search://most-visited/single.html (NTP)
Reported by luan.her...@hotmail.com, Jan 9 2018
Issue description

VULNERABILITY DETAILS
By opening https://www.google.com/_/chrome/newtab?ie=UTF-8 in a new window it's possible to redirect the page to another NTP URL (which otherwise wouldn't be possible). This allows the attacker to chain it with a vulnerability on chrome-search://most-visited/single.html and exploit the JavaScript code located in chrome-search://most-visited/single.js:

  if (info.tileTitleColor) {
    themeStyle.push('body { color: ' + info.tileTitleColor + '; }');
  }
  document.querySelector('#custom-theme').textContent = themeStyle.join('\n');

VERSION
I tested on: Version 63.0.3239.108

REPRODUCTION CASE
1. Access https://lbherrera.github.io/lab/ntp/css.html
2. Click on the link, a new window will open.
3. After a moment you should see an image injected into chrome-search://most-visited/single.html
Jan 9 2018
I also can't quite reproduce on Beta - I'm just seeing 8 black rectangles. That said, this was already fixed for M65 (currently on Dev channel) by https://crrev.com/03d083a, which removed the manual CSS concatenation. So closing as fixed; let me know if I missed anything. Thanks!
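The concatenation quoted in the report, next to an allowlist-validated variant, as an added example (not Chromium's code): the `buildThemeCss*` and `isSafeCssColor` names, the colour regexes and the hostile sample value are constructed for illustration. Chromium's own fix removed the manual concatenation; this shows what goes wrong with it and one way input validation closes the same hole.

```javascript
// Added example, not Chromium's code. The NTP bug above came from pasting an
// untrusted theme value straight into stylesheet text.

// Mirrors the concatenation quoted in the report: whatever tileTitleColor
// holds lands in the <style> text, so a value containing ';' or '}' can end
// the intended declaration and start rules of its own.
function buildThemeCssUnsafe(info) {
  const themeStyle = [];
  if (info.tileTitleColor) {
    themeStyle.push('body { color: ' + info.tileTitleColor + '; }');
  }
  return themeStyle.join('\n');
}

// Strict allowlist for a CSS <color>: #rgb / #rrggbb / #rrggbbaa, or
// rgb()/rgba() with numeric components only. Everything else is rejected,
// so no ';', '}', 'url(' or other CSS syntax can reach the stylesheet.
const HEX_COLOR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/;
const RGB_COLOR =
  /^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/;

function isSafeCssColor(value) {
  return typeof value === 'string' &&
    (HEX_COLOR.test(value) || RGB_COLOR.test(value));
}

// Hardened variant: validates before emitting. Returns '' when no colour is
// set and null when the value is rejected, so the caller can keep the
// default theme instead of writing attacker-shaped text into the page.
function buildThemeCssSafe(info) {
  if (!info.tileTitleColor) return '';
  if (!isSafeCssColor(info.tileTitleColor)) return null;
  return 'body { color: ' + info.tileTitleColor + '; }';
}

// Constructed hostile value (not from the report's PoC): closes the colour
// declaration and the body rule, then opens a rule of its own.
const HOSTILE = 'red; } body { background: url(x) ';
```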
Jan 9 2018
Jan 9 2018
@treib, were you able to open "chrome-search://most-visited/single.html" in a new window using the PoC? I think this probably should be fixed as well. In my tests I was only able to reproduce the PoC using .com.br/_/chrome/newtab instead of .com/_/chrome/newtab (https://lbherrera.github.io/lab/ntp/css-br.html), and I assumed it worked for you on .com. If I had to guess, I would say which country you are from is taken into consideration and only then is the NTP opened from the Google URL.
Jan 9 2018
For me (on M64 Beta, i.e. before the fix I mentioned in comment 2), the PoC did open "chrome-search://most-visited/single.html", but I did not see the image, I just got 8 black boxes. Not quite sure what to make of that. Yes, your location does play a role: If you're in a country that has a different ccTLD, then ".com/_/chrome/newtab" will not be considered an "NTP URL" by Chrome, and it'll forward you to a regular Google homepage instead. So if you're in Brazil, then it's expected that only .com.br/... would get any special treatment.
Jan 9 2018
I was checking, and the fix you mentioned in comment 2 had already landed on M64 Beta; that's why you are getting 8 black boxes. I thought the ability to open/redirect to "chrome-search://" URLs wasn't desired and that's why it was blocked: trying to open it from any website other than the NTP gets you "Not allowed to load local resource" (which the PoC shows can be bypassed by first opening the NTP and then redirecting it to a chrome-search:// URL).
Jan 10 2018
You're right, it should not be possible for regular web pages to redirect to "chrome-search://" URLs. That's basically bug 662782, which you probably can't see because it's also tagged as "Security" :-/ Anyway, the redirect even works if the window you open isn't an NTP; I think it's just an issue with setTimeout(). So, summarizing: there is a problem here, where setTimeout() can redirect another window to a privileged URL. That's covered in bug 662782. It's low prio since there's no known way to exploit it. The actual problem reported here, the CSS injection, has been fixed.
Jan 16 2018
Jan 22 2018
I'm afraid the VRP panel declined to reward for this report, since the main issue was already fixed (#2) and we're tracking the other in issue 662782.
Apr 17 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jan 9 2018
Components: UI>Browser>NewTabPage
Labels: Security_Severity-Medium Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows Pri-1
Owner: treib@chromium.org
Status: Assigned (was: Unconfirmed)