Patch: https://chromium-review.googlesource.com/c/chromium/src/+/924702

if --remote-debugging-port is needed and this is a non-standard flag that has to be specifically used, then this has no security impact. Can you describe how an attacker could use this without --remote-debugging-port specified e.g. are there any times this gets turned on behind-the-scenes by Chrome in a non-obvious way?

Chrome does not turn --remote-debugging-port by itself.

Not sure that leaking the port is a big deal. Most people who run with --remote-debugging-port use well-known port as suggested in many examples on the web.

CSS injection is a thing, but what can one achieve with that?

The combination of referer leak + CSS injection allows attackers to reliably detect that remote debugging is enabled, without revealing that an attacker is looking for a vulnerability in the remote debugging server.

This allows attackers to connect to the remote debugging server, or (if blocked by firewall/NAT), exploit vulnerabilities like  bug 813540  and bug 813542 when they know that the client is vulnerable.

--remote-debugging-port is enabled by default by Selenium and Puppeteer, and as I have shown in  bug 813541 , Puppeteer  alone has a large user base.


Without this bug, the attacker needs to perform a port scan (by loading a DevTools-specific URL), which is more obvious and could trigger an investigation.

The port scan normally consists of a request to a devtools-specific URL, but with this vulnerability, attackers can also change the port scan by repeatedly loading <iframe src="http://127.0.0.1:PORT"></iframe>. Those who are unaware of this bug will not discover what the attacker is trying to achieve.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/376776f18aa5a445c13c46f5f7e573c1dad65c5a

commit 376776f18aa5a445c13c46f5f7e573c1dad65c5a
Author: Rob Wu <rob@robwu.nl>
Date: Tue Mar 13 10:15:21 2018

Use no-referrer and safe CSS for DevTools discovery page

BUG= 813541 

Change-Id: Ia73c5201d874ab2a52ecd30476e09d9a1b6d56db
Reviewed-on: https://chromium-review.googlesource.com/924702
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/heads/master@{#542756}
[modify] https://crrev.com/376776f18aa5a445c13c46f5f7e573c1dad65c5a/chrome/browser/devtools/frontend/devtools_discovery_page.html

The commit above fixes the problem, and it landed in Chrome 67.0.3369.0.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Thanks rob@ - $500 for this report, given on the severity assessment from comment 2.