Status: New
Chrome: bypass for download filetype blacklist, extension->native privesc
Reported by jannh@google.com (Project Member), Nov 18 2016
This bug report describes a vulnerability that can be used by an extension with some permissions to escalate to native code execution on Linux desktops if Java is installed. No user interaction is required.


Chrome permits extensions with appropriate permissions ("downloads" and "downloads.open") to download files and then open the downloaded files using a platform-dependent mechanism if the download wasn't blocked by the file extension blacklist. On Linux, xdg-open is responsible for handling requests to open files. It attempts to determine a MIME type using the file extension and magic bytes at the start of the file using information from /usr/share/mime. Then, an application is selected to open the file, e.g. using information from the *.desktop files in /usr/share/applications.

The openjdk-7-java.desktop file registers "java -jar" as the command using which the MIME types application/x-java-archive, application/java-archive and application/x-jar should be opened. The MIME database describes the following properties of the MIME type application/x-java-archive:

has alias: application/java-archive
has alias: application/x-jar
matches: files with name *.jar
is child of application/zip
is parent of application/vnd.android.package-archive

application/vnd.android.package-archive, in turn, matches files with name *.apk.

This means that, if a *.apk file is encountered and no specific handler is registered for application/vnd.android.package-archive, xdg-open falls back to application/x-java-archive and runs the *.apk file with "java -jar". Chrome does not blacklist *.apk (except on Android), so this bypasses the file extension blacklist.

The rule for APK files comes from https://cgit.freedesktop.org/xdg/shared-mime-info/tree/freedesktop.org.xml.in , so it is probably effective across most distros.


A remaining problem is that chrome.downloads.open() requires a user gesture. Since it would be neat if this attack worked without any user interaction, I looked for a bypass, and there is one: The Input.dispatchMouseEvent method of the browser debug protocol supports faking input events that count as user gestures. This method can be invoked through the chrome.debugger API by any extension with the "debugger" permission. (Another way to bypass this restriction would be to compromise a renderer in blessed extension context and then send a crafted ExtensionHostMsg_Request with user_gesture=true.)


VERSION
Chrome Version: 54.0.2840.100 stable
Operating System: Linux, Ubuntu


REPRODUCTION CASE
1. Unzip the attached chrome-ext-to-native-linux.zip.
2. Load the resulting folder as an unpacked extension.
3. gnome-calculator should appear.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Attachment: chrome-ext-to-native-linux.zip (3.3 KB)
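The fallback the report describes (a *.apk file resolving to application/vnd.android.package-archive, which has no handler of its own, so xdg-open walks up to the parent type application/x-java-archive and its "java -jar" handler) can be modelled in a few lines. The Python below is an added example, not code from the report, from Chromium or from xdg-utils. The MIME entries are constructed from the properties listed in the report; the handler table is a stand-in for the MimeType= lines of installed *.desktop files; the names `resolve_handler`, `globs_reaching` and the "apk-viewer" handler are assumptions made for the example. Real xdg-mime also consults magic bytes and mimeapps.list, which this model omits.

```python
from fnmatch import fnmatch

# Constructed subset of the shared-mime-info database, using the
# glob / alias / sub-class-of properties quoted in the report.
MIME_DB = {
    "application/x-java-archive": {
        "globs": ["*.jar"],
        "aliases": ["application/java-archive", "application/x-jar"],
        "parents": ["application/zip"],
    },
    "application/vnd.android.package-archive": {
        "globs": ["*.apk"],
        "aliases": [],
        "parents": ["application/x-java-archive"],
    },
    "application/zip": {"globs": ["*.zip"], "aliases": [], "parents": []},
}

# Constructed stand-in for the handlers registered by *.desktop files.
# Note that no handler is registered for the APK type, as in the report.
HANDLERS = {
    "application/x-java-archive": "java -jar",
    "application/java-archive": "java -jar",
    "application/x-jar": "java -jar",
    "application/zip": "file-roller",
}


def mime_for_filename(name):
    """Pick the MIME type whose glob matches the file name (case-insensitive)."""
    for mime, entry in MIME_DB.items():
        if any(fnmatch(name.lower(), glob) for glob in entry["globs"]):
            return mime
    return "application/octet-stream"


def resolve_handler(mime, handlers=HANDLERS):
    """Walk the type, its aliases, then its parents (breadth-first) and return
    (type_that_matched, command) for the first registered handler, or
    (None, None) when nothing up the chain can open the file."""
    queue, seen = [mime], set()
    while queue:
        current = queue.pop(0)
        if current in seen:
            continue
        seen.add(current)
        entry = MIME_DB.get(current, {"aliases": [], "parents": []})
        for candidate in [current, *entry["aliases"]]:
            if candidate in handlers:
                return candidate, handlers[candidate]
        queue.extend(entry["parents"])
    return None, None


def opener_for(name, handlers=HANDLERS):
    """(detected type, type whose handler fired, command) for a file name."""
    detected = mime_for_filename(name)
    matched, command = resolve_handler(detected, handlers)
    return detected, matched, command


def globs_reaching(command, handlers=HANDLERS):
    """Audit helper (assumed, not an xdg tool): every file glob in the database
    whose resolution ends at `command`. Useful for checking that a download
    blacklist covers every extension a dangerous handler can reach."""
    hits = []
    for mime, entry in MIME_DB.items():
        if resolve_handler(mime, handlers)[1] == command:
            hits.extend(entry["globs"])
    return sorted(hits)


if __name__ == "__main__":
    # Constructed file names; the .apk one falls through to "java -jar".
    for fname in ["sample.apk", "sample.jar", "sample.zip", "sample.txt"]:
        print(fname, "->", opener_for(fname))
    print("globs reaching 'java -jar':", globs_reaching("java -jar"))
    # Registering a dedicated APK handler stops the fallback.
    with_apk = {**HANDLERS, "application/vnd.android.package-archive": "apk-viewer"}
    print("with APK handler:", opener_for("sample.apk", with_apk))
```

The point of `globs_reaching` is the defensive check: a blacklist built from the handler's own glob ("*.jar") is incomplete, because any child type without a handler of its own inherits the parent's command, so the audit must be done over the resolved handler, not the declared glob.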
Comment 1 by jannh@google.com (Project Member), Dec 16 2016
Upstream bug: https://bugs.chromium.org/p/chromium/issues/detail?id=666824

The APK part is fixed in https://chromium.googlesource.com/chromium/src.git/+/49d4920a95c5f0796a4bfc807c66311b9134fee6 .

There is no decision on the chrome.downloads.open() part yet, so I'm not marking this as fixed yet.
Comment 2 by jannh@google.com (Project Member), Feb 16 2017
Labels: -Restrict-View-Commit Deadline-Exceeded
Deadline exceeded -- automatically derestricting
Comment 3 by jannh@google.com (Project Member), Jun 2
Labels: Methodology-documentation-review Methodology-source-review