Google Chrome Developer Tools vulnerability exploit - vulnerability warning - the black bar safety net

2014-02-27T00:00:00
ID MYHACK58:62201442567
Type myhack58
Reporter Anonymous
Modified 2014-02-27T00:00:00

Description

0x00 introduction

The story starts with a file in the Chromium source tree named InjectedScriptSource.js, which is responsible for executing the commands typed into the console. Many people would probably say:

【Wait! Why is JavaScript in charge of command execution? Isn't Chromium/Chrome written in C++?】

Yes, Chromium/Chrome itself is most definitely not written in JavaScript, but the developer tools are actually web pages. As a simple proof, open the following URL in the browser; you will see that it has exactly the same structure as the console.

chrome-devtools://devtools/bundled/devtools.html

Okay, I admit I started to digress. Let's go back to the original problem. At line 624 of InjectedScriptSource.js, in the function named _evaluateOn, we can see the following code:

    prefix = "with ((console && console._commandLineAPI) || { __proto__: null }) {";
    suffix = "}";
    // snip
    expression = prefix + "\n" + expression + "\n" + suffix;

This is a very important function, because the special console functions, for example copy('a String to Clip Board') and clear(), are made available here. These functions are members of the CommandLineAPI class.

0x01 vulnerability 1

Everything becomes interesting from here, because I had an idea: ECMAScript 5 getters and setters can be put to use. The developer tools constantly try to offer command-completion suggestions while the user is typing a command. Thanks to this behaviour, we can use a getter to run a function of our own while the user is still typing the command, which means our code executes before the user has even pressed Enter.

    Object.defineProperty(console, '_commandLineAPI', {
        get: function () {
            console.log('A command was run');
        }
    });

0x02 simply disabling console access

The idea used here is roughly the same as Facebook's.

    Object.defineProperty(console, '_commandLineAPI', {
        get: function () {
            throw 'Console Disabled';
        }
    });

As you can see, as long as an exception is thrown whenever _commandLineAPI is retrieved, console command execution is effectively disabled.
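To show concretely why a getter on console._commandLineAPI fires before the user's command runs, here is an added example (not code from the original article or from Chromium) that wraps an expression the way the quoted _evaluateOn prefix/suffix does and then installs the detecting getter from 0x01 and the disabling getter from 0x02 against it. The evaluateLikeDevTools, makeConsole, installDetector, installDisabler and demo functions are constructed for this example; it also goes one step beyond the article's snippets by marking the accessor non-configurable, so that later script cannot simply redefine it.

```javascript
// Stand-in for the _evaluateOn wrapper quoted above (hypothetical helper, not
// Chromium code). new Function() bodies are always sloppy-mode, so `with` is
// legal even in a strict file; `return` hands the expression's value back.
function evaluateLikeDevTools(consoleObj, expression) {
  var prefix = "with ((console && console._commandLineAPI) || { __proto__: null }) {";
  var body = prefix + "\nreturn (" + expression + ");\n}";
  return new Function("console", body)(consoleObj);
}

// Constructed console object with a minimal command-line API (copy() only).
function makeConsole() {
  var lines = [];
  return {
    log: function (msg) { lines.push(msg); },
    lines: lines,
    _commandLineAPI: { copy: function (s) { lines.push("copied: " + s); return true; } }
  };
}

// Vulnerability 1: the getter runs on every evaluation, before the user's own
// expression, so page script can observe (or react to) console use.
function installDetector(consoleObj, onAccess) {
  var api = consoleObj._commandLineAPI;   // keep the real API working
  Object.defineProperty(consoleObj, "_commandLineAPI", {
    configurable: false,                  // cannot be redefined later
    get: function () { onAccess(); return api; }
  });
}
// 0x02: a getter that throws disables console command execution outright.
function installDisabler(consoleObj) {
  Object.defineProperty(consoleObj, "_commandLineAPI", {
    configurable: false,
    get: function () { throw new Error("Console Disabled"); }
  });
}

function demo() {
  var r = {}, hits = 0, c1 = makeConsole(), c2 = makeConsole();
  installDetector(c1, function () { hits++; });
  r.value = evaluateLikeDevTools(c1, "1 + 1");         // 2: evaluation still works
  r.copyWorks = evaluateLikeDevTools(c1, "copy('x')"); // true: copy() resolved via `with`
  r.hits = hits;                                       // 2: getter fired once per evaluation
  installDisabler(c2);
  try { evaluateLikeDevTools(c2, "1 + 1"); r.disabled = false; }
  catch (e) { r.disabled = e.message === "Console Disabled"; }
  try { Object.defineProperty(c2, "_commandLineAPI", { value: {} }); r.locked = false; }
  catch (e) { r.locked = e instanceof TypeError; }   // non-configurable accessor stays
  return r;
}
```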

0x03 introduction II

Before explaining the more interesting content, I think we need to stop for a moment and talk about a JavaScript topic. Let us first take a look at the following example:

    function argCounter() {
        console.log('This function was run with ' + arguments.length + ' arguments.');
    }

    argCounter(); // 0
    argCounter('Hello', 'World'); // 2
    argCounter(1, 2, 4, 8, 16, 32, 64);

As we all know, arguments here is not actually an array but an object. This is also why a lot of people use the following method to convert it into a traditional array:

    var args = Array.prototype.slice.call(arguments);

One reason is that this object has some reserved fields, such as callee. Here is an example:

    // Traverse an object looking for the 'World' key value
    var traverse = function(obj) {
        // Loop each key
        for (var index in obj) {
            // If another object
            if (typeof obj[index] === 'object') {
                // Recursion yay!
                arguments.callee(obj[index]);
            }
            // If matching
            if (index === 'World') {
                console.log('Found world: ' + obj[index]);
            }
        }
    };

    // Call traverse on our object
    traverse({
        'Nested': {
            'Hello': {
                'World': 'Earth'
            }
        }
    });

I think this part is relatively rarely used. But speaking of rare, even fewer people understand arguments.callee.caller. It lets a function reference the function that called it. Its practical usefulness is arguably small, but I will still try to write an example:

    // Print the ID of the caller of this function
    function call_Jim() {
        // Get the calling function name without the call_Jim_as_ part
        return 'Hi ' + arguments.callee.caller.name.substring('call_Jim_as_'.length) + '!';
    }

    // Call Jim as John
    function call_Jim_as_John() {
        return call_Jim();
    }

    // Call Jim as Luke
    function call_Jim_as_Luke() {
        return call_Jim();
    }

    // Test cases
