Chrome: bypass for download filetype blacklist, extension->native privesc

2017-02-26T00:00:00
ID SSV:92718
Type seebug
Reporter Root
Modified 2017-02-26T00:00:00

Description

This bug report describes a vulnerability that can be used by an extension with some permissions to escalate to native code execution on Linux desktops if Java is installed. No user interaction is required.

Chrome permits extensions with appropriate permissions ("downloads" and "downloads. open") to download files and then open the downloaded files using a platform-dependent mechanism if the download wasn't blocked by the file extension blacklist. On Linux, xdg-open is responsible for handling requests to open files. It attempts to determine a MIME type using the file extension and magic bytes at the start of the file using information from /usr/share/mime. Then, an application is selected to open the file, e.g. using information from the *. desktop files in /usr/share/applications.

The openjdk-7-java. desktop file registers "java-jar" as the command using which the MIME-types application/x-java-archive, application/java-archive and application/x-jar should be opened. The MIME database describes the following properties of the MIME type application/x-java-archive:

has the alias: application/java-archive has the alias: application/x-jar matches: files with name *. jar is child of application/zip is the parent of application/vnd. android. package-archive

application/vnd. android. package-archive, in turn, matches files with name *. apk.

This means that, if a . apk file is encountered and no specific handler is registered for application/vnd. android. package-archive, xdg-open falls back to application/x-java-archive and runs the . apk file with "java-jar". Chrome does not blacklist *. apk (except on Android), so this bypasses the file extension blacklist.

The rule for the APK files comes from https://cgit.freedesktop.org/xdg/shared-mime-info/tree/freedesktop.org.xml.in , so it is probably effective across most distros.

A remaining problem is that chrome. downloads. open() requires a user gesture. Since it would be neat if this attack worked without any user interaction, I looked for a bypass, and there is one: The Input. dispatchMouseEvent method of the browser debug protocol supports faking input events that count as user gestures. This method can be invoked through the chrome. the debugger API by any extension with the "debugger" permission. (Another way to bypass this restriction would be to compromise a renderer in blessed extension context and then send a crafted ExtensionHostMsg_Request with user_gesture=true.)

VERSION

Chrome Version: 54.0.2840.100 stable Operating System: Linux, Ubuntu

REPRODUCTION CASE

  1. Unzip the attached chrome-ext-to-native-linux.zip.
  2. Load the resulting folder as an unpacked extension.
  3. gnome-calculator should appear.

Attachment: chrome-ext-to-native-linux.zip

Upstream bug: https://bugs.chromium.org/p/chromium/issues/detail?id=666824

The APK part is fixed in https://chromium.googlesource.com/chromium/src.git/+/49d4920a95c5f0796a4bfc807c66311b9134fee6 .