Commit 956074c

committed
feat(chrome): add CVE-2016-5217
1 parent d81ab3e commit 956074c

File tree

1 file changed

+37
-0
lines changed

chrome/CVE-2016-5217/README.md

+37
@@ -0,0 +1,37 @@
1+
# Security: Use of unvalidated URL in PDF viewer
2+
3+
> Reported by [email protected], Oct 9 2016
4+
5+
## VERSION
6+
7+
Stable (53.0.2785.116) and latest (56.0.2886.0)
8+
9+
## Summary
10+
11+
When a PDF is opened in Chrome, the PDFium plugin is used as follows:
12+
13+
(1) <embed> by webpage -> Chrome loads PDF plugin
14+
(2) PDF plugin loads <iframe> with PDF helper extension.
15+
(3) PDF helper extension loads <embed> with privileged plugin.
16+
(4) Privileged plugin trusts any messages from the host.
17+
18+
A limited API is available between (1) and (2); for same-origin PDFs, this includes reading the content of the PDF.
19+
The plugin at (4) cannot be loaded by a web page (after bug 520422 ).
20+
21+
Now I found that (3) is web-accessible [1] *and* trusts the query string to contain the real URL (originUrl_). This URL is used for multiple security decisions, including but not limited to:
22+
- The originUrl_ can be set to a PDF that redirects elsewhere, and because the helper extension thinks that it's dealing with a same-origin PDF, it will happily leak cross-origin data.
23+
- The API for chrome://print pages is more extensive, it can be used to load any PDF, and be used to open e.g. file:-URLs in a new tab.
24+
25+
### PoC
26+
27+
I have attached a PoC for the above two examples.
28+
1. Start server.py (this is for the second example).
29+
2. If using Chrome 53, start with --isolate-extensions to force Site isolation for extensions (this is on a field trial in 53, and enabled by default in Chrome 54). This is needed to allow the chrome:// resources in the helper extension to load (otherwise the frame will run in the unprivileged tab process).
30+
3. Open http://localhost:8100
31+
4. Click on the second button, and see the content of a PDF at another origin being printed in the page.
32+
5. Click on the first button, and see file:///etc/passwd (or C:\ on Windows) being opened in a new tab (this example does not work in Chrome 54+ any more because the helper extension can no longer embed the chrome://print plugin).
33+
34+
35+
> TL;DR Use of unvalidated URL, leading to multiple issues including a same origin bypass. Site isolation made the vulnerability exploitable.
36+
37+
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=654280
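Review bot: the README's "### PoC" section refers to an attached PoC (server.py, a page at http://localhost:8100 with two buttons) and the Summary cites a footnote "[1]" for the web-accessible helper resource, but this commit adds only the README, so neither the PoC files nor the [1] reference exist in the repository; either add the referenced files alongside README.md or state in the PoC section that the original attachments are not included, and replace the dangling "[1]" with the link it was meant to carry (or drop the marker). Two smaller points in the same hunk: the CVE identifier appears only in the directory name (chrome/CVE-2016-5217), so the title line "# Security: Use of unvalidated URL in PDF viewer" should carry it, and the line "> Reported by [email protected], Oct 9 2016" has lost the reporter's address to obfuscation, so credit the reporter by name or point to the tracker entry already given in the "Link:" line.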
