Bug Opens Chrome to Easy Remote Code Execution 61
Orome1 writes "ACROS Security notified Google about a peculiar behavior of the Chrome browser that can be exploited for execution of remote code outside Chrome sandbox under specific conditions. It is another case of file planting, where an application loads a data file (as opposed to binary file, leading to binary planting) from the current working directory. Google decided that this was not a vulnerability, but rather a 'strange behavior that [they] should consider changing.' The reason they provided was that 'the social engineering level involved here is significantly higher than "Your computer is infected with a virus, download this free anti-virus software and run the exe file to fix it."'"
Unnecessary... (Score:1)
Why is that even necessary? Remote libs could be loaded via FUSE/NFS (Linux, Solaris, Mac OS X) mounts or SMB/CIFS (Windows). Not hard to change with no loss of functionality for corporate needs...
Re: (Score:1)
Oh my... (Score:1)
Windows (Score:2)
Go figure.
Re: (Score:3)
Linux (Score:1)
Go figure. [google.com]
Re: (Score:2)
Easy? (Score:5, Informative)
The link indicates it is far from easy. First, the user must not be using Google as the Chrome search engine, nor have used HTTPS at all during the browsing session, as either causes the window of opportunity to close until Chrome is restarted. Secondly, the attacker must trick the user into moving Chrome's CWD using Open/Save As to a network drive where they have control. THEN the attack is easy as the following HTTPS site the user visits will trigger the loading of arbitrary code controlled by the attacker. But overall it is far easier to trick a user into opening an e-mail attachment or downloading and executing arbitrary code to begin with imo...
Re: (Score:3)
Re:Easy? (Score:4, Informative)
NSS is maintained by its module owners, who happen to work at Google at the moment. At least one of them is on the Chrome team.
Mozilla hosts the bug tracker and code repository.
So NSS is maintained by Mozilla about the same way as the Linux kernel is maintained by kernel.org.
Re: (Score:1)
Seems to be a very small subset of users that would be affected. I wonder what % of Chrome users are using a different search engine... I'd bet its a pretty small# on just the first caveat.
Chrome also runs as root (Score:3)
Ironically Chrome magnifies the importance of security holes that escape the sandbox by it's design. Chrome retains root privledges by default. you can turn this off but then it won't update. That is chromes update manager downloads and installs and exectutes code automatically with root privledges. it does not require you to enter your password to do this.
Thus if an exploit can re-direct chrome into trusting other URLs than it should it's var more of a security hole than it would be if chrome did not re
Re: (Score:3)
Bug or Feature? (Score:1)
but you don't get all sorts of popups and new tabs spamming you about it like with firefox.
Is this a bug or feature?
I vote bug!
Re: (Score:2)
A many kloc network client and the choice to either run it with root privileges or update it with a popup...
In my universe the answer would be DROP ROOT PRIVILEGES OBVIOUSLY... or install an updater and run that one only as root.
web2py, a python project, autoupdates and I don't recall having seen anything about running as root on windows. If so, why google can't do that too...
Re: (Score:3)
Re: (Score:2)
Why would you run it as root for the update function instead of using your distro's repositories?
I was rather surprised to note that Gentoo was current with Chromium. Firefox is still at 3.6.20. Still no Chrome though.
Re: (Score:1)
Firefox was updated to 7.0 fairly quick after release, same with 6.0 and 5.0. 4.0 has been too long for me to remember how long it took. http://packages.gentoo.org/package/www-client/firefox [gentoo.org]
Chrome I can't comment on how quickly it stays updated but it is very much in the package manager. http://packages.gentoo.org/package/www-client/google-chrome [gentoo.org]
Re: (Score:2)
I run stable.
google-chrome is masked
Firefox is 3.6.20
Re: (Score:1)
As far as google-chrome goes only the alpha builds are hard masked.
As for them not being in stable I can't say I know, but the issue appears to be one similar to not wanting to enable backports in debian and not understanding why you're also still one Firefox (sorry, iceweasel) 3.6.20. It sounds like a non-issue to me.
You can also specify that you want the "unstable/testing" versions of those packages fairly easily and painlessly.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
You get UAC popups in Firefox because it is installed in %ProgramFiles%
You don't get UAC popups with Chrome because it is installed in %UserProfile%\AppData\Local\
Chrome doesn't have any administrative privileges.
Re: (Score:2)
> The link indicates it is far from easy.
That's more of an argument for security through obscurity.
Chrome implements Native Code Execution* in a web browser and it was a bone-headed move from the start. The only technology I can think of that may be more idiotic is executing code handed off from an email attachement. And look where that got us. Google assumed a huge liability implementing NCE and this proves you cannot take that kind of gamble because you simply cannot make a guarantee about absolute bu
Re: (Score:1)
This has nothing to do with NaCl (which I'm assuming you are referring to by "native code execution") and you should be ashamed for trying to pin this on it. Feel free to actually read the whitepapers on NaCl and look into the internals of how it works.
Re: (Score:2)
Re: (Score:2)
That's more of an argument for security through obscurity.
No, it's saying that something which requires an extremely elaborate feat of social engineering and even when pulled off successfully is able to affect only a small fraction of the user base, and only some of the time, is not very much of a security risk. It's undesirable behavior which they should probably change, but the chances of successfully exploiting it are vanishingly small, particularly compared to alternate attacks with much greater efficacy and lower threshold for success, and which are easier t
Grandma (Score:2)
Yeah, I don't quite see Grandma falling for this... she couldn't even understand the instructions, let alone be fooled into doing this.
Re: (Score:3)
Re: (Score:2)
The link indicates it is far from easy. First, the user must not be using Google as the Chrome search engine, nor have used HTTPS at all during the browsing session, as either causes the window of opportunity to close until Chrome is restarted.
I'm curious why TFA didn't mention this: unless Chrome overwrites pkcs11.txt on each start, which I don't believe it does, then the modified pkcs11.txt will still be there for Chrome to load the next time it's launched.
Not really that much of an issue (Score:1)
Re: (Score:2)
Yeah, I wish conditions such as that lowered the priority of an exploit.
Does pkcs11.txt "Reset" After Each Run? (Score:2)
The article states that the vulnerability is triggered when a library load is added to pkcs11.txt, and it's really not a problem because as long as you are using Google as a search engine (or anything else that would load up PKCS routines before the pkcs11.txt is modified) then you are not going to run into any problems. But if pkcs11.txt does get modified because the user loads on a malicious payload, does pkcs11.txt somehow reset to its original content when Chrome is shutdown? Or is that library line s
Re: (Score:2)
It sounds like Chrome delays loading NSS until it is needed (for the first HTTPS request made). When NSS loads it loads pkcs11.txt and looks for user-definable configuration settings. The idea of changing the CWD is just because if the hacker can write to C:\pkcs11.txt (where Chrome would look for it assuming Chrome's default installation location) the hacker already has control of the PC. Changing the CWD before the first HTTPS request allows the hacker to control where Chrome looks for that file. The
Re: (Score:2)
Re: (Score:2)
Only if it can drop pkcs11.txt into the default directory. Otherwise, it goes back to hoping that the user doesn't go to any ssl sites until after they've disabled google search and saved a file in the malware-controlled directory.
Re: (Score:1)
Re: (Score:2)
Not seeing any criticality here. (Score:3)
This "hack" requires user-level privileges. "User-level" means equivalent to a non-administrator running a .exe file.
Chrome resides in the user folder rather than the Program Files folder. This is by design: a non-administrator user can install and update Chrome, without the installer/updater having to ask for administrator privileges.
In other words, if user-level code can update Chrome, user-level code can just as easily mess with Chrome itself. Or, for that matter, encrypt the user's data files using long encryption keys, then pop up messages telling the user "pay us $50 and we'll give you the encryption key to get your data back". Yes, that's a problem, and the problem is users who run executable files that they shouldn't. While non-administrator users shouldn't have the ability to hose their OS, they can easily hose their data. Since Chrome resides (by design) in their "data", obviously they can hose Chrome. This is no surprise.
Furthermore, web pages shouldn't be able to get user-level privileges. They'd first have to break out of the browser's sandbox. So this isn't actually remote code execution, unless there's some way to remotely execute user-level code already. And when one of those leaks is found, you bet it's a critical bug and they'll immediately start writing a patch for it.
Both this "leak" and the "floodgates" are already protected by what already protects the user from any random .exe file found on the web: the browser's sandbox, and the user himself.
Easy? (Score:2)
Unless I've missed something, the steps to cause this are long and specific, requiring a pretty much already compromised machine to cause. Not really seeing the ease, here. Or for that matter the criticality.
I agree with Google on this one.
Wat? (Score:1)
The OP has an unusual definition of easy.
Need local access (Score:2)
Re: (Score:1)
Re: (Score:2)
Am I missing something?
Yes. The default download directory is not Chrome's default working directory.
Re: (Score:2)
Note quite: the first of them has to be in the root of the CWD (e.g., on Windows, if the CWD is C:\foo\bar\baz, the file has to be in C:\), and the other one can be anywhere, since its accessed by an address provided in the first file.