A severe Chrome bug allowed RCE on devices running a remote headless interface


Attackers could read and write arbitrary files to a device’s hard drive

A now-fixed bug in Chrome allowed attackers to read and write local files and install malicious scripts on devices running the browser's headless interface, researchers at Contrast Security have found.

Since 2017, Chrome has included a headless mode that allows developers to run an instance of the browser without launching the user interface.

Headless Chrome can be controlled programmatically and debugged remotely, and is intended for testing web applications and web page functionality without human interaction.

In a proof-of-concept video, Contrast Security's Matt Austin showed that, using a malicious HTML file stored locally on the device running the headless browser, an attacker can read the contents of sensitive files and write arbitrary files to the device's hard drive.

From click hijacking to remote code execution

According to a discussion thread on the Chromium bug tracker, an attacker can exploit the bug if a machine is running headless Chrome in debugging mode.

Debugging mode enables the DevTools protocol, which allows developers to connect remotely to a running Chrome instance and perform tasks such as inspection, profiling, and instrumentation.
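The precondition described above is a Chrome or Chromium process started headless with the DevTools protocol exposed. The following script, an added example that is not code from the article or from Contrast Security, audits a process listing for that configuration. It parses each command line, flags instances started with `--remote-debugging-port` or `--remote-debugging-pipe`, and rates a debugging port bound to a non-loopback address higher. The sample `ps` lines are constructed, the severity thresholds are assumptions, and the loopback default of `127.0.0.1` reflects Chromium's documented default for `--remote-debugging-address`. Note that, as the article explains, the exploit was driven by a local HTML file rendered in that very browser, so a port bound only to loopback is still reachable by content the headless instance loads.

```python
"""Audit process command lines for Chrome/Chromium instances that expose the
DevTools protocol (remote debugging) while running headless.

Added example, not code from the article or from Contrast Security. The
SAMPLE_PS_LINES are constructed; severity levels are this script's assumption.
"""
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Executable basenames treated as Chrome/Chromium. Paths containing spaces
# (e.g. the macOS app bundle) would need raw argv rather than `ps` text.
CHROME_BINARIES = {"chrome", "chromium", "chromium-browser", "google-chrome", "headless_shell"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample output of `ps -eo args`, so the script runs offline.
SAMPLE_PS_LINES = [
    "/usr/bin/chromium --headless --remote-debugging-port=9222 --disable-gpu https://example.test/",
    "/opt/google/chrome/chrome --headless --remote-debugging-address=0.0.0.0 --remote-debugging-port=9222",
    "/opt/google/chrome/chrome --headless --remote-debugging-pipe",
    "/usr/bin/chromium --headless --disable-gpu --screenshot https://example.test/",
    "/usr/bin/firefox --headless",
    "node /srv/app/server.js",
]


@dataclass
class Finding:
    command: str
    headless: bool
    port: Optional[int]
    address: str
    pipe: bool
    severity: str                       # "info", "medium" or "high" (assumed scale)
    reasons: List[str] = field(default_factory=list)


def parse_chrome_cmdline(line: str) -> Optional[Finding]:
    """Return a Finding for a Chrome/Chromium command line, or None for other processes."""
    try:
        argv = shlex.split(line)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in CHROME_BINARIES:
        return None
    headless = any(a == "--headless" or a.startswith("--headless=") for a in argv)
    port: Optional[int] = None
    address = "127.0.0.1"               # Chromium's default remote-debugging address
    pipe = "--remote-debugging-pipe" in argv
    for a in argv[1:]:
        if a.startswith("--remote-debugging-port="):
            try:
                port = int(a.split("=", 1)[1])      # 0 means "pick a free port", still enabled
            except ValueError:
                port = -1                           # malformed value: still flag it
        elif a.startswith("--remote-debugging-address="):
            address = a.split("=", 1)[1]
    reasons = []
    if port is not None:
        reasons.append(f"DevTools protocol listening on TCP port {port}")
        if address not in LOOPBACK:
            reasons.append(f"debugging port bound to non-loopback address {address}")
    if pipe:
        reasons.append("DevTools protocol exposed over --remote-debugging-pipe")
    if not reasons:
        severity = "info"
    elif port is not None and address not in LOOPBACK:
        severity = "high"
    else:
        severity = "medium"
    return Finding(line, headless, port, address, pipe, severity, reasons)


def audit_process_list(lines) -> List[Finding]:
    """Keep only Chrome/Chromium instances that expose remote debugging."""
    findings = []
    for line in lines:
        f = parse_chrome_cmdline(line.strip())
        if f is not None and f.severity != "info":
            findings.append(f)
    return findings


def live_process_lines() -> List[str]:
    """Read the real process table on Linux/macOS; return [] if `ps` is unavailable."""
    try:
        out = subprocess.run(["ps", "-eo", "args"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return out.splitlines()[1:]         # drop the header line


if __name__ == "__main__":
    for f in audit_process_list(live_process_lines() or SAMPLE_PS_LINES):
        print(f"[{f.severity}] {f.command}\n    " + "; ".join(f.reasons))
```

Run it on the host that executes headless browser jobs (a CI runner, a scraping box); with no `ps` available it falls back to the constructed sample lines.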


The exploit works in several stages. The malicious HTML file contains an invisible iframe placed over a button on the page, to perform a clickjacking attack.

The iframe's source is set to the headless browser's DevTools discovery page. When the user clicks, the iframe invisibly loads the Chrome DevTools page, which carries the WebSocket token in its URL.

A second iframe is then created in the exploit page, which uses a cross-site scripting (XSS) vector in the Chrome DevTools page to set the href of the page's parent frame and of the clickjacking frame to the same origin. This allows the page to bypass cross-origin security policies.

The WebSocket token is then passed to the exploit page, which uses it to connect to Chrome's remote debugging protocol. From there, the exploit page can read local files and write arbitrary files to the target device.

In the PoC video, the attacker writes a malicious launch agent file to the target device. A launch agent is a script that runs automatically when the user logs in to the operating system.

High-severity bug

The bug, which was reported in July, was rated high severity and has been fixed in the latest version of Chromium.

To block the exploit, Chromium was patched so that the DevTools discovery page can no longer be embedded in an iframe.

The discovery page has also been deprecated, and developers are advised to use chrome://inspect instead.
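The fix described above makes the discovery page refuse to load inside another page's iframe. The general mechanism a web endpoint uses for that is the `X-Frame-Options` header or a Content Security Policy `frame-ancestors` directive. The following evaluator is an added example, not code from the article or from Chromium, and does not claim to reproduce how Chromium implemented its patch: given a response's headers, the page's own origin and a would-be embedder's origin, it reports whether a browser would permit the framing, honouring the rule that `frame-ancestors`, when present, overrides `X-Frame-Options`. The header sets, the page origin `http://localhost:9222` and the embedder origins are constructed for the demonstration, and the source-expression matching covers `'self'`, `'none'`, `*`, scheme sources and host sources with `*.` wildcards.

```python
"""Decide whether a page with the given response headers may be embedded in an
iframe by a page from `embedder_origin`.

Added example, not code from the article or from Chromium. It implements the
general anti-framing checks (X-Frame-Options, CSP frame-ancestors); the header
sets and origins at the bottom are constructed for illustration.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443", "ws": "80", "wss": "443"}


def origin_parts(origin: str) -> Tuple[str, str, str]:
    """Split 'scheme://host[:port]' into (scheme, host, port), filling the default port."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = str(u.port) if u.port else DEFAULT_PORTS.get(scheme, "")
    return scheme, (u.hostname or "").lower(), port


def source_matches(src: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the embedder origin."""
    src = src.strip()
    e_scheme, e_host, e_port = origin_parts(embedder)
    if src.startswith("'") and src.endswith("'"):
        keyword = src[1:-1].lower()
        if keyword == "self":
            return origin_parts(embedder) == origin_parts(page)
        return False                                # 'none' (or any other keyword): no match
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:      # scheme-source, e.g. "https:"
        return e_scheme == src[:-1].lower()
    # host-source: [scheme://]host[:port]; the host may start with "*."
    if "://" in src:
        s_scheme, rest = src.lower().split("://", 1)
    else:
        s_scheme, rest = origin_parts(page)[0], src.lower()   # scheme defaults to the page's
    host, _, port = rest.partition(":")
    if s_scheme != e_scheme:
        return False
    if port != "*" and (port or DEFAULT_PORTS.get(s_scheme, "")) != e_port:
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])            # "*.example.com" matches subdomains only
    return e_host == host


def may_be_framed(headers: Dict[str, str], page_origin: str, embedder_origin: str) -> bool:
    """True if a browser would let a page from `embedder_origin` load this page in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # frame-ancestors present: X-Frame-Options is ignored; an empty list means 'none'.
            return any(source_matches(s, embedder_origin, page_origin) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_parts(embedder_origin) == origin_parts(page_origin)
    return True                                     # no valid protection: any page can frame it


# Constructed header sets for a hypothetical local debug endpoint (assumed origin).
PAGE_ORIGIN = "http://localhost:9222"
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    embedder = "https://attacker.example"           # constructed third-party origin
    print("unprotected framable:", may_be_framed(UNPROTECTED, PAGE_ORIGIN, embedder))
    print("hardened framable:   ", may_be_framed(HARDENED, PAGE_ORIGIN, embedder))
```

Point it at the response headers of any internal debug or admin page to confirm that third-party origins cannot frame it; sending both headers, as `HARDENED` does, covers browsers that honour only one of the two.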

The researchers who reported the bug received a $3,000 bounty from Google's VRP panel.
