Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bug Opens Chrome to Easy Remote Code Execution

Posted by Unknown on from the social-engineering-never-works dept.

Orome1 writes "ACROS Security notified Google about a peculiar behavior of the Chrome browser that can be exploited for execution of remote code outside Chrome sandbox under specific conditions. It is another case of file planting, where an application loads a data file (as opposed to binary file, leading to binary planting) from the current working directory. Google decided that this was not a vulnerability, but rather a 'strange behavior that [they] should consider changing.' The reason they provided was that 'the social engineering level involved here is significantly higher than "Your computer is infected with a virus, download this free anti-virus software and run the exe file to fix it."'"

11 of 61 comments (clear)

  1. Easy? by The+MAZZTer · · Score: 4, Informative

    The link indicates it is far from easy. First, the user must not be using Google as the Chrome search engine, nor have used HTTPS at all during the browsing session, as either causes the window of opportunity to close until Chrome is restarted. Secondly, the attacker must trick the user into moving Chrome's CWD using Open/Save As to a network drive where they have control. THEN the attack is easy as the following HTTPS site the user visits will trigger the loading of arbitrary code controlled by the attacker. But overall it is far easier to trick a user into opening an e-mail attachment or downloading and executing arbitrary code to begin with imo...

    1. Re:Easy? by The+MAZZTer · · Score: 2

      Addendum: This appears to be a bug in NSS, which is maintained by Mozilla, not Chrome. It also is reproducible on Mac, not just Windows. In addition it is not considered a security bug and is publicly view-able in the Chrome bug tracker. More reading.

    2. Re:Easy? by BZ · · Score: 3, Informative

      NSS is maintained by its module owners, who happen to work at Google at the moment. At least one of them is on the Chrome team.

      Mozilla hosts the bug tracker and code repository.

      So NSS is maintained by Mozilla about the same way as the Linux kernel is maintained by kernel.org.

    3. Re:Easy? by hairyfeet · · Score: 2

      If they have to do all of that? Its pointless there are easier ways to pwn a machine. For Windows its as easy as "ZOMG! You got teh viruz! Run "Iz_Not_Viruz_iz_Cleaner.exe' to kill it ZOMG!" or "U want teh tittez and lezbos? We got teh tittez and lezbos and so can u! Just run "Iz_Not_Bug_iz_Codec.exe' and enjoy all teh tittez and lezbos today!" and for Linux the social engineering is a little different but idea is the same and the end result is a pwned machine, see the KDE screensaver malware that went around a couple of years back, or the infected Q III arena code that actually was sitting on one of the repos being passed out for quite awhile before it got caught.

      In the end it would simply be easier to get the user to help pwn the machine FOR you than jump through this many hoops. Hell between social engineering, adobe products, and "JavaScript malware o' the day" there are now more than ever far easier ways to make a machine yours than deal with THIS much hoop jumping, it simply wouldn't be worth the effort if you can't somehow automate it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Re:Windows by The+MAZZTer · · Score: 2

    It appears to manifest on Mac as well. Read more.

  3. Chrome also runs as root by goombah99 · · Score: 2

    Ironically Chrome magnifies the importance of security holes that escape the sandbox by it's design. Chrome retains root privledges by default. you can turn this off but then it won't update. That is chromes update manager downloads and installs and exectutes code automatically with root privledges. it does not require you to enter your password to do this.

    Thus if an exploit can re-direct chrome into trusting other URLs than it should it's var more of a security hole than it would be if chrome did not retain root privledges.

    Note that many codes check for updates: ms word, firefox, and some even download the updates ahead of time. But only chrome installs and runs these as root without asking for your password.

    Basically it's unsafe to use chrome in any corporate or government environment

    Chrome is invasive in many ways. It even modifies your Environment variables on Macs.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Chrome also runs as root by josath · · Score: 2

      Basically they do this because they want to be able to update the browser silently. The update process for firefox involves dialogs popping up, you have to OK them, then next time firefox restarts you have to approve a UAC prompt (on windows at least, I assume some kind of sudo popup on linux/mac). Chrome updates silently in the background, next time you open it you have the new version, but you don't get all sorts of popups and new tabs spamming you about it like with firefox. Also updating chrome doesn't disable half your extensions which is nice.

      --
      sig? uhh, umm, ok
    2. Re:Chrome also runs as root by Nimatek · · Score: 2

      Why would you run it as root for the update function instead of using your distro's repositories?

    3. Re:Chrome also runs as root by Stormtrooper42 · · Score: 2

      Not on Windows
      You get UAC popups in Firefox because it is installed in %ProgramFiles%
      You don't get UAC popups with Chrome because it is installed in %UserProfile%\AppData\Local\

      Chrome doesn't have any administrative privileges.

  4. Not seeing any criticality here. by _0xd0ad · · Score: 2

    This "hack" requires user-level privileges. "User-level" means equivalent to a non-administrator running a .exe file.

    Chrome resides in the user folder rather than the Program Files folder. This is by design: a non-administrator user can install and update Chrome, without the installer/updater having to ask for administrator privileges.

    In other words, if user-level code can update Chrome, user-level code can just as easily mess with Chrome itself. Or, for that matter, encrypt the user's data files using long encryption keys, then pop up messages telling the user "pay us $50 and we'll give you the encryption key to get your data back". Yes, that's a problem, and the problem is users who run executable files that they shouldn't. While non-administrator users shouldn't have the ability to hose their OS, they can easily hose their data. Since Chrome resides (by design) in their "data", obviously they can hose Chrome. This is no surprise.

    Furthermore, web pages shouldn't be able to get user-level privileges. They'd first have to break out of the browser's sandbox. So this isn't actually remote code execution, unless there's some way to remotely execute user-level code already. And when one of those leaks is found, you bet it's a critical bug and they'll immediately start writing a patch for it.

    Both this "leak" and the "floodgates" are already protected by what already protects the user from any random .exe file found on the web: the browser's sandbox, and the user himself.

  5. Re:Linux by nyfle · · Score: 2

    So Linux really is more secure than Windows! ;) You, er, left out a '+' in the above URL. Go figure.