Google Chrome Extension Vulnerability ( CVE-2018-6140 )


Allowing the chrome.debugger API to attach to Web UI pages in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.

##The Chrome Debugger API

The chrome.debugger API serves as an alternate transport for Chrome’s remote debugging protocol. Use chrome.debugger to attach to one or more tabs to instrument network interaction, debug JavaScript, mutate the DOM and CSS, etc.Use the Debuggee tabId to target tabs with sendCommand and route events by tabId from onEvent callbacks.

##Arbitrary Code Execution

In computer security, arbitrary code execution (ACE) is used to describe an attacker’s ability to execute arbitrary commands or code on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE).

Cross-site scripting (XSS)

It is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets permanently stored –And displayed Attack based on uploading a script Other users inadvertently download it –And run it.

Effects of XSS

Arbitrary malicious script executes on user’s machine in context of his web browser. At best, It runs with privileges of the site storing the script . It is often likely to run at full user privileges

##Types of Exploits ###PoC Exploit (Proof of content) An attack against a computer or network that is performed only to prove that it can be done. It generally does not cause any harm, but shows how a hacker can take advantage of a vulnerability in the software or possibly the hardware.

###Zero-day Exploit A malware attack that takes place after it is discovered and before the vendor of the vulnerable software deploys a patch, typically to the OS or Web browser. If only the software vendor becomes aware of it, the tendency is to keep the problem under wraps until a patch has been created to fix it. However, in many cases, vendors announce the flaw because users can then steer clear of the infected website or be sure to avoid opening a certain email attachment


There is an XSS vulnerability in chrome://downloads that allows an extension to run a program without user interaction. The only requirement is that the user installs or upgrades to a malicious extension. Together, web pages can run arbitrary code outside Chrome with two clicks at a specific spot in a web page. After this bug there is even an explicit check that verifies that dangerous operations are initiated by a user gesture. The DevTools protocol can run scripts with a user gesture, so this check is rendered useless. Three different ways to run arbitrary code in WebUI pages via DevTools are found:

1) Chrome Extensions are able to intercept these requests and replace the content with arbitrary data, and thus run arbitrary JavaScript code at chrome-devtools://devtools. Arbitrary network resources and local files can be read in this way, and if there is a debuggable Node.js app, then this vulnerability can also be used to launch arbitrary processes.

2) chrome-devtools://devtools/remote/ loads a remote site remote site and grants privileged APIs to this page.

3) chrome-devtools://devtools/remote/ loads remote resources via Front end app. This site hosts old versions of the DevTools frontend, including several versions with a XSS vulnerability, e.g. DevTools

All of these vulnerabilities allow an extension to launch external programs without further user interaction through this bug. Even if these bugs are fixed, then this vulnerability can still be exploited through the remote debugging protocol. In that situation, the data in the browser is naturally no longer secure. However, it should not be possible to also compromise the whole system via arbitrary executables.


CVSS v3.0 Severity and Metrics

Base Score: 8.8 HIGH

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (V3 legend)

Impact Score: 5.9

Exploitability Score: 2.8

Attack Vector (AV): Network

Attack Complexity (AC): Low

Privileges Required (PR): None

User Interaction (UI): Required

Scope (S): Unchanged

Confidentiality (C): High

Integrity (I): High

Availability (A): High

CVSS v2.0 Severity and Metrics:

Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) (V2 legend)

Impact Subscore: 10.0

Exploitability Subscore: 8.6

Access Vector (AV): Network

Access Complexity (AC): Medium

Authentication (AU): None

Confidentiality (C): Complete

Integrity (I): Complete

Availability (A): Complete

Additional Information:

Victim must voluntarily interact with attack mechanism Allows unauthorized disclosure of information Allows unauthorized modification Allows disruption of service

##Steps to Reproduce

  1. Download, create a directory and unzip it to the directory.
  2. Visit chrome://extensions, enable developer mode and load the unpacked extension.
  3. Wait a little bit, observe that chrome://downloads is opened

##Watch What Happens : Now the following happens (see video): -The PoC performs XSS in chrome://downloads - The PoC bypasses the dangerous file check (Chrome 55+, thanks to the bug) - The PoC launches an external program via the downloaded vbs script. Load the attached extension, and observe that paint is launched (on Windows). The extension uses bug 1 + bug 2 to run scripts in chrome://downloads. See the video for a demonstration. This vulnerability can be exploited as follows: - Via vulnerabilities that allow web pages to open privileged URLs. - Via Chrome extensions (that intentionally open such URLs). - Via Chrome extensions (that inadvertently open such URLs, by performing navigations on behalf of external/network request - this is not uncommon and has happened even in Google-authored extensions) - Via the omnibox (pasting or drag-and-drop)