chrome protocol directory traversal

Window Snyder


Issue
A vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present, resulting in potential information disclosure.

Impact
When a chrome package is “flat” (its files sit in a directory) rather than contained in a .jar, the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk.  Many add-ons are packaged in this way.
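The root cause described above is a path resolution that joins a package root with a caller-supplied relative path without checking that the result stays inside the package. The following added example (not code from Mozilla or from this advisory) contrasts that naive resolution with a contained one; the profile and package paths are constructed placeholders, and the percent-decoding step is an assumption about how such a resolver should treat URL-encoded input before checking containment.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder for a flat add-on's content root inside a profile.
PACKAGE_ROOT = "/profile/extensions/example@addon/chrome/content"


def resolve_naive(package_root: str, relative: str) -> str:
    """Vulnerable pattern: join and normalise, never check the result.

    '..' components are honoured by normpath, so the returned path can
    lie anywhere above the package root on the disk.
    """
    return posixpath.normpath(posixpath.join(package_root, relative))


def resolve_contained(package_root: str, relative: str) -> Optional[str]:
    """Hardened pattern: decode, normalise, then require containment.

    Returns the resolved path, or None if it would leave package_root.
    Decoding happens first so that '%2e%2e' cannot slip past the check.
    """
    root = posixpath.normpath(package_root)
    candidate = posixpath.normpath(posixpath.join(root, unquote(relative)))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def is_traversal(package_root: str, relative: str) -> bool:
    """True when the naive resolver would escape the package root."""
    return resolve_contained(package_root, relative) is None


if __name__ == "__main__":
    for rel in ("images/logo.png", "a/../b.css", "../../../../other/file.js",
                "%2e%2e/%2e%2e/x"):
        print(f"{rel!r:32} naive={resolve_naive(PACKAGE_ROOT, rel)!r} "
              f"contained={resolve_contained(PACKAGE_ROOT, rel)!r}")
```

The containment test compares against `root + "/"` rather than `root` alone so that a sibling directory whose name merely starts with the package name (for example `content2`) is not accepted as inside the package.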

A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk.  Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed.  This information may be used to profile the system for a different kind of attack.

Some extensions may store information in JavaScript files and an attacker may be able to retrieve those.  Greasemonkey user scripts may be retrieved using this method.  Session storage and preferences are not readable through this technique.

Users are only at risk if they have one of the “flat” packaged add-ons installed.  Examples of popular add-ons that are vulnerable include Download Statusbar and Greasemonkey.
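Whether an installed add-on is flat or .jar-packaged can be read from its chrome.manifest: content, skin and locale registrations point either at a plain directory or at a `jar:` URI. The following added example (not code from this advisory or from the add-ons it names) classifies manifest lines so a user or administrator can list which installed packages are flat; the manifest text is constructed, the package names are placeholders, and the on-disk scan assumes the usual profile layout of one add-on directory per entry under `extensions/`.

```python
import os
from typing import List, NamedTuple

# Directives that carry a URI, and the index of that URI in the line.
URI_POSITION = {"content": 2, "skin": 3, "locale": 3}


class Registration(NamedTuple):
    directive: str
    package: str
    uri: str
    flat: bool  # True when the URI is a directory rather than a jar: URI


def parse_manifest(text: str) -> List[Registration]:
    """Parse chrome.manifest content and classify each registration."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        pos = URI_POSITION.get(fields[0])
        if pos is None or len(fields) <= pos:
            continue  # overlay, style, resource and malformed lines are skipped
        uri = fields[pos]
        result.append(Registration(fields[0], fields[1], uri,
                                   not uri.lower().startswith("jar:")))
    return result


def flat_packages(text: str) -> List[str]:
    """Distinct package names with at least one flat registration."""
    seen: List[str] = []
    for reg in parse_manifest(text):
        if reg.flat and reg.package not in seen:
            seen.append(reg.package)
    return seen


def scan_extensions_dir(extensions_dir: str) -> dict:
    """Map each add-on directory under a profile to its flat packages."""
    report = {}
    for entry in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, entry, "chrome.manifest")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8", errors="replace") as fh:
                report[entry] = flat_packages(fh.read())
    return report


# Constructed sample: one flat add-on, one jar-packaged add-on.
SAMPLE_MANIFEST = """\
# example of a flat package
content exampleflat chrome/content/
skin exampleflat classic/1.0 chrome/skin/
locale exampleflat en-US chrome/locale/en-US/
overlay chrome://browser/content/browser.xul chrome://exampleflat/content/overlay.xul

content examplejar jar:chrome/examplejar.jar!/content/
skin examplejar classic/1.0 jar:chrome/examplejar.jar!/skin/
"""

if __name__ == "__main__":
    print("flat packages:", flat_packages(SAMPLE_MANIFEST))
```

Run `scan_extensions_dir` against a real profile's `extensions` directory to get a per-add-on report; an empty list for an add-on means all of its chrome registrations are served from a .jar.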

Status

Mozilla is currently investigating this information disclosure issue and has assigned it an initial severity rating of low.  Details are available at:  https://bugzilla.mozilla.org/show_bug.cgi?id=413250

Credit

Gerry Eisenhaur first posted details of this issue along with proof of concept code at http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/.

3 responses

  1. Giorgio Maone wrote on :

    The NoScript extension prevents chrome: URIs from being loaded as scripts in content pages, effectively making this bug unexploitable no matter if the page is trusted or not.

  2. mike wrote on :

    NoScript is useless because you can exploit this flaw with a plain HTML code without using javascript: a simple chrome link is enough to exploit this flaw to steal data!

  3. bob wrote on :

    Clicking on a link in Thunderbird to open in Firefox does not work – I have to manually drag it onto Firefox.

    what do I do to fix it?

    Is it due to this newly discovered problem and what do I do to prevent it?

    If a registry issue, where in the registry would it be?

    Would a reinstall of both Thunderbird and Firefox cause me to lose my settings and data?

    Thank you