[HN Gopher] Microsoft Edge (Chromium) - Elevation of Privilege t...
___________________________________________________________________
Microsoft Edge (Chromium) - Elevation of Privilege to Potential RCE
Author : wglb
Score : 118 points
Date : 2020-01-03 20:55 UTC (1 day ago)
(HTM) web link (leucosite.com)
(TXT) w3m dump (leucosite.com)
| ptx wrote:
| This relies on two different XSS bugs where the page displays
| messages by just jamming them straight into the HTML output
| rather than properly encoding text to HTML. This technique -
| reusing the unprocessed input straight up as the output - doesn't
| seem like the first tool people ought to reach for just to
| display a simple string, so maybe the frameworks and templating
| libraries used make it far too easy to do the wrong thing?
|
| In Mithril, for example, injecting raw HTML requires you to
| explicitly call the _trust_ method[1], so doing it wrong is more
| work than doing it right, and the documentation is very clear
| about the risks of trusting data.
|
| In Thymeleaf, displaying text uses _th-text_, injecting raw HTML
| uses _th-utext_ and the documentation[2] is clear on the
| difference, but this seems a bit more subtle and easy to miss for
| those who aren't familiar with the consequences.
|
| Microsoft's ASP.NET, from what I can tell, used to[3] do it the
| PHP-style wrong-by-default way, relying on developers' unfailing
| vigilance in remembering to call _Html.Encode_ every single time
| they display a value if they wanted to avoid XSS, but in version
| 4 syntax was added for displaying values as text by default.
| Their newer Razor templating library apparently[4] also does the
| right thing.
|
| So... maybe these pages were created in old-style ASP.NET? Or
| have newer libraries recreated the mistakes of the past?
|
| [1] https://mithril.js.org/trust.html
|
| [2] https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.h...
|
| [3] https://weblogs.asp.net/scottgu/new-lt-gt-syntax-for-html-en...
|
| [4] https://blog.slaks.net/2011/01/dont-call-htmlencode-in-razor...
| londons_explore wrote:
| Whenever I read about bugs in Chrome, they are very complex
| multi-step processes that were probably found with a fuzzer.
|
| This bug I see in Chromium-based Edge looks like anyone could
| stumble across it, is far simpler, and smells like a lot less
| effort went into secure architecture design.
| ChrisSD wrote:
| > The one thing that is unique about the [New Tab Page] in the
| new Edge is that it's actually an online website
|
| > [The New Tab Page] is actually a higher privileged page.
|
| This combination sounds risky no matter how you slice it. Amongst
| other things, your user's browser security now depends on the
| security of your user-facing web site.
| userbinator wrote:
| I'm one of those who think that if you open a new tab or
| window, the only thing it should show is a blank page with the
| address bar focused, but I'm probably in the minority...
| kerng wrote:
| Totally agree, the first thing I always do is to change all
| those default settings to have a more slick setup. An easy
| setup option to achieve that would be neat.
|
| This applies to Firefox also, unfortunately...
| jfk13 wrote:
| Firefox lets you choose "Blank Page" for new windows and
| tabs in about:preferences#home -- isn't that easy enough?
| bobbylarrybobby wrote:
| Safari does that but can also show your (locally stored)
| bookmarks/favorites, which is a handy addition
| war1025 wrote:
| That is what I'd prefer as well. I thought Firefox had taken
| away the ability to set the new tab page to `about:blank` but
| I just checked and it seems that it does direct to there now.
| For a while the best I could do was to turn off all the
| widgets on their default "home" screen.
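Added example (not from the linked article or any commenter): the contrast ptx draws above between raw interpolation and encode-by-default templating, written as a small Node.js renderer with an explicit trust() opt-in modelled on Mithril's m.trust / Thymeleaf's th:utext. All function names and the sample message are hypothetical and constructed for this illustration.

```javascript
// Added example: encode-by-default HTML rendering with an explicit
// opt-in for raw markup. Hypothetical code, runs under Node.js with no
// dependencies; nothing here is taken from Edge, Chromium or the article.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or double-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Wrapper type marking markup the caller has deliberately chosen to emit
// unencoded (the equivalent of m.trust() or th:utext). Making the unsafe
// path require an explicit call is the point ptx makes in the thread.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
}
function trust(markup) { return new TrustedHtml(markup); }

// Wrong-by-default: the message is concatenated straight into the markup.
// Any '<' in the message becomes part of the page's DOM, which is the
// pattern the thread describes as the root of the NTP XSS bugs.
function renderMessageUnsafe(message) {
  return `<div class="status">${message}</div>`;
}

// Safe-by-default tagged template: every interpolated value is encoded
// unless it was wrapped in trust(). The template literal is the author's
// own markup; only the ${...} holes pass through escapeHtml.
function html(strings, ...values) {
  return strings.reduce((out, str, i) => {
    const v = values[i - 1];
    return out + (v instanceof TrustedHtml ? v.markup : escapeHtml(v)) + str;
  });
}

function renderMessageSafe(message) {
  return html`<div class="status">${message}</div>`;
}

// Constructed sample: a status message that happens to contain markup.
const SAMPLE_MESSAGE = '<script>alert(1)</script>';

console.log('unsafe :', renderMessageUnsafe(SAMPLE_MESSAGE));
console.log('safe   :', renderMessageSafe(SAMPLE_MESSAGE));
console.log('trusted:', renderMessageSafe(trust('<b>saved</b>')));
```

In the unsafe output the script element survives as live markup; in the safe output it is inert text, and only the explicitly trusted value keeps its tags.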
| ocdtrekkie wrote:
| Another scary thing about Edge I hope they choose to amend in
| the future: Edge "stories" on the new tab page often include
| Outbrain/Taboola "stories". This means you can actually be
| one-click from launching Edge to a Windows support scam popup page.
|
| I originally looked at Edge as a very secure browser choice
| until I realized Microsoft's zeal for ad revenue meant it
| literally came with malicious links built-in.
| geofft wrote:
| Hm, how much would it cost to buy an "Experts Say This
| Software Is More Effective Than Antivirus" ad on the Edge new
| tab page that encourages you to download Chrome?
| 4684499 wrote:
| > The one thing that is unique about the [New Tab Page] in the
| new Edge is that it's actually an online website
|
| IIRC Chrome used to use https://www.google.com/_/chrome/newtab as
| its ntp.
| londons_explore wrote:
| But it wasn't privileged. Specifically, it had access to a
| magic chrome:// URL which allowed listing the most recently
| used URLs in an opaque way (i.e. so that if Google went evil,
| they still couldn't see what your most visited site was or view
| its thumbnail, despite it rendering on their webpage).
| spaceribs wrote:
| These are awesome finds, but also a pretty troubling lack of care
| on both Microsoft and Chrome.
|
| 1. Why don't chrome:// pages have at least basic CSP setup to
| mitigate XSS?
|
| 2. Why isn't Microsoft using some sort of framework which
| abstracts them from direct DOM access?
| Lammy wrote:
| RE: #1, I think it's probably just one of those assumptions
| that passes over our collective heads until we have a wake-up
| call, like the need for TLS over leased fiber in the wake of
| the PRISM/MUSCULAR revelations. I could totally see a
| hypothetical "chain of changes" that led to something like a
| lack of exploit mitigations on internal/preference pages. Those
| kinds of interfaces used to be implemented with native OS GUI
| controls (or some facsimile like XUL), and I assume the
| collective thinking toward their security didn't get rethought
| much when Chrome et al implemented them with web controls.
| Considering I'm here commenting about it and not discovering
| this myself just makes me thankful these things get found at
| all :)
___________________________________________________________________
(page generated 2020-01-04 23:00 UTC)