Full Report
Chrome extensions have lots of power but do have limitations. They can read the DOM but they can't execute exe files, change settings or many other things. Securing Chrome Extensions from taking over your computer is an important security model of the browser. File extensions are weird. Extensions can't read files, unless the "allow access to file URLs" flag is turned on. Some apps, like Text App, are able to edit local files as well. Being able to read or write to arbitrary files would be real bad for the system. ChromeOS is a super weird OS based upon Chrome. There are no executable files and you do everything in your browser. Since the OS settings are coupled, a user accesses files through chrome://file-manager or settings through chrome://os-settings. If an extension can run code within the context of one of these pages on chrome:// it can do whatever it wants to the system. The author was poking around the chrome://file-manager page when they saw the URL filesystem:chrome://file-manager/external/Downloads-878f28a3486b11359f7db348414fed3b5a15e573/file.txtt in local storage of the website. Functinoality, this is just like the file:// URL but not with as many restrictions. From this, they started playing to see what permissions this had and what could be done. They opened a file that had HTML and simple JavaScript tags in it. To his surprise, it worked! No CSP blocked it or anything else. This is super weird, especially considering the creation of trusted types and other things. With XSS on the super privileged URI chrome://, they knew this could be a big one. So, they dove into what this page had access to. They could read other pages, issue requests to preferences, read/write local files and more. Hype! But how do we get the user to execute this, especially with the random hash in the file name? A Chrome extension can easily download files; so, this isn't a problem. To get the hash, it's simply a hash of the username that can be queried from the standard Chrome extension APIs. With this, they could download a file, read the hash, open the file and perform very bad actions on the device. Awesome! While reviewing other sections, they found a very similar bug on the filesystem:chrome-extension URI that is specific to each chrome extension. The URL can read from chrome://resources. The more important thing is that it can execute scripts in the context of this page as well, giving another Chrome XSS! This bug existed for 7 years within Chrome! That's pretty wild for how impactful this bug is. But why does this occur? ChromeOS extended the legacy filesystem URL but didn't consider that this could be rendered from the browser since it was never meant to be. Since protections were never put in place, it led to an easy XSS. The privilege escalation itself was a change made to make the filesystem:chrome:// a real Chrome URI, giving it access to more features. This small change allowed for the XSS to go too far. The author has a great takeaway from this... "I think this type of bug is really interesting because it shows that vulnerabilities don't always come from simple mistakes; sometimes, decade-long design choices in massive and complex projects like Chrome/ChromeOS can be exploited in creative ways. "
Analysis Summary
# Vulnerability: ChromeOS Privilege Escalation via filesystem:chrome:// XSS
## CVE Details
- **CVE ID:** CVE-2023-4369 (File Manager Bug)
- **CVSS Score:** N/A (Google rewarded $10,000 across two reports; high-severity impact due to sandbox escape)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products:** Google ChromeOS
- **Versions:**
- **File Manager Bug:** Specifically affected versions 115.0.5790.98 through 115.0.5790.170 (approx. one month window).
- **Image Loader Bug:** Reported to exist in versions as old as ChromeOS 99.
- **Configurations:** Systems utilizing the `WebUIConfig` implementation for Chrome privileged pages.
## Vulnerability Description
The vulnerability stems from a design oversight where ChromeOS extended the legacy `filesystem:` URL scheme without implementing standard security restrictions (like Content Security Policy) for browser rendering.
Specifically, two flaws were identified:
1. **File Manager XSS:** By navigating to a URI such as `filesystem:chrome://file-manager/external/Downloads-[HASH]/file.html`, an attacker could execute JavaScript in the context of the highly privileged `chrome://file-manager` origin.
2. **Image Loader XSS:** A similar flaw existed in the `filesystem:chrome-extension://[ID]/` URI, allowing script execution via the Image Loader extension context, which could access `chrome://resources`.
The privilege escalation occurred because `chrome://` pages on ChromeOS are coupled with OS-level settings, allowing an attacker with XSS on these origins to read/write local files, modify network settings, and interact with device preferences.
## Exploitation
- **Status:** PoC available (demonstrated to Google VRP); patched.
- **Complexity:** Low to Medium (Requires knowledge of a user-specific hash, which is obtainable via standard extension APIs).
- **Attack Vector:** Local/Logical (Typically initiated by a malicious or compromised Chrome Extension).
## Impact
- **Confidentiality:** High (Ability to read arbitrary local files and system preferences).
- **Integrity:** High (Ability to modify system settings and write to the local filesystem).
- **Availability:** Medium (Potential to disrupt system settings or delete files).
## Remediation
### Patches
- **ChromeOS 116.0.5845.120**: Contains the fix for CVE-2023-4369 and the associated Image Loader bug.
- **Code Fixes:**
- Updated `WebUIConfig` to correctly handle/restrict `filesystem:chrome://` and `blob:chrome://` URLs.
- Blocked `/external` files from being rendered directly in the browser.
### Workarounds
- No manual workarounds are provided; users must update to the latest version of ChromeOS to ensure the `WebUI` navigation restrictions are in place.
## Detection
- **Indicators of Compromise:** High-frequency downloads of HTML/JS files followed by immediate attempts to open `filesystem:chrome://` or `filesystem:chrome-extension://` URIs.
- **Detection Methods:** Monitoring for extensions requesting excessive permissions (specifically `downloads` combined with `identity` to calculate the user hash) and observing unauthorized navigation to privileged internal schemes.
## References
- **Vendor Advisory:** [https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-chromeos_25.html](https://chromereleases.googleblog.com/2023/08/stable-channel-update-for-chromeos_25.html)
- **Chromium Issue Tracker:** [https://bugs.chromium.org/p/chromium/issues/detail?id=1464456](https://bugs.chromium.org/p/chromium/issues/detail?id=1464456)
- **Technical Write-up:** [https://derineryilmaz.com/uncovering-a-crazy-privilege-escalation-from-chrome-extensions/](https://derineryilmaz.com/uncovering-a-crazy-privilege-escalation-from-chrome-extensions/)