Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebTorrent http server XSS #5821

Closed
feross opened this issue Aug 27, 2019 · 3 comments · Fixed by brave/brave-core#3271
Closed

WebTorrent http server XSS #5821

feross opened this issue Aug 27, 2019 · 3 comments · Fixed by brave/brave-core#3271

Comments

@feross
Copy link
Collaborator

feross commented Aug 27, 2019

Description

There's a low risk XSS in the WebTorrent http server. It relies on getting the user to visit an HTML page served by the WebTorrent http server but that we do not expose to Brave users in any UI or user flows.

The following steps are required to pull this off:

  • User clicks a link to a .torrent file or magnet link which contains a specially-crafted torrent title or file name.
  • The user starts downloading the torrent in Brave
  • The user right-clicks one of the 'Save File' links and selects 'Copy Link Address'
  • The user modifies the copied URL on their clipboard so they visit the homepage instead of the copied URL. For example, if the copied URL is http://localhost:12345/0/file.mp4, then the user would need to modify it to visit http://localhost:12345, the server index page (which lists the files in the torrent).
  • Now, the attacker's JavaScript code runs in the context of the http://localhost:12345 origin.

An alternative way to trigger this is:

  • User clicks a link to a .torrent file or magnet link which contains a specially-crafted torrent title or file name.
  • The user starts downloading the torrent in Brave
  • Attacker code running in an unrelated origin in another tab attempts to iframe all possible http://localhost:<port> combinations until they find the one that WebTorrent is using.

The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. Furthermore, even if the attacker attacked the HTTP server itself somehow (e.g. via a malformed request) the HTTP server is being run in a sandboxed Chrome extension context, so potential for damage seems limited.

The only thing the WebTorrent http server origin can do is fetch pieces of the torrent. This origin is distinct from the WebTorrent extension origin, which does not contain an XSS. It seems that the most attacker code can do is e.g. figure out what content the user is downloading and exfiltrate that information to an external server.

The attacker could also install a service worker on localhost:12345 and attempt to interfere with whatever server may run on that port in the future.


Steps to Reproduce

Copied from H1 report.

  1. Open hxxps://exec.ga/browser/brave/xss.torrent in Brave Browser.
  2. Click "Start Torrent" button
  3. Copy link address of "Save File" button.
  4. Paste it to URL bar with only hostname and port (e.g. hxxp://localhost:8080).

Actual result:

  1. Alert will be popped up.

Expected result:

  1. Alert should not popup.

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

Version 0.71.41 Chromium: 76.0.3809.132 (Official Build) nightly (64-bit)

Version/Channel Information:

  • Can you reproduce this issue with the current release?
  • Can you reproduce this issue with the beta channel?
  • Can you reproduce this issue with the dev channel?
  • Can you reproduce this issue with the nightly channel? Yes

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? No
  • Does the issue resolve itself when disabling Brave Rewards? No
  • Is the issue reproducible on the latest version of Chrome? No

Miscellaneous Information:

@feross feross added this to To do in WebTorrent via automation Aug 27, 2019
feross added a commit to brave/brave-core that referenced this issue Aug 27, 2019
@feross
Copy link
Collaborator Author

feross commented Aug 27, 2019

Fixed in webtorrent@0.107.6.

webtorrent PR: webtorrent/webtorrent#1714
brave-core PR: brave/brave-core#3271

WebTorrent automation moved this from To do to Done Aug 28, 2019
@yrliou yrliou added this to the 0.71.x - Nightly milestone Aug 28, 2019
@yrliou
Copy link
Member

yrliou commented Sep 16, 2019

Changed milestones to 0.69.x because WebTorrent is upgraded to 0.107.16 in 0.69.x by brave/brave-core#3450.

@kjozwiak
Copy link
Member

kjozwiak commented Sep 27, 2019

Verification PASSED on macOS 10.14.6 x64 using the following build:

Brave 0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision 58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS macOS Version 10.14.6 (Build 18G95)

Reproduced using 0.68.141 CR: 77.0.3865.90

Screen Shot 2019-09-27 at 1 57 26 AM

Verified using 0.69.129 CR: 77.0.3865.90

Screen Shot 2019-09-27 at 1 53 44 AM

Verification passed on

Brave 0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision 58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS Windows 10 OS Version 1803 (Build 17134.1006)

Reproduced using 0.68.141 CR: 77.0.3865.90

image

Verified using 0.69.129 CR: 77.0.3865.90

image

Verification passed on

Brave 0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision 58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS Ubuntu 18.04 LTS

image
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants