[FD] CVE-2017-18016 - Paritytech Parity Ethereum built-in Dapp Browser <= v1.6.10 webproxy token reuse same-origin policy bypass
- From: "oststrom \(public\)" <pub AT oststrom.com>
- Subject: [FD] CVE-2017-18016 - Paritytech Parity Ethereum built-in Dapp Browser <= v1.6.10 webproxy token reuse same-origin policy bypass
- Date: Wed, 10 Jan 2018 00:55:57 +0100
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: <fulldisclosure AT seclists.org>
Date: Jun 16th, 2017
Tag: parity same origin policy bypass webproxy token reuse
References: * https://parity.io/ 
Latest Version: 1.7.12 (stable) - fixed
1.8.5 (beta) - fixed
Other Versions: <= 1.6.10 (stable) - vulnerable
Technology: rust js
Vuln Classes: CWE-346
Origin: local (remote website, malicious dapp)
Min. Privs.: ---
Quote from the website:
> Parity Technologies is proud to present our powerful new Parity Browser.
> Integrated directly into your Web browser, Parity is the fastest and most
> secure way of interacting with the Ethereum network.
PoC: https://tintinweb.github.io/pub/pocs/cve-2017-18016/ 
> Parity Browser <=1.6.8 allows remote attackers to bypass the Same Origin
> Policy and obtain sensitive information by requesting other websites via the
> Parity web proxy engine (reusing the current website's token, which is not
> bound to an origin).
**(A)** Ethereum Parity's built-in dapp/web-browsing functionality renders
the browser same-origin policy (SOP) ineffective by proxying all requests
through the parity main process. As a result, every website navigated to
ends up with the origin http://localhost:8080. All proxied websites
therefore share one origin and are not isolated from each other by the
browser SOP, so any proxied website/dapp can access another proxied
website/dapp's resources (cookies, ...).
//see attached PoC - index.html / PoC
**(B)** Worse, because of the structure of the proxy cache URLs and the fact
that they contain a reusable, non-secret cache token that is not specific to
a URL, one proxied website/dapp can navigate to any other proxied
website/dapp and gain full script/XHR control over it, since, due to **(A)**,
the SOP imposes no restrictions between them. This could allow a malicious
website/dapp to take control of another website/dapp, performing user
interactions or XHR, or injecting scripts/DOM elements to mislead the user
or to cause other unspecified damage.
When navigating to a website with the built-in parity webbrowser, a webproxy
token is requested and sent along with an encoded request for the URL. For
parity to navigate to http://oststrom.com, the URL is turned into a proxy URL
of the form http://127.0.0.1:8080/web/[base32_encode(token+url)]. A malicious
dapp can use this information to decode its own URL, extract the token and
reuse it for any other URL, as the token is not locked to the URL. The PoC
exploits this in order to load another website into a same-origin iframe by
reusing the proxy token.
Code see 
//see attached PoC - index.html / PoC
//see github  for details
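Added illustration (not the advisory's PoC and not Parity's code): the /web/[base32(token+url)] path scheme as described above, with a check in which the token proves only that the proxy issued it, beside an assumed hardened variant that binds the token to the target origin with an HMAC so a token lifted from one page's own path is rejected for any other origin. The proxy key, the 16-character token width and all URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: a per-process proxy secret and a fixed 16-char token width (not Parity's).
PROXY_KEY = secrets.token_bytes(32)
TOKEN_LEN = 16

def encode_proxy_path(token: str, url: str) -> str:
    """Build the /web/[base32_encode(token+url)] path the advisory describes."""
    return "/web/" + base64.b32encode((token + url).encode()).decode()

def decode_proxy_path(path: str) -> tuple[str, str]:
    """What any proxied page can do with its own location: recover token and url."""
    raw = base64.b32decode(path[len("/web/"):]).decode()
    return raw[:TOKEN_LEN], raw[TOKEN_LEN:]

def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

# Weak scheme: the token only proves "this proxy issued it", so it is accepted
# next to whatever url is packed beside it.
def issue_unbound_token() -> str:
    return secrets.token_hex(TOKEN_LEN // 2)

def weak_accepts(path: str, issued: set[str]) -> bool:
    token, _url = decode_proxy_path(path)
    return token in issued  # the url part is never checked against the token

# Hardened scheme (an assumption, not Parity's fix): the token is an HMAC over
# the origin it was issued for, so the proxy recomputes it from the requested url.
def issue_bound_token(url: str) -> str:
    mac = hmac.new(PROXY_KEY, origin_of(url).encode(), hashlib.sha256)
    return mac.hexdigest()[:TOKEN_LEN]

def bound_accepts(path: str) -> bool:
    token, url = decode_proxy_path(path)
    return hmac.compare_digest(token, issue_bound_token(url))

def demo() -> tuple[bool, bool]:
    """Repack one's own token with another url; True means the scheme serves it."""
    own_url, other_url = "http://dapp.example/index.html", "http://other.example/"
    issued = {issue_unbound_token()}
    weak_token, _ = decode_proxy_path(encode_proxy_path(next(iter(issued)), own_url))
    reuse_weak = weak_accepts(encode_proxy_path(weak_token, other_url), issued)
    bound_token, _ = decode_proxy_path(encode_proxy_path(issue_bound_token(own_url), own_url))
    reuse_bound = bound_accepts(encode_proxy_path(bound_token, other_url))
    return reuse_weak, reuse_bound
```

A production design would also mix a per-session nonce into the MAC and give each proxied site its own origin (the advisory's Issue #1), which this token check alone does not address.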
Proof of Concept
* (if hosted locally) modify /etc/hosts to resolve your testdomain to your
* make `index.html` accessible on a webserver (e.g. `cd /path/to/index.html;
python -m SimpleHTTPServer 80`)
1. launch parity, navigate to the built-in webbrowser
2. navigate the built-in parity webbrowser to where the PoC `index.html` is
hosted (e.g. )
3. follow the instructions.
4. Issue 1: navigate to some websites to have them set cookies, reload the
PoC page and click "Display Cookies". Note that while the main request is
proxied by parity, subsequent calls might not be (e.g. xhr, resources). That
means you'll only see cookies set by the main site as only the initial call
shares the origin `localhost:8080`.
5. Issue 2: enter a URL into the textbox and hit `Spawn SOP Iframe`. A new
iframe will appear at the bottom of the page containing the proxied website.
Note that the calling website has full script/DOM/XHR access to the proxied
target. You can also use the "Display Cookies" button from Issue 1 to show
cookies that have been merged into the origin by loading the proxied iframe.
6. Demo 2: just a PoC to find local LAN web interfaces (e.g. your gateway's
web interface) and potentially mess with their configuration (e.g. a router
with a default password on your LAN being reconfigured by a malicious dapp
that exploits the token reuse issue 2).
* Commit  (first in 1.7.0)
* Does not fix Issue #1 - sites are generally put into same origin due to
* Fixes Issue #2 - Token Reuse
* Parity now added a note that browsing websites with their browser is
* Issue #1 is not yet fixed as the cookie of instagram.com is still shown.
* Parity v1.7.12 added a note.
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/