Zj_W1nd's BLOG

CVE-2023-4357: Chromium arbitrary file read

2025/10/24

There is already plenty of public material on reproducing this vulnerability; here I put up the following from my own reproduction process.

Background and the nature of the vulnerability

This link goes to the issue thread in which the vulnerability was reported. In it you can read the Chromium maintainers' analysis, including the actual entry call stack. The diff of the fix is another good starting point for thinking about the problem.

Starting from the fix

In the thread, commit 1f798a8525fb85be1a4aa526bdb8420f8cdced0e is reported as the fix, so let's look at that patch first.

The patch has a single key change; everything else is test files the developers added so that this situation does not come back.

diff --git a/third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc b/third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc
index 3f563c5..133e0b3 100644
--- a/third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc
+++ b/third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc
@@ -34,6 +34,7 @@
#include "third_party/blink/renderer/core/frame/local_frame.h"
#include "third_party/blink/renderer/core/inspector/console_message.h"
#include "third_party/blink/renderer/core/xml/parser/xml_document_parser.h"
+#include "third_party/blink/renderer/core/xml/parser/xml_document_parser_scope.h"
#include "third_party/blink/renderer/core/xml/xsl_style_sheet.h"
#include "third_party/blink/renderer/core/xml/xslt_extensions.h"
#include "third_party/blink/renderer/core/xml/xslt_unicode_sort.h"
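Review bot: Nothing to flag in the include itself; xml_document_parser_scope.h sorts correctly after xml_document_parser.h. Since this file now depends on XMLDocumentParserScope purely for its constructor/destructor side effects, a one-line comment where the guard is instantiated, stating that it must stay alive across the libxml parse it protects, would stop a later refactor from narrowing its lifetime.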
@@ -106,6 +107,9 @@

switch (type) {
case XSLT_LOAD_DOCUMENT: {
+ XMLDocumentParserScope scope(
+ g_global_processor->XslStylesheet()->OwnerDocument());
+
xsltTransformContextPtr context = (xsltTransformContextPtr)ctxt;
xmlChar* base = xmlNodeGetBase(context->document->doc, context->node);
KURL url(KURL(reinterpret_cast<const char*>(base)),
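Review bot: `g_global_processor->XslStylesheet()->OwnerDocument()` is dereferenced with no check on the first line of the case; if DocLoaderFunc can be reached while `g_global_processor` is unset or the stylesheet has no owner document, the renderer now crashes instead of simply refusing the load. A `DCHECK(g_global_processor)` together with an early `return nullptr` when the document is null keeps the failure mode a denied load. Declaring the guard at the top of the block gives it the whole XSLT_LOAD_DOCUMENT case as its lifetime, which is correct as long as the libxml parse of the fetched document happens inside this case rather than after the switch; a short comment saying the scope exists so that Blink's libxml load hooks see the owner document's policy during that nested parse would record the intent next to the code.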

As the patch shows, a scope object is added under the case in which libxslt asks Blink to load a document. The enclosing function is the static `xmlDocPtr DocLoaderFunc` callback, the document loader that Blink hands to libxslt.

⚠️ Note: the rest of this section relies heavily on generative AI, and some technical details may be wrong or missing.

A quick note on the parts the author did not understand at first; I suspect readers may have the same questions.

  1. The .cc extension is just C++ (Google's naming style).

  2. `scope` is an object of class XMLDocumentParserScope. The pattern is C++ RAII: the constructor installs something, and the destructor undoes it automatically when control leaves the block, so the guard covers exactly the code that follows it inside the case (not elaborated further here).

The core purpose of the two added lines is to make the OwnerDocument's browser security policy apply to the parse that libxslt triggers as well.

XMLDocumentParserScope is an RAII (enter/exit) guard: while it is alive, Blink's libxml hooks know which Document they are acting for, and that document's policy (origin checks, refusal of file URLs, the external-entity and load options) governs every load the parser triggers.

Before the patch, the nested parse in DocLoaderFunc ran with no such scope. Blink's registered libxml input callbacks only claim a load when a current document is set, so with none set the request fell through to libxml2's own default entity loader, which simply opens the path on the local filesystem; and the parser `options` libxslt passes to this loader (its defaults for document() include entity substitution and DTD loading) make the parser resolve the external entity in the first place. libxslt and libxml2 are maintained by GNOME, not by Chromium, and on their own know nothing about the browser's security model. So from the URL in the entity declaration down to the file open, not a single browser-side check ran, and the result is an arbitrary file read from the renderer process. The two stacks further down show exactly this difference: the vulnerable path ends in xmlDefaultExternalEntityLoader / xmlCheckFilename, while the denied path goes through blink::OpenFunc and ShouldAllowExternalLoad.

The fix simply binds the policy that already existed to this code path too. In one sentence: it demotes the underlying library's "general XML" capability to the subset the browser security model allows.
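To make the fail-open behaviour concrete, here is an added example (my own model written for this post, not Chromium, libxml2 or libxslt code) that mirrors the pieces named above, the RAII guard from point 2, and the stacks further down: an XMLDocumentParserScope that publishes a current document, a MatchFunc/OpenFunc pair registered the way Blink registers its libxml input callbacks, a ShouldAllowExternalLoad that takes its policy from the current document, and a default loader that just opens the path. The Document struct, the LoadOutcome enum, the same-origin prefix check and the constructed secret file are assumptions made for the demonstration; the function names are borrowed from the stacks, their bodies are simplified stand-ins.

```cpp
// Added example (not Chromium/libxml2/libxslt code): a model of libxml2's
// input-callback dispatch and Blink's XMLDocumentParserScope, showing why a
// nested parse outside the scope falls through to the library's default loader.
#include <cstdio>
#include <fstream>
#include <functional>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Document { std::string origin; };   // stand-in for blink::Document (assumed shape)

// RAII guard like blink::XMLDocumentParserScope: publishes the document whose
// policy governs loads for as long as the guard object is alive.
class XMLDocumentParserScope {
 public:
  static Document* current_document_;
  explicit XMLDocumentParserScope(Document* doc) : previous_(current_document_) {
    current_document_ = doc;
  }
  ~XMLDocumentParserScope() { current_document_ = previous_; }
 private:
  Document* previous_;
};
Document* XMLDocumentParserScope::current_document_ = nullptr;

enum class LoadOutcome { kDeniedByBlink, kFetchedByBlink, kReadByLibraryDefault };
struct LoadResult { LoadOutcome outcome; std::string data; };  // data: bytes read locally

// Table filled by xmlRegisterInputCallbacks(): libxml2 asks each registered
// match() whether it wants the URI and uses the first one that says yes.
struct InputCallbacks {
  std::function<bool(const std::string&)> match;
  std::function<LoadResult(const std::string&)> open;
};
static std::vector<InputCallbacks> g_input_callbacks;

// Analogue of blink::ShouldAllowExternalLoad(): the policy belongs to the
// current document, so with no document nothing can be allowed.
static bool ShouldAllowExternalLoad(const std::string& url) {
  const Document* doc = XMLDocumentParserScope::current_document_;
  if (!doc) return false;
  if (url.rfind("file:", 0) == 0) return false;   // local files: never
  return url.rfind(doc->origin + "/", 0) == 0;    // same-origin stand-in for CanRequest()
}

// Blink's match callback claims a load only while a parser scope is active;
// anything else is left to libxml2. That fail-open gap is the bug.
static bool MatchFunc(const std::string&) {
  return XMLDocumentParserScope::current_document_ != nullptr;
}
static LoadResult OpenFunc(const std::string& url) {
  if (!ShouldAllowExternalLoad(url)) return {LoadOutcome::kDeniedByBlink, ""};
  return {LoadOutcome::kFetchedByBlink, "<fetched through the document's loader>"};
}
static void InitializeLibXMLIfNecessary() {       // Blink registers its hooks once
  if (g_input_callbacks.empty()) g_input_callbacks.push_back({MatchFunc, OpenFunc});
}

// Analogue of xmlDefaultExternalEntityLoader(): just open the path locally.
static LoadResult DefaultExternalEntityLoader(const std::string& url) {
  const std::string prefix = "file://";
  std::ifstream in(url.rfind(prefix, 0) == 0 ? url.substr(prefix.size()) : url);
  std::stringstream buf;
  buf << in.rdbuf();
  return {LoadOutcome::kReadByLibraryDefault, buf.str()};
}
// Analogue of xmlLoadExternalEntity() -> __xmlParserInputBufferCreateFilename().
LoadResult LoadExternalEntity(const std::string& url) {
  for (const auto& cb : g_input_callbacks)
    if (cb.match(url)) return cb.open(url);
  return DefaultExternalEntityLoader(url);
}

// Unpatched DocLoaderFunc shape: the document() target is parsed with no scope
// active, so an external entity inside it reaches the library default loader.
LoadResult DocLoaderFuncUnpatched(const std::string& entity_url) {
  InitializeLibXMLIfNecessary();
  return LoadExternalEntity(entity_url);
}
// Patched shape: the scope is bound to the stylesheet's owner document before
// the nested parse, so MatchFunc claims the load and the policy decides.
LoadResult DocLoaderFuncPatched(Document* owner_document, const std::string& entity_url) {
  InitializeLibXMLIfNecessary();
  XMLDocumentParserScope scope(owner_document);
  return LoadExternalEntity(entity_url);
}

int main() {
  const std::string secret = "cve_2023_4357_demo_secret.txt";   // constructed sample file
  { std::ofstream out(secret); out << "constructed secret content\n"; }
  Document page{"https://example.test"};
  LoadResult before = DocLoaderFuncUnpatched("file://" + secret);
  LoadResult after = DocLoaderFuncPatched(&page, "file://" + secret);
  std::cout << "unpatched: outcome=" << static_cast<int>(before.outcome) << " data=\"" << before.data << "\"\n";
  std::cout << "patched:   outcome=" << static_cast<int>(after.outcome) << " data=\"" << after.data << "\"\n";
  std::remove(secret.c_str());
  return 0;
}
```

Build with `g++ -std=c++17` and run: the unpatched path returns the file's bytes, the patched path is denied before anything touches the filesystem. The point to notice is that the scope being active is what makes MatchFunc say yes at all; the policy check in ShouldAllowExternalLoad never runs unless the library asks Blink first, which is why a missing scope is not a "wrong policy" bug but a "no policy" bug.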

Debugging

In the VM environment, chrome was not built by me and has no debug information. On that basis the vulnerability is nearly impossible to debug; at the very least we cannot set breakpoints.

Building the Chromium core myself was also too troublesome (disk space, time, proxy, environment setup all caused problems), so I suggest readers use the developers' debug stacks below and read the Chromium source alongside them to understand the vulnerability.

Here is the call stack the developers captured in the thread at the time (Linux build, from the XSLT transform all the way down to the file load in libxml's default entity loader):

#0  xmlDefaultExternalEntityLoader () at ../../third_party/libxml/src/xmlIO.c:3940            
#1 0x000055555e2453b5 in xmlLoadExternalEntity () at ../../third_party/libxml/src/xmlIO.c:4021
#2 0x000055555e22ef75 in xmlCreateEntityParserCtxtInternal () at ../../third_party/libxml/src/parser.c:13407
#3 0x000055555e22998a in xmlParseExternalEntityPrivate () at ../../third_party/libxml/src/parser.c:12442
#4 0x000055555e228c6d in xmlParseReference () at ../../third_party/libxml/src/parser.c:6981
#5 0x000055555e22e2af in xmlParseTryOrFinish () at ../../third_party/libxml/src/parser.c:11454
#6 xmlParseChunk () at ../../third_party/libxml/src/parser.c:11878
#7 0x00005555603e2246 in DocLoaderFunc() () at ../../third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc:147
#8 0x000055556079b48d in xsltLoadDocument () at ../../third_party/libxslt/src/libxslt/documents.c:319
#9 0x00005555607adc13 in xsltDocumentFunctionLoadDocument () at ../../third_party/libxslt/src/libxslt/functions.c:136
#10 0x00005555607adad4 in xsltDocumentFunction () at ../../third_party/libxslt/src/libxslt/functions.c:333
#11 0x000055555e258498 in xmlXPathCompOpEval () at ../../third_party/libxml/src/xpath.c:13195
#12 0x000055555e25810e in xmlXPathCompOpEval () at ../../third_party/libxml/src/xpath.c:13347
#13 0x000055555e25410e in xmlXPathRunEval () at ../../third_party/libxml/src/xpath.c:13927
#14 0x000055555e253d6f in xmlXPathCompiledEvalInternal () at ../../third_party/libxml/src/xpath.c:14319
#15 0x000055555e253cab in xmlXPathCompiledEval () at ../../third_party/libxml/src/xpath.c:14365
#16 0x00005555607ab104 in xsltPreCompEval () at ../../third_party/libxslt/src/libxslt/transform.c:378
#17 xsltCopyOf () at ../../third_party/libxslt/src/libxslt/transform.c:4406
#18 0x00005555607a8b7f in xsltApplySequenceConstructor () at ../../third_party/libxslt/src/libxslt/transform.c:2747
#19 0x00005555607a86f5 in xsltApplyXSLTTemplate () at ../../third_party/libxslt/src/libxslt/transform.c:3205
#20 0x00005555607ad03b in xsltProcessOneNode () at ../../third_party/libxslt/src/libxslt/transform.c:2108
#21 xsltApplyStylesheetInternal () at ../../third_party/libxslt/src/libxslt/transform.c:6020
#22 0x00005555603e1728 in TransformToString() () at ../../third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc:408
#23 0x00005555603cedb6 in ApplyXSLTransform() () at ../../third_party/blink/renderer/core/xml/document_xslt.cc:81
#24 0x00005555603cf346 in Invoke() () at ../../third_party/blink/renderer/core/xml/document_xslt.cc:48
#25 0x000055555f68f6b3 in FireEventListeners() () at ../../third_party/blink/renderer/core/dom/events/event_target.cc:919
#26 0x000055555f68eadb in FireEventListeners() () at ../../third_party/blink/renderer/core/dom/events/event_target.cc:837
#27 0x00005555608e23c2 in DispatchEventAtBubbling() () at ../../third_party/blink/renderer/core/dom/events/event_dispatcher.cc:345
#28 0x00005555608e1cd5 in Dispatch() () at ../../third_party/blink/renderer/core/dom/events/event_dispatcher.cc:275
#29 0x00005555608e1184 in DispatchEvent() () at ../../third_party/blink/renderer/core/dom/events/event_dispatcher.cc:74
#30 0x000055556081fdfe in FinishedParsing() () at ../../third_party/blink/renderer/core/dom/document.cc:7526
#31 0x00005555603d063d in end() () at ../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:436
#32 0x000055555ffea7be in FinishedLoading() () at ../../third_party/blink/renderer/core/loader/document_loader.cc:1235
#33 0x000055555ffea3f3 in BodyLoadingFinished() () at ../../third_party/blink/renderer/core/loader/document_loader.cc:1148

Below is the stack from the PoC on Windows, captured with a kernel-level tracer down into NtCreateFile; frames 15 to 17 show the same libxml default loader, with xmlCheckFilename calling stat on the target path:

0       FLTMGR.SYS      FltDecodeParameters + 0x210c    0xfffff8054f3264cc      C:\WINDOWS\System32\drivers\FLTMGR.SYS
1 FLTMGR.SYS FltDecodeParameters + 0x1bba 0xfffff8054f325f7a C:\WINDOWS\System32\drivers\FLTMGR.SYS
2 FLTMGR.SYS FltAddOpenReparseEntry + 0x560 0xfffff8054f359f40 C:\WINDOWS\System32\drivers\FLTMGR.SYS
3 ntoskrnl.exe IofCallDriver + 0x55 0xfffff8054de113a5 C:\WINDOWS\system32\ntoskrnl.exe
4 ntoskrnl.exe IoGetAttachedDevice + 0x54 0xfffff8054de0d964 C:\WINDOWS\system32\ntoskrnl.exe
5 ntoskrnl.exe SeCreateAccessStateEx + 0x17fb 0xfffff8054e1ffabb C:\WINDOWS\system32\ntoskrnl.exe
6 ntoskrnl.exe SeCreateAccessStateEx + 0x347 0xfffff8054e1fe607 C:\WINDOWS\system32\ntoskrnl.exe
7 ntoskrnl.exe ObReferenceObjectByHandle + 0x375e 0xfffff8054e21571e C:\WINDOWS\system32\ntoskrnl.exe
8 ntoskrnl.exe ObOpenObjectByNameEx + 0x1fa 0xfffff8054e20d3ea C:\WINDOWS\system32\ntoskrnl.exe
9 ntoskrnl.exe NtCreateFile + 0x13bb 0xfffff8054e1fd5db C:\WINDOWS\system32\ntoskrnl.exe
10 ntoskrnl.exe NtCreateFile + 0x79 0xfffff8054e1fc299 C:\WINDOWS\system32\ntoskrnl.exe
11 ntoskrnl.exe setjmpex + 0x82b5 0xfffff8054e00f8f5 C:\WINDOWS\system32\ntoskrnl.exe
12 ntdll.dll ZwCreateFile + 0x14 0x7fffe0d8da84 C:\WINDOWS\SYSTEM32\ntdll.dll
13 KERNELBASE.dll CreateFileW + 0x5f9 0x7fffde646579 C:\WINDOWS\System32\KERNELBASE.dll
14 KERNELBASE.dll CreateFileW + 0x66 0x7fffde645fe6 C:\WINDOWS\System32\KERNELBASE.dll
15 chrome.dll common_stat<_stat64i32> + 0x72, D:\chromium\src\out\release\minkernel\crts\ucrt\src\appcrt\filesystem\stat.cpp(461) 0x7fff3abb79fa D:\chromium\src\out\Release\chrome.dll
16 chrome.dll xmlCheckFilename + 0x86, D:\chromium\src\third_party\libxml\src\xmlIO.c(703) 0x7fff3ddceeb6 D:\chromium\src\out\Release\chrome.dll
17 chrome.dll xmlLoadExternalEntity + 0x70, D:\chromium\src\third_party\libxml\src\xmlIO.c(4006) 0x7fff3ddd0560 D:\chromium\src\out\Release\chrome.dll
18 chrome.dll xmlCreateEntityParserCtxtInternal + 0x8c, D:\chromium\src\third_party\libxml\src\parser.c(13407) 0x7fff3d5a10ac D:\chromium\src\out\Release\chrome.dll
19 chrome.dll xmlParseExternalEntityPrivate + 0xfa, D:\chromium\src\third_party\libxml\src\parser.c(12442) 0x7fff3d59e8ba D:\chromium\src\out\Release\chrome.dll
20 chrome.dll xmlParseReference + 0x6a5, D:\chromium\src\third_party\libxml\src\parser.c(6980) 0x7fff363aec55 D:\chromium\src\out\Release\chrome.dll
21 chrome.dll xmlParseChunk + 0x362, D:\chromium\src\third_party\libxml\src\parser.c(11878) 0x7fff3a8526f2 D:\chromium\src\out\Release\chrome.dll
22 chrome.dll blink::XSLTProcessor::TransformToString + 0x10e5 0x7fff3f86bde5 D:\chromium\src\out\Release\chrome.dll
23 chrome.dll xsltLoadDocument + 0x92, D:\chromium\src\third_party\libxslt\src\libxslt\documents.c(319) 0x7fff40087632 D:\chromium\src\out\Release\chrome.dll
24 chrome.dll xsltDocumentFunctionLoadDocument + 0xd2, D:\chromium\src\third_party\libxslt\src\libxslt\functions.c(134) 0x7fff4059f8f2 D:\chromium\src\out\Release\chrome.dll
25 chrome.dll xsltDocumentFunction + 0x377, D:\chromium\src\third_party\libxslt\src\libxslt\functions.c(333) 0x7fff4059f807 D:\chromium\src\out\Release\chrome.dll
26 chrome.dll xmlXPathCompOpEval + 0x4fa, D:\chromium\src\third_party\libxml\src\xpath.c(13195) 0x7fff3dddd68a D:\chromium\src\out\Release\chrome.dll
27 chrome.dll xmlXPathCompOpEval + 0x394, D:\chromium\src\third_party\libxml\src\xpath.c(13346) 0x7fff3dddd524 D:\chromium\src\out\Release\chrome.dll
28 chrome.dll xmlXPathRunEval + 0xbe, D:\chromium\src\third_party\libxml\src\xpath.c(13927) 0x7fff3ddd9f8e D:\chromium\src\out\Release\chrome.dll
29 chrome.dll xmlXPathCompiledEvalInternal + 0x14e, D:\chromium\src\third_party\libxml\src\xpath.c(14316) 0x7fff3ddd9d3e D:\chromium\src\out\Release\chrome.dll
30 chrome.dll xmlXPathCompiledEval + 0x2b, D:\chromium\src\third_party\libxml\src\xpath.c(14365) 0x7fff3ddd9bcb D:\chromium\src\out\Release\chrome.dll
31 chrome.dll xsltCopyOf + 0x96, D:\chromium\src\third_party\libxslt\src\libxslt\transform.c(4406) 0x7fff40082166 D:\chromium\src\out\Release\chrome.dll
32 chrome.dll xsltApplySequenceConstructor + 0x297, D:\chromium\src\third_party\libxslt\src\libxslt\transform.c(2876) 0x7fff4007fd97 D:\chromium\src\out\Release\chrome.dll
33 chrome.dll xsltApplyXSLTTemplate + 0x43c, D:\chromium\src\third_party\libxslt\src\libxslt\transform.c(3205) 0x7fff4007f87c D:\chromium\src\out\Release\chrome.dll
34 chrome.dll xsltProcessOneNode + 0x44, D:\chromium\src\third_party\libxslt\src\libxslt\transform.c(2104) 0x7fff4007f184 D:\chromium\src\out\Release\chrome.dll
35 chrome.dll xsltApplyStylesheetInternal + 0x5db, D:\chromium\src\third_party\libxslt\src\libxslt\transform.c(6020) 0x7fff40083fab D:\chromium\src\out\Release\chrome.dll
36 chrome.dll blink::XSLTProcessor::TransformToString + 0x6fc 0x7fff3f86b3fc D:\chromium\src\out\Release\chrome.dll
37 chrome.dll blink::SecurityContextInit::InitDocumentPolicyFrom + 0x693 0x7fff3ec4cf33 D:\chromium\src\out\Release\chrome.dll
38 chrome.dll blink::DocumentXSLT::SheetLoaded + 0x88 0x7fff3ec4d2b8 D:\chromium\src\out\Release\chrome.dll
39 chrome.dll blink::ProcessingInstruction::SheetLoaded + 0x57 0x7fff3e9f3777 D:\chromium\src\out\Release\chrome.dll
40 chrome.dll blink::ProcessingInstruction::NotifyFinished + 0x297 0x7fff3e9f3a47 D:\chromium\src\out\Release\chrome.dll
41 chrome.dll blink::Resource::NotifyFinished + 0x121, D:\chromium\src\third_party\blink\renderer\platform\loader\fetch\resource.cc(239) 0x7fff3a76e831 D:\chromium\src\out\Release\chrome.dll
42 chrome.dll blink::XSLStyleSheetResource::NotifyFinished + 0x9d 0x7fff3f6b3e0d D:\chromium\src\out\Release\chrome.dll
43 chrome.dll blink::ResourceFetcher::HandleLoaderFinish + 0x3dc, D:\chromium\src\third_party\blink\renderer\platform\loader\fetch\resource_fetcher.cc(2285) 0x7fff35bf60ec D:\chromium\src\out\Release\chrome.dll
44 chrome.dll blink::ResourceLoader::DidFinishLoading + 0x1cb, D:\chromium\src\third_party\blink\renderer\platform\loader\fetch\resource_loader.cc(1334) 0x7fff35bf58eb D:\chromium\src\out\Release\chrome.dll
45 chrome.dll blink::ResourceLoader::DidFinishLoadingBody + 0x52, D:\chromium\src\third_party\blink\renderer\platform\loader\fetch\resource_loader.cc(636) 0x7fff35bf5712 D:\chromium\src\out\Release\chrome.dll
46 chrome.dll blink::ResponseBodyLoader::OnStateChange + 0x253, D:\chromium\src\third_party\blink\renderer\platform\loader\fetch\response_body_loader.cc(572) 0x7fff35ccbde3 D:\chromium\src\out\Release\chrome.dll
47 chrome.dll blink::URLLoader::Context::OnCompletedRequest + 0x1c6, D:\chromium\src\third_party\blink\renderer\platform\loader\fetch\url_loader\url_loader.cc(446) 0x7fff3839f9a6 D:\chromium\src\out\Release\chrome.dll
48 chrome.dll blink::ResourceRequestSender::OnRequestComplete + 0x222, D:\chromium\src\third_party\blink\renderer\platform\loader\fetch\url_loader\resource_request_sender.cc(569) 0x7fff35c877d2 D:\chromium\src\out\Release\chrome.dll
49 chrome.dll blink::ThrottlingURLLoader::OnComplete + 0x4f, D:\chromium\src\third_party\blink\common\loader\throttling_url_loader.cc(928) 0x7fff37444c2f D:\chromium\src\out\Release\chrome.dll
50 chrome.dll network::mojom::URLLoaderClientStubDispatch::Accept + 0x31a, D:\chromium\src\out\release\gen\services\network\public\mojom\url_loader.mojom.cc(1294) 0x7fff35c3132a D:\chromium\src\out\Release\chrome.dll
51 chrome.dll mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept + 0xac8, D:\chromium\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc(362) 0x7fff3a2d91b8 D:\chromium\src\out\Release\chrome.dll
52 chrome.dll mojo::internal::MultiplexRouter::Accept + 0x99f, D:\chromium\src\mojo\public\cpp\bindings\lib\multiplex_router.cc(707) 0x7fff3a16ba1f D:\chromium\src\out\Release\chrome.dll
53 chrome.dll mojo::MessageDispatcher::Accept + 0x296, D:\chromium\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc(42) 0x7fff39c506f6 D:\chromium\src\out\Release\chrome.dll
54 chrome.dll base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(const char *, unsigned int),base::internal::UnretainedWrapper<mojo::Connector,base::unretained_traits::MayNotDangle,0>,base::internal::UnretainedWrapper<const char,base::unretained_traits::MayNotDangle,0> >,void (unsigned int)>::Run + 0x528, D:\chromium\src\base\functional\bind_internal.h(957) 0x7fff3d29e158 D:\chromium\src\out\Release\chrome.dll
55 chrome.dll base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::Run + 0x45, D:\chromium\src\base\functional\bind_internal.h(950) 0x7fff3a99c7a5 D:\chromium\src\out\Release\chrome.dll
56 chrome.dll mojo::SimpleWatcher::OnHandleReady + 0x139, D:\chromium\src\mojo\public\cpp\system\simple_watcher.cc(277) 0x7fff385eaf69 D:\chromium\src\out\Release\chrome.dll
57 chrome.dll base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork + 0x27a9, D:\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(344) 0x7fff39b94669 D:\chromium\src\out\Release\chrome.dll
58 chrome.dll base::MessagePumpDefault::Run + 0x88, D:\chromium\src\base\message_loop\message_pump_default.cc(41) 0x7fff39ff9798 D:\chromium\src\out\Release\chrome.dll
59 chrome.dll base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run + 0xe0, D:\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc(645) 0x7fff35cdf400 D:\chromium\src\out\Release\chrome.dll
60 chrome.dll base::RunLoop::Run + 0x1ca, D:\chromium\src\base\run_loop.cc(134) 0x7fff35d299da D:\chromium\src\out\Release\chrome.dll
61 chrome.dll content::RendererMain + 0x9d6, D:\chromium\src\content\renderer\renderer_main.cc(339) 0x7fff38872ba6 D:\chromium\src\out\Release\chrome.dll
62 chrome.dll content::RunOtherNamedProcessTypeMain + 0x253, D:\chromium\src\content\app\content_main_runner_impl.cc(741) 0x7fff38423e03 D:\chromium\src\out\Release\chrome.dll
63 chrome.dll content::ContentMainRunnerImpl::Run + 0x377, D:\chromium\src\content\app\content_main_runner_impl.cc(1118) 0x7fff36128e47 D:\chromium\src\out\Release\chrome.dll
64 chrome.dll content::ContentMain + 0x4fc, D:\chromium\src\content\app\content_main.cc(342) 0x7fff3612856c D:\chromium\src\out\Release\chrome.dll
65 chrome.dll ChromeMain + 0x27d, D:\chromium\src\chrome\app\chrome_main.cc(187) 0x7fff3612619d D:\chromium\src\out\Release\chrome.dll
66 chromb.exe MainDllLoader::Launch + 0x348, D:\chromium\src\chrome\app\main_dll_loader_win.cc(164) 0x7ff621c81328 D:\chromium\src\out\Release\chromb.exe
67 chromb.exe wWinMain + 0x6a1, D:\chromium\src\chrome\app\chrome_exe_main_win.cc(389) 0x7ff621c804c1 D:\chromium\src\out\Release\chromb.exe
68 chromb.exe __scrt_common_main_seh + 0x106, D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl(281) 0x7ff621d59eb2 D:\chromium\src\out\Release\chromb.exe
69 KERNEL32.DLL BaseThreadInitThunk + 0x14 0x7fffe0107614 C:\WINDOWS\System32\KERNEL32.DLL
70 ntdll.dll RtlUserThreadStart + 0x21 0x7fffe0d426b1 C:\WINDOWS\SYSTEM32\ntdll.dll

By contrast, when a parse runs inside an XMLDocumentParserScope, an external entity load is intercepted by the renderer's hook: libxml asks Blink's registered input callback, and blink::OpenFunc calls ShouldAllowExternalLoad before anything is opened. The stack below, also from the thread (Linux), shows such a denied load. Note that it comes from the outer parse of the source document in XmlDocPtrForString, where the scope was already in place, not from the document() loader:

Here's a stack where we do deny the load:
#1 0x55ff9a76beb3 base::debug::StackTrace::StackTrace() [../../base/debug/stack_trace.cc:221:12]
#2 0x55ff9dc2593b blink::ShouldAllowExternalLoad() [../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:596:19]
#3 0x55ff9dc250df blink::OpenFunc() [../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:626:8]
#4 0x55ff9ba9237b __xmlParserInputBufferCreateFilename [../../third_party/libxml/src/xmlIO.c:2545:13]
#5 0x55ff9ba82691 xmlNewInputFromFile [../../third_party/libxml/src/parserInternals.c:1785:11]
#6 0x55ff9ba933b5 xmlLoadExternalEntity [../../third_party/libxml/src/xmlIO.c:4021:12]
#7 0x55ff9ba5d477 xmlSAX2ResolveEntity [../../third_party/libxml/src/SAX2.c:533:11]
#8 0x55ff9ba5d145 xmlSAX2ExternalSubset [../../third_party/libxml/src/SAX2.c:398:14]
#9 0x55ff9ba7a7aa xmlParseDocument [../../third_party/libxml/src/parser.c:10567:6]
#10 0x55ff9ba7d478 xmlDoRead [../../third_party/libxml/src/parser.c:14613:5]
#11 0x55ff9dc242a9 blink::XmlDocPtrForString() [../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:1632:10]
#12 0x55ff9dc2f2fe blink::XSLTProcessor::TransformToString() [../../third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc:316:29]
#13 0x55ff9dc2eb52 blink::XSLTProcessor::transformToFragment() [../../third_party/blink/renderer/core/xml/xslt_processor.cc:149:8]
#14 0x55ff9e4e7ae0 blink::(anonymous namespace)::v8_xslt_processor::TransformToFragmentOperationCallback() [gen/third_party/blink/renderer/bindings/core/v8/v8_xslt_processor.cc:347:39]
#15 0x55ff98cb3813 Builtins_CallApiCallbackGeneric

Some tips

Although we cannot set breakpoints directly, here are a few debugging techniques for reference.

First, in this setup chrome must be launched with --no-sandbox; otherwise the renderer process cannot open arbitrary files on the system. The built-in sandbox is one of Chrome's hard defensive layers.

Single-process mode

Chrome has a --single-process flag that runs everything (the renderer included) in one process. It may help with debugging, though it is of limited use here.

The following command debugs from chrome startup; once gdb is up, just type `start` (there is nothing else to set up, since we have no symbols).

gdb --args ./chrome --single-process --no-sandbox ../CVE-2023-4357-Chrome-LFI-main/xss.html

Attaching to a process:

In Chrome, pressing Shift+Esc opens the task manager, which lists the process id of every tab; you can then attach gdb to the process of the relevant tab, as shown in the figure.

Runtime trace:

One approach is the following:

./chrome --trace-startup='browser,renderer,startup,loading,blink,v8,net,sequence_manager' \
--trace-startup-duration=8 \
--trace-startup-file=/tmp/ntp_trace.json \
--user-data-dir=/tmp/ntp_prof --no-first-run --disable-extensions \
--no-sandbox \
<path_to_poc>

Launching with these flags writes an ntp_trace.json file under /tmp; open it at https://ui.perfetto.dev to visualize what the browser did. The trace is not fine-grained enough to follow the bug itself, but it can help in understanding the loading sequence.


Finally, if you need symbols, the recommendation is to build the matching Chromium version yourself; then you can set breakpoints inside libxslt or libxml.
