oss-sec mailing list archives

Browser-mediated attacks on WebDriver servers


From: Gabriel Corona <gabriel.corona () enst-bretagne fr>
Date: Mon, 7 Feb 2022 22:04:17 +0100

Several browser-mediated attacks on WebDriver servers:

* GeckoDriver CSRF vulnerability (CVE-2020-15660);
* GeckoDriver DNS-rebinding vulnerability (CVE-2021-4138);
* Chromedriver localhost-bound same-site/cross-origin request forgery vulnerability;
* Selenium server/Grid CSRF vulnerability;
* Selenium server/Grid DNS-rebinding vulnerability.

In all cases this could be used to trigger arbitrary code execution.

GeckoDriver CSRF vulnerability
==============================

This is CVE-2020-15660. Fixed in GeckoDriver v0.27.0.

GeckoDriver DNS-rebinding vulnerability
=======================================

This is CVE-2021-4138. Fixed in GeckoDriver v0.30.0.

Chromedriver localhost-bound same-site/cross-origin request forgery
===================================================================

An XSS on another localhost-bound service could be exploited to trigger
arbitrary code execution.

Reference: https://bugs.chromium.org/p/chromium/issues/detail?id=1100097

Selenium server/Grid CSRF vulnerability
=======================================

A CVE-ID has been requested from MITRE.

This is fixed in SeleniumServer 4.

Selenium server/Grid DNS-rebinding vulnerability
================================================

A CVE-ID has been requested from MITRE.

This is fixed in SeleniumServer 4.
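The three attack classes above share one root cause: a WebDriver server bound to 127.0.0.1 sees every request arrive from the loopback address, so the source IP says nothing about who is driving the browser, and the only signal left is in the request headers. Below is an added example of the admission checks a localhost-bound server should make before acting on a command; it is not code from geckodriver, chromedriver or Selenium, and the header policy, the `Request` shape and the rejection codes are this example's own assumptions. The same check serves the CSRF, the localhost-origin request forgery and the DNS-rebinding cases: the Host check defeats rebinding (the attacker's name is never a loopback name), the Origin check defeats forged requests from any web page, including a page on another localhost-bound service, and the Content-Type check rejects the no-preflight `text/plain` POST a cross-origin page can send without CORS.

```python
"""Admission checks for a loopback-bound WebDriver-style HTTP server.

Added illustration, not code from any WebDriver implementation; the header
policy, Request class and rejection codes are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# Names the loopback service expects in Host.  A DNS-rebinding attack points
# the attacker's own name at 127.0.0.1, so the browser sends that name in Host
# and it never matches this set.  (Assumed policy for this example.)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Methods that carry a command body in the WebDriver protocol.
BODY_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal view of an incoming HTTP request (constructed for the example)."""
    method: str
    headers: Dict[str, str]

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def admit(req: Request, listen_port: int) -> Optional[str]:
    """Return None if the request may be handled, else a short rejection code."""
    host = req.header("Host")
    if host is None:
        return "no-host"
    try:
        # "//" + host lets urlsplit parse "localhost:4444" and "[::1]:4444"
        # uniformly; .port raises ValueError on a non-numeric port.
        parsed = urlsplit("//" + host)
        hostname, port = parsed.hostname, parsed.port
    except ValueError:
        return "bad-host"
    if hostname not in LOOPBACK_HOSTS:
        return "host-not-loopback"        # DNS rebinding: Host is the attacker's name
    if port is not None and port != listen_port:
        return "host-port-mismatch"
    # Browsers attach Origin to cross-origin fetches and to POSTs; a WebDriver
    # client is never a web page, so any Origin at all means a browser page is
    # driving the request (CSRF, including from an XSS on another localhost app).
    if req.header("Origin") is not None:
        return "browser-origin"
    if req.method.upper() in BODY_METHODS:
        ctype = (req.header("Content-Type") or "").split(";", 1)[0].strip().lower()
        if ctype != "application/json":
            return "content-type"         # text/plain is what a no-preflight CSRF sends
    return None


if __name__ == "__main__":
    # Constructed requests: one legitimate client and three browser-mediated ones.
    samples = {
        "legit client": Request("POST", {"Host": "localhost:4444",
                                         "Content-Type": "application/json"}),
        "DNS rebinding": Request("POST", {"Host": "attacker.example:4444",
                                          "Content-Type": "application/json"}),
        "cross-origin CSRF": Request("POST", {"Host": "localhost:4444",
                                              "Origin": "https://evil.example",
                                              "Content-Type": "text/plain"}),
        "localhost XSS": Request("POST", {"Host": "127.0.0.1:4444",
                                          "Origin": "http://localhost:8080",
                                          "Content-Type": "application/json"}),
    }
    for label, req in samples.items():
        print(f"{label:18} -> {admit(req, 4444) or 'admitted'}")
```

Two caveats a practitioner should keep in mind: the Origin check only helps because WebDriver performs every state-changing command over POST or DELETE, which browsers always mark with Origin; a server that mutates state on GET would need a different defence. And none of these checks replace binding to the loopback interface; they are what stops a browser on the same host, which is already inside that boundary.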
