CVE-2020-7645 in chrome-launcher

Summary

by MITRE

All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.


Analysis

by VulDB Data Team • 05/03/2020

chrome-launcher is a Node.js utility for launching Google Chrome or Chromium programmatically in automated environments. It creates a temporary user data directory and starts the browser with a configuration suited to testing and automation workflows. The vulnerability lies in the package's handling of environment variables during browser launch, specifically when an attacker controls the $HOME environment variable. It affects all versions of chrome-launcher on Linux, where the tool is commonly deployed.

The flaw stems from the package's reliance on $HOME to locate temporary directories and user configuration files. An attacker who controls this variable controls the path at which chrome-launcher creates temporary files and directories. That path is inserted into shell commands without sanitization: the tool builds command strings that embed the $HOME-derived path without validating or escaping shell metacharacters, so characters in the value can change the command the shell actually executes. The vulnerability manifests when chrome-launcher creates a temporary user data directory at the location derived from $HOME, which can be manipulated to carry injected commands.

The impact goes beyond simple command execution: an attacker gains a foothold on the system running chrome-launcher and can execute arbitrary code with the privileges of the user running the process, potentially leading to privilege escalation, data exfiltration or system compromise. This is especially concerning in automated testing environments, continuous integration pipelines and server deployments that use chrome-launcher for web scraping, automated testing or headless browsing. Exploitation requires the ability to set environment variables, which is realistic in containerized environments, CI/CD pipelines and applications that let user input influence the execution context. The weakness is classified as CWE-78, improper neutralization of special elements used in an OS command, a well-documented command injection weakness that aligns with ATT&CK technique T1059.001 (command and scripting interpreter).

Mitigation requires immediately updating chrome-launcher to version 0.14.2 or later, which sanitizes environment variables and handles temporary directory creation securely. Organizations should validate environment variables strictly in their deployment pipelines and never let untrusted input influence $HOME. Monitor for unauthorized environment variable changes and run chrome-launcher under least privilege. Administrators should also consider containers with a restricted environment and runtime protections against command injection. The fix itself consists of escaping or validating every path before it enters a shell command, so a manipulated environment variable cannot inject commands. Finally, review automation pipelines for other injection points and apply environment variable sanitization consistently across every tool that may share the same weakness.

Reservation

01/21/2020

Moderation

accepted

CPE

ready

EPSS

0.01023

KEV

no

Activities

very low
