
Thank you very much for coming. We're going to be taking a little look at Chromium. You'll perhaps know what Chromium is. You'll find out in a moment if you don't. And uh its use in some embedded desktop applications. Okay. Now, uh, in the Carolean, in the Carolean period, it was very fashionable to build a big expansive house like this and to have around the back a tradesman's entrance. In other words, an entrance that was part of the design. It was deliberate. It was supposed to be there, but there was a social, implicit security contract that it would be unguarded. The right people would use it and the wrong people wouldn't. Okay, with that in mind, let's play a quick game.

We're going to play a quick game to start. This is called Is It Chromium? Uh, it's a great game. Play it in the car with the kids, and I'm going to show you an image and you're going to tell me whether that application is Chrome. Okay, you'll get the hang of this. You're going to shout yes or no. It's a quick-fire round. Google Chrome, is it Chromium? There's a clue in the name.
>> Yes.
>> It is. That's very good. Microsoft Edge, is that Chromium?
>> It certainly is. Opera browser. Is that Chromium?
>> Yes.
>> It is. Since 2013, all of these browsers, Arc, Brave, the Bounty, are they Chromium? Yes,
>> they certainly are.
>> Well done. You're getting the hang of this. Discord desktop. Is it Chromium?
>> Yeah.
>> It is Chromium.
>> Steam on the desktop. Is it Chromium?
>> Yes.
>> It certainly is. Adobe Acrobat, Spotify, Notion Desktop. Are they Chromium?
>> They certainly are. Photoshop. Is it Chromium?
>> Yes.
>> Nope. I'm just trying to...
>> Okay. VS Code and GitKraken. Two developer tools. Are they Chromium? Are they Chromium?
>> No.
>> They are Chromium. IntelliJ. Another developer tool. Is it Chromium?
>> Come on.
>> No.
>> No,
>> it's not. It's very good. It may as well be, but it happens not to be.
>> Slack, new Outlook, olk.exe, Teams. Are they Chromium?
>> I think they certainly are.
>> Blender. Is it Chromium?
>> No.
>> No. The Windows 11 widgets stupid sidebar thingy with the...
>> Yes, of course it is. Loads. Millions and millions of kiosks all around the world. Are they running Chromium?
>> Yes.
>> They certainly are. And finally, I kid you not, parts of the NASA mission control systems. Are they Chromium?
>> Yes.
>> Yeah,
>> they are. They are. So, as a rule of thumb, is it Chromium? Probably yes. Might be the answer.

Okay, there we... We've got this thing called Chrome. It's used all over the place, apparently. We've just discovered that. What actually is it? Well, effectively on a system you're going to have a set of binaries like this. It looks very similar no matter what operating system you're on. Some of the important ones are highlighted, but effectively there is this whopping great DLL and this uh this um .exe, or without the .exe file extension on a Unix-based system. And you can run that up and you'll get a window like that, and you'll probably see a window like that every single day. But what we want to know is how to take a window like that and embed it into a desktop application. Maybe just a part of our application, a little bit of the Chromium rendering engine that we're going to use for part of our application. And there are three ways to do that. If you're unlucky enough to be a Java developer, you might use that one. C++, .NET, you might use that one there. But this is by far the most popular. It's something called Electron. And that is for the Node.js platform. A really, really easy, um, just use, type out some JavaScript like you would for a website, that's running with an interpreter called Node. Okay, so let's have a little look. What is this Node stuff? What is this Electron stuff even? Just slightly catch my breath.

I have a basic HTML file here. Look, it's a basic HTML file and it says "what a lovely HTML file". And then I have this main.js script. Okay. And this is a little bit of Electron bootstrapper script. It's a sort of minimum, you know, working example. And what I can do is run a special command that looks like this up here. I can get out the other end an Electron application. Oh, I see my screen resolution changed because of this, this nice projector. Okay. I can get out a lovely little application like this. And look, it's our HTML file. It renders. It kind of works. And that file there is 209 megabytes. It's 209 megabytes. In fact, the entire copy of that application is now 330 megs. I, that's, that's, you know, that's ridiculously inefficient. So what we've effectively shown is that Electron is a way to take a HTML file that might be a matter of kilobytes, it's actually 810 bytes, and turn it into something in this case literally 2 million times the size. Plus it eats up 260 megs of memory. It doesn't update itself. It introduces a host of security vulnerabilities, as I'm perhaps about to demonstrate. Um, and what's more, we don't just have one of these on our system. We went through all those examples of Chromium at the beginning. We have so many copies of these and they're all sitting next to each other and it's, it's too much to cope with. You know, you can't have that many copies of Chromium on a system all just sitting there, many of them running in the background because they, you know, they think that RAM is just abundantly available.

So, Microsoft tried to tackle this problem a few years ago and said, "We can't be having this. What we're going to do, we're going to ship one copy of Chromium with the operating system and you can then embed that into your applications, and we will deal with updating that copy of Chromium and we will make sure that it is vaguely secure, vaguely secure, emphasis on the vaguely, and uh you can then use that as, as you wish and not have to worry about distributing your own copies of this web browser." Okay, there we go. So, we've got some different forms of Chromium. It's quite an amorphous product. We've got the traditional Chrome. We've got loads of different browsers. We've got an Electron version of Chrome. We've got this thing called MS WebView2. But whichever version of Chrome you've got, you're going to specify, on instantiation of the process image, some important command line arguments. You might set the window size. You might do incognito mode. You might set a proxy server, etc. But there's one highlighted in blue. Look, and that is not a coincidence, because there is a, there's an argument called --remote-debugging-port that is exactly as ominous as it sounds. Let's see. Let's see what it does.

When we instantiate a Chromium image, we're going to get a, a big mummy Chromium process. And the big mummy Chromium process is going to have lots of babies very, very quickly, in a matter of seconds. Maybe up to about, you know, 30 babies if you've got lots of tabs open. And she's going to give each baby a --type= argument and a user data dir. Here, these are some more command line arguments. But we can see here the big mummy Chromium process has been given a remote debugging port. Okay, that's very important. We'd say --remote-debugging-port= and then some port number. It's a TCP port. And if we do that, we can curl an endpoint on that port called /json. I'm piping it into jq here just to get some syntax highlighting. And we get in the JSON response this thing called a websocket debugger. Okay, very nice. A websocket debugger. What is that? If we then take a simple websocket client, so a little bit like Telnet or SSH, this is just a text-based back and forth, and we say node package execute wscat, that's just the name of my websocket client, -c, connect to that endpoint. We take, we took a Chromium image, we told it open a debugging port, we got a page address on that debugging port, we connected to that debugging port. Okay, you with me so far? If we do this, we can specify, if we like, a series of commands to do anything on the browser. We actually have more power over the browser through this interface than we would with a keyboard and mouse being able to click various things on the web. We can do anything we want. Helpfully, the methods, this is, this is a syntax called JSON-RPC, remote procedure call, the methods are very helpfully named. It's not the sort of thing you'd get if mathematicians designed it and you just get single-letter variable names like R and J. Page.captureScreenshot, Browser.close, Runtime.evaluate. This is very important. This allows us to run arbitrary JavaScript within any page in the browser.

Okay, bit of wiring up then. We've got these Chromium things. We've got these remote debugging things. We've got these CDP commands. CDP, by the way, the Chrome DevTools Protocol. In other words, that, that websockets-based uh interface to control the browser headlessly, remotely. There is an environment variable for our old friend MS WebView2 called WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS, and this is meant for setting, you know, something like a proxy server, something innocent and innocuous like that, but we can slightly abuse this mechanism. We can inject into these command line arguments --remote-debugging-port. Okay, this might, this might be good. This might be useful. So um, strategic integration of WebView2 into holistic... So the systematic... I'm, we're not, I'm not doing... We're going to do a live demo.

Uh and the live demo, the live demo is going to involve uh the following thing. What is it going to involve? It is going to involve firstly a copy of Microsoft Word. Here is Microsoft Word. I have a document open. Uh I have this thing uh which is a random Microsoft Word add-in. There are thousands of these available. Uh all of these uh uh add-ins these days just use a WebView2 embedded browser pane. Let's prove this. Let's prove this. If I go to proc and we have a look. That's a bit blurry, isn't it? We can see that winword.exe has had a baby called msedgewebview2. That's had some babies, which are all of its Chromium processes, uh, like the renderers, the utilities, the network utilities, etc. But if we look at that top msedgewebview2 process, it has some command line args. Let's open them up. We're going to look at this command line. Let's go to the end. And we can see, oh my goodness, look, amongst all of the other innocuous command line arguments, it's just setting the language, we have managed to inject our special command line argument. What is this going to allow us to do? What is this going to allow us to do? I think you might be able to work out the answer. Right, let us curl. Therefore, let us curl the uh endpoint. So, we said 955. Okay. curl. In other words, HTTP GET uh localhost, my machine, at 955, /json. Oh dear, that would have... Yeah. Uh, let's have some syntax. Okay. Let's take our websocket debugger. Let's node package execute wscat -c that address. Because it's a live demo and it's being watched, it's going to be excruciatingly slow. There we go. Okay, very good. We seem to have a connection and let's see what we could do.

So, you're innocently using Word and, as I say, Runtime.evaluate, arbitrary JavaScript injection. What could that enable us to do? We could craft some JavaScript to manipulate the DOM. Do something like, do something like this. We could pop up uh, well, my icon's not working because I don't... There we go. Uh, we could pop up uh, we could, we could... We have literally done a phishing attack on Microsoft Word. Okay, we've done a phishing attack on Microsoft Word. We could do some very nasty things. We could try to steal money, etc. Um, maybe we could actually do something a little bit, slightly more entertaining. Could we come along and say... there, that's nice? I mean, that's definitely more useful than Cite While You Write. I don't know. I just want to stare at that whilst I'm doing my coursework. I think that's great. Um, however, that's just manipulating the DOM. We can open up any browser and do this. What is special about these WebView2 uh embedded Chromium implementations? The answer is they have something called native bridge methods. In other words, a mechanism for the embedded browser, for the embedded browser, to talk back to the host application. In this case, it's a C++ application. It's, it's, it's winword.exe. It's Microsoft Word.

Okay, let's see what, what sort of native bridge methods we might be dealing with. Okay, look, as on Blue Peter, here's one I prepared earlier, and this is a simple example which is going to do return body.text. Okay, probably get, get an idea of what that does. Well, look, in my document I had this bit of text here, and then I managed to say return body.text and I managed to get my amazing bit of text there. Okay, it's the same bit of text. We just exfiltrated some text. Okay, if we can read text, what else can we do? Maybe we can take some text. Uh, no, thank you. Maybe we can take some text and inject it into the document. Let's have a little look. If I do that, uh, uh, we don't get that because... we can reconnect. There we go. Okay, let's have a look. Have I got the right thing on my clipboard? Perhaps not. returnByValue: true. Uh, injection successful. Maybe. Oh, look. That wasn't there before. Okay, we can read and write to the document. That's a bit interesting. Can we do anything slightly more surreptitious, slightly more pernicious than that? Okay, I have an expression here. Here's another one I prepared earlier. This expression says, let's have a look. What does it say? It says uh office.get context. Now, this is my university account. I am, I don't, you know, particularly think the university will mind exposing their tenant ID, but you get the idea. You can do some reasonably pernicious things because of these native bridge, uh, native bridge methods, in many cases completely surreptitiously, clandestinely, under the hood, undetectably. And if you do this, if you do this, um, then of course, because the desktop application, the native one, is a standard, um, not memory-safe application, there might be buffer overflow exploits, etc. This opens up a whole world of potential RCE vulnerabilities.

Okay. Uh, does that mean we've got six minutes left? Is that right? I think so. Possibly. Yeah. Yeah. Let's go for one last bit in the live demo, which is, you remember that Electron thing from earlier? Here's our Electron thing. Let's go to that directory there. win-unpacked. Oh, there it is. Let's say electron-test --remote-debugging-port. Let's give it triple 3 this time. You can put any number you want up to 65536. And we have our application. Okay. But if we have a look, let's have a look. Has it had some babies? It's had some babies. It's had remote debugging port in the CLAs. Oh, that's hilarious. And um, and it's had some babies. But let's do the same thing on this Electron application. Let's see if it works in approximately the same way. Let's take another command prompt. You can never have too many command prompts. And let's say uh curl. Let's take our websocket debugger. You're getting the hang of this by this point, potentially. And let's say node package execute wscat -c to that. There we go. We're connected. And let's see if we've got some more. Here's one I prepared earlier. We've got some more here. One I prepared earlier. That's... Well, it's not supposed to be a tongue twister. And let's put one of those in there. And oh my goodness, we have a message box. We could do, I mean, what's the classic RCE example? It is to instantiate calc, isn't it? Let's see if that works. calc, right, there we go. We have just run an arbitrary command on the system, instantiated as a subprocess of a completely trusted, signed binary, something like Slack, Teams, Steam, whatever you want, deployed by your enterprise for your laptop usage. Won't be picked up by the EDR system because, of course, you trust Slack, don't you? And we have managed to use it for RCE on the system. Let's do one more. Let's do one more. If we do an execSync, toString, then we will in fact get back the string result of a command. Here I'm going to execute a whoami. I'm going to execute a whoami and, oh my goodness, we get the result of the whoami, which I can prove to you is the same result in a second.

Okay, what does this mean? What does this mean? We only had 20 minutes, but look, there is a world of vulnerabilities exposed by this thing called Chromium and embedding it into applications, including all sorts of ways to abuse the SSO mechanism. There is a mechanism in Windows to pass through the Entra ID PRT, the primary refresh token, in other words the way of authenticating with Microsoft Azure Entra ID, through to the MS WebView2 instance so that they can use it on your behalf to, you know, conveniently reach out to Office and do telemetry and all sorts of things. Really, really dangerous. There are other um parts of native bridge functions uh which are also interesting. Uh, there is a way of doing this from a remote machine, not just a remote application, but I can have a different computer and still hook into a remote Electron-based application. Um, and if we had more time then, you know, this would be very fun, but um we don't. So what we're going to say is, so what? Well, look, you're only humans. You're not going to remember all of this, but if you're just taking away one thing from this talk then it's, it's this thing: CDP, the Chrome DevTools Protocol, isn't... is shipped in production to be a fully featured, unauthenticated way of controlling the browser headlessly, remotely, silently, surreptitiously, um, you know, dangerously. Okay. The, the vulnerability here is not Chromium. It's not the OS per se. It is the bridge between the two. We have spent 20 years trying to get the, the web out of the desktop. We have finally gotten there by making the desktop into a browser. We have, we have gone back to square one. We have a, a new set of problems, and um I hope that perhaps you've gleaned what some of those are from our little talk today. Okay. So, the tradesman's entrance at the back of the house, what's the lesson? Just because there is a tradesman's entrance and it's convenient doesn't mean that it should be left open. Okay. And with that, I think we're going to, we're going to call it an end of the talk, but we've got like two minutes. So, uh, questions or anything for any of those. Oh my goodness. Hello.

>> Hi. I love your energy, Ben. Honestly, I could listen to you read the phone book.
>> So, I understood the middle bit most. No, sorry. The first bit, the end bit. I've got the gist. I didn't understand the middle bit, but it didn't matter cuz I loved you.
>> The phishing in my Word. There, you need to know. Dangerous.
>> Exactly. Yeah. Um, and I've not really got a question other to say if you, honestly, you were great. And if you were doing theatre, I don't mean... No, seriously. I, I love theatre. At the Edinburgh Fringe later this year.
>> I can see you in that because I think, almost think you're wasted doing this and you should put more...
>> Thank you very much.
>> Yeah, I second the energy bit. Just want to, just wanted to ask, like, in terms of, terms of your findings, uh, obviously reporting vulnerabilities etc. Do you take this to someone? And you kind of, kind of put the kibosh on my question a little bit at the end because you said it's a bridge. I thought you might go to someone like Project Zero or something like that to talk about this, but are they the wrong people? Um, in terms of responsible disclosure, or is this just a known thing that they all know?
>> It's, there's an extent to which it's an unspoken secret. I'm not the first person in the universe to have discovered that you can inject this particular command line argument into this environment to get this result. The problem with it, um, is that it is, for the, for the most part, indefensible. This is a debugging feature that's supposed to be there for developers. It's supposed to allow them in. And uh there is one group policy setting you can set to block opening the DevTools window in some instances, not for Electron, but in some certain subset of criteria for MS Edge WebView, um. You, given the situation and the world as it is, etc. There are massive, glaring, open vulnerabilities like this and everyone's using these tools. Yes, millions, a little bit, right?
>> I, I mean, look, personally, I, rule of thumb, if it's an Electron application or an MS WebView2 app, there will also be a browser version. You can get Teams and Slack on it, etc. Just use it in the browser. You don't need to integrate it with your desktop, is my personal view. Um, okay. Like, one big caveat is you need to already be on the machine. This is not a mechanism of getting onto the machine, but once you're onto the... not a mechanism of doing process elevation necessarily. I mean, you can obviously, you can start to run your system commands and do your RCE to help you with that, but it is a very, very dangerous and pernicious and silent way of potentially causing a lot of damage. So yeah, maybe, maybe we should start reporting it to Project Zero etc. But uh yeah, I, it's so widely pervaded. It's, it's not really containable. But anyways...
>> It's one of those intended features, like a number of products. No, no, that's as we designed it. We're not going to do anything with it.
>> Yeah.
>> And in some ways screwed if people know about it.
>> Yes. Which they don't by time now.
>> Okay.
>> Monsters.
>> How we doing? Are we question? That's time.
>> That's time. It's got 30 seconds. One more question.
>> No.
>> Why do you think Microsoft doesn't just ship an MS WebView2 runtime that doesn't have this enabled for 99% of desktops?
>> I have no idea, because it would be a really good idea. There, there are some niche use cases where this is really useful for some developers some of the time. But in, when you're debugging, when you're creating an application, doesn't get my gran.
>> They certainly don't. So I, I made an example implementation of the WebView2 COM interface to work out how this works and, yeah, you can do all the debugging you need from there. You don't, you don't need this command line argument. It shouldn't really be there. I don't know. I, maybe we should go and find someone from Microsoft in and work that one out. But there you go. Okay. Thanks very much and I think
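The two places the talk shows the switch landing, the child process command line and the WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS variable, are also where a defender can look for it. What follows is an added example, not code from the talk: a small Python scanner over (pid, image, command line) records that flags Chromium-family processes started with a CDP-exposing switch and checks the WebView2 variable. The process records at the bottom are constructed, and --remote-debugging-pipe is Chromium's other real switch for the same purpose, not something the talk mentions.

```python
import os
import shlex

# Chromium switches that expose the Chrome DevTools Protocol (CDP).
# --remote-debugging-port is the one used in the talk; --remote-debugging-pipe
# is Chromium's other real switch for the same purpose (CDP over stdio pipes).
CDP_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")
# WebView2 appends this variable's contents to the embedded browser's argv,
# which is the injection route shown against Word in the talk.
WEBVIEW2_ENV = "WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS"


def cdp_exposure(cmdline):
    """Return (switch, port_or_None, role) if cmdline opens CDP, else None.

    cmdline is a Windows-style string (quotes and backslashes preserved) or
    an already-split argv list (e.g. /proc/<pid>/cmdline split on NUL).
    role is "browser" for the top-level process, otherwise the --type= value
    (renderer, gpu-process, utility, ...) of the child that inherited it."""
    if isinstance(cmdline, str):
        cmdline = shlex.split(cmdline, posix=False)
    role, found = "browser", None
    for arg in cmdline:
        name, _, value = arg.partition("=")
        if name == "--type":
            role = value or "child"
        elif name in CDP_SWITCHES:
            found = (name, value or None)
    return None if found is None else (found[0], found[1], role)


def scan(processes):
    """processes: iterable of (pid, image, cmdline). Returns list of findings."""
    findings = []
    for pid, image, cmdline in processes:
        hit = cdp_exposure(cmdline)
        if hit:
            findings.append({"pid": pid, "image": image,
                             "switch": hit[0], "port": hit[1], "role": hit[2]})
    return findings


def webview2_env_exposure(environ=os.environ):
    """True if the WebView2 variable would add a CDP switch to every WebView2
    host launched from this environment."""
    return cdp_exposure(environ.get(WEBVIEW2_ENV, "")) is not None


# Constructed sample records, modelled on the process trees shown in the talk
# (Word hosting msedgewebview2 with port 955, the Electron app with 3333).
SAMPLE = [
    (4120, "winword.exe", r'"C:\Office\WINWORD.EXE"'),
    (4388, "msedgewebview2.exe", r'"C:\WV2\msedgewebview2.exe" --user-data-dir=C:\EBWebView --lang=en-GB --remote-debugging-port=955'),
    (4402, "msedgewebview2.exe", r'"C:\WV2\msedgewebview2.exe" --type=renderer --lang=en-GB'),
    (5100, "electron-test.exe", r'"C:\et\win-unpacked\electron-test.exe" --remote-debugging-port=3333'),
    (5112, "electron-test.exe", r'"C:\et\win-unpacked\electron-test.exe" --type=gpu-process --remote-debugging-port=3333'),
    (6000, "chrome.exe", r'"C:\Chrome\chrome.exe" --incognito --proxy-server=127.0.0.1:8080'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"pid {f['pid']} {f['image']} [{f['role']}] {f['switch']} port={f['port']}")
    print("WebView2 env injects CDP:", webview2_env_exposure())
```

On Windows the records can be built from the ProcessId, Name and CommandLine properties of Get-CimInstance Win32_Process; on Linux, /proc/<pid>/cmdline split on NUL can be passed to cdp_exposure() as a list.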