search

brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0
17.94k stars 2.35k forks source link

[Security] Brave's usage of elevation service should check it was called from a trusted source #39029

Closed bsclifton closed 3 months ago

bsclifton commented 5 months ago

Test plan

See plan in https://github.com/brave/brave-core/pull/24900

Description

When Brave (or any Chromium browser) is installed with admin privileges (ex: it's a system install), the elevation service is registered (ex: with services.msc). Introduced in https://github.com/brave/brave-core/pull/20754, there is a Brave-specific method InstallVPNServices https://github.com/brave/brave-core/blob/1bc3b9e011c17e16a7aba895cac7e845b87ba5dc/chromium_src/chrome/elevation_service/elevator.cc#L30-L51

This is only used on Windows and it'll install the services required to either connect securely connect to IKEv2 or WireGuard.

This method should implement a check to see where it was called from and only allow trusted sources. For example, we can ensure that it was called from %programfiles%\BraveSoftware\Brave-Browser\Application\brave.exe.

bridiver commented 5 months ago

This can be done with app commands instead so we don't have to modify the elevation service at all

bsclifton commented 4 months ago

Thanks to wfh on Chromium Slack for helping suggest this

I believe it would involve this code: https://source.chromium.org/chromium/chromium/src/+/main:chrome/installer/util/app_command.h

bsclifton commented 4 months ago

Created https://github.com/brave/brave-browser/issues/39953 to track doing App Commands.

Will check out the trusted paths as-is

LaurenWags commented 3 months ago

Requires 1.69.137 or higher to test 👍🏻

stephendonner commented 3 months ago

Verification PASSED using

Brave | 1.69.137 Chromium: 127.0.6533.100 (Official Build) beta (64-bit)
-- | --
Revision | 40b6ccbd1eb76c8f575e83de8ad81c4349d3f32a
OS | Windows 10 Version 22H2 (Build 19045.4717)

Case 1: Before fix - PASSED

### Steps: 1. installed `1.69.128` with Admin privs 2. launched Brave 3. verified no `Vpn` service is installed 4. ran the proof-of-concept executable from `cmd` 5. confirmed (services) are installed: `pElevator->InstallVPNServices(): Successfully installed VPNServices. \n Invoking Vpn Installation is successful.` 6. opened `account.bravesoftware.com` in a new tab 7. logged into Brave VPN using `issue39029@mailinator.com` 8. clicked `Refresh` button 9. did NOT connect to VPN 10. confirmed (services) still shown 11. connected and disconnected VPN successfully step 1 | step 3 | steps 4 - 5 | step 10 | step 11 -------|--------|--------|--------|---------- ![image](https://github.com/user-attachments/assets/6a49b334-75e6-43b4-96b7-63dbd398adb7) | ![image](https://github.com/user-attachments/assets/5bfb3981-8061-4187-9040-e982d1825eb7) | ![image](https://github.com/user-attachments/assets/8da15198-4eff-4cef-874d-35daf4463eb2) | ![image](https://github.com/user-attachments/assets/4abc9e12-c04e-499a-b0f9-d925bc3e3e52) | ![image](https://github.com/user-attachments/assets/4c4d162e-3091-4d5d-b9f1-95e7799b2cf9)

Case 2: After fix - PASSED

### Steps: 1. installed `1.69.136` with Admin privs 2. launched Brave 3. verified no `Vpn` service is installed 4. ran the proof-of-concept executable from `cmd` 5. confirmed services are installed: `pElevator->InstallVPNServices(): Successfully installed VPNServices. \n Invoking Vpn Installation is successful.` 6. opened `account.bravesoftware.com` in a new tab 7. logged into Brave VPN using `issue39029@mailinator.com` 8. clicked `Refresh VPN` button 9. did NOT connect to VPN 10. confirmed {`BraveVpn, BraveElevationService, etc...`} services are NOT shown 11. connected and disconnected VPN successfully step 1 | step 3 | steps 4-5 | step 8 | step 10 | step 11 -------|---------|----------|---------|----------|--------- ![image](https://github.com/user-attachments/assets/6ae7716d-d43a-4921-9870-fd712c80e005) | ![image](https://github.com/user-attachments/assets/a409a63b-df3a-44bc-bd83-ec93665c9682) | ![image](https://github.com/user-attachments/assets/64cb9a34-0a2b-48c6-b156-355608941434) | ![image](https://github.com/user-attachments/assets/96c60666-1ea0-4059-9125-551235ae7ae4) | ![image](https://github.com/user-attachments/assets/e6d35992-1ab2-4c8e-a2e1-861914d01c9c) | ![image](https://github.com/user-attachments/assets/f0d9ea53-36a4-4207-b517-c58ac8b92501)
stephendonner commented 3 months ago

Verified on Win10-x64; if we have time this cycle, we'll do another Win11-x64 check and can mark it as QA Pass - Win64 then. If we run out of time, we'll use this verification and mark it.

cc @MadhaviSeelam

MadhaviSeelam commented 3 months ago

Verification PASSED using

Brave | 1.69.137 Chromium: 127.0.6533.100 (Official Build) beta (64-bit)
-- | --
Revision | 40b6ccbd1eb76c8f575e83de8ad81c4349d3f32a
OS | Windows 11 Version 23H2 (Build 22631.3958)

Before fix:

  1. Installed 1.69.128 with admin privileges
  2. launched Brave
  3. verified BraveBetaElevationService service is installed in the services.msc
  4. run the proof of concept executable from cmd.exe for Beta
  5. confirmed proof of concept reported back
    • pElevator->InstallVPNServices(): Successfully installed VPNServices.
    • Invoking Vpn Installation is successful.
  6. opened services.msc and confirmed BraveBetaVpnService and Brave Beta Vpn Wireguard Service (BraveBetaVpnWireguardService) are installed
  7. opened account.bravesoftware.com in a new tab
  8. logged into Brave VPN using brave1vpn@mailinator.com
  9. clicked Refresh button
  10. did not connect to VPN
  11. opened services.msc and verified BraveNightlyVpnService and Brave Nightly Vpn Wireguard Service (BraveNightlyVpnWireguardService) still shown
  12. connected and disconnected VPN successfully
step 1 step 3 step 4-5 step 6 step 10 step 11
image 2024-08-07_11h39_10 image image image image

After fix:

  1. Installed 1.69.137 with admin privileges
  2. launched Brave
  3. verified BraveBetaElevationService service is installed
  4. ran the proof-of-concept executable from cmd.exe for Beta
  5. confirmed proof of concept reported back pElevator->InstallVPNServices(): Failed failed PROTECTION_PATH_VALIDATION Invoking Vpn Installation has failed.
  6. opened services.msc and confirmed no BraveBetaVpnServices are installed
  7. opened account.bravesoftware.com in a new tab
  8. logged into Brave VPN using brave1vpn@mailinator.com
  9. clicked Refresh button
  10. did not connect to VPN
  11. confirmed below services are not installed -BraveNightlyVpnService and Brave Nightly Vpn Wireguard Service (BraveNightlyVpnWireguardService)
  12. clicked VPN button
  13. confirmed below services are installed -BraveNightlyVpnService and Brave Nightly Vpn Wireguard Service (BraveNightlyVpnWireguardService)
  14. Connected/disconnected VPN successfully
step 1 step 3 step 4-5 step 6 step 9-10 step 13 step 14
image image image image image image image