Full Report
The article begins by discussing how communication can be done from isolated contexts in browsers. Between web pages, there is postMessage. From content scripts, there is sendMessage. For background scripts, there is native messaging, which lets an extension talk to an application running in the background. The researchers wanted to find an application where they could go from web page to RCE, so they wrote a query to look through all extensions that used native messaging, had over 250K users, and used content scripts. This narrowed it down to roughly 200 extensions, where they started looking.

Smart card extensions were common within this category. Many companies want PKI cards to be used, but since they are not natively supported by browsers, the support lives in extensions. One of these was Extension B, with over 2 million users. The extension is injected into every page, as you'd expect. The content script listens for messages and passes them to the background script, which simply passes them on to the native application. Even though there is a source check within the event listener, the origin is read from the postMessage data itself instead of the actual origin. Yikes! Now we're getting somewhere!

The native application accepts data from the initial postMessage that we made to the extension. On the GetCertLib action, the PKCS11Lib field is concatenated directly with a user-controlled field to make a DLL path. By forcing a download in the browser and then triggering this flow, it's trivial to get code execution within the context of the native application. An awesome post on browser security protections and a terrible blunder that led to RCE. Great find in such a popular app!
Analysis Summary
# Vulnerability: Universal Remote Code Execution via Browser Extension Messaging Chain
## CVE Details
- **CVE ID**: Not Assigned (The researcher opted for coordinated disclosure, but the vendor has not released a patch or public identifier as of the publication date).
- **CVSS Score**: Estimated 8.8 (High) - [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
- **CWE**: CWE-345 (Insufficient Verification of Data Authenticity), CWE-427 (Untrusted Search Path)
## Affected Systems
- **Products**: "Extension B" (A popular Smart Card/PKI browser extension).
- **Versions**: All versions prior to July 2024.
- **Configurations**: Systems with both the browser extension and the corresponding native messaging host application installed.
## Vulnerability Description
The vulnerability arises from a broken "trust chain" between a web page, an extension content script, a background script, and a native application.
1. **Improper Origin Validation**: The extension's content script listens for `window.postMessage` events. While it contains a source check, it relies on a user-controlled field within the message data (`src: 'user_page.js'`) rather than the browser-supplied `event.origin` property, which the sending page cannot forge.
2. **Message Relaying**: The content script passes this untrusted data to the background script via `chrome.runtime.sendMessage()`, which in turn passes it directly to a native application via `chrome.runtime.sendNativeMessage()`.
3. **Path Traversal/DLL Injection**: The native application processes an action called `GetCertLib`. It takes a user-provided string from the `PKCS11Lib` field and concatenates it to a path used in `LoadPkcs11Library` (a DLL loading function) without sanitization.
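The following is an added example, not code from the extension or from the original write-up. It places the weak check described in step 1 (trust decided by a `src` field inside the message) beside a hardened listener that uses the browser-set `event.origin` and `event.source`, and adds the input validation that step 3 lacks, so that the `PKCS11Lib` value is checked before anything is relayed toward a native host. The field names `src`, `action` and `PKCS11Lib` follow the report; `ALLOWED_ORIGINS`, `ALLOWED_LIBS` and the sample events are assumptions constructed for illustration, and the code runs under Node with plain objects standing in for browser events.

```javascript
// Added example (not the extension's own code): weak vs. hardened origin
// checks for a content-script message listener, plus validation of the
// PKCS11Lib field before it is forwarded to a native messaging host.
// ALLOWED_ORIGINS and ALLOWED_LIBS are assumed values for illustration.

const ALLOWED_ORIGINS = new Set(['https://portal.example.com']); // assumption
const ALLOWED_LIBS = new Set(['vendor_pkcs11.dll']);             // assumption

// Vulnerable pattern from the report: trust is decided by a field inside
// the message body, which any page that calls postMessage can set freely.
function isTrustedWeak(event) {
  return Boolean(event && event.data && event.data.src === 'user_page.js');
}

// Hardened pattern: rely on event.origin, which the browser sets and the
// sender cannot forge, and require event.source to be the page's own window.
function isTrustedHardened(event, pageWindow) {
  if (!event || typeof event.origin !== 'string') return false;
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  if (event.source !== pageWindow) return false;
  return event.data !== null && typeof event.data === 'object';
}

// Validate the library name before it can reach the native host: reject
// path separators, traversal sequences and NUL bytes, then require a
// known library name rather than building a path from raw input.
function validatePkcs11Lib(lib) {
  if (typeof lib !== 'string' || lib.length === 0) return false;
  if (/[\\\/]/.test(lib) || lib.includes('..') || lib.includes('\0')) return false;
  return ALLOWED_LIBS.has(lib.toLowerCase());
}

// Decide whether a message may be forwarded (the step the content script and
// background script in the report performed without any of these checks).
function relayDecision(event, pageWindow) {
  if (!isTrustedHardened(event, pageWindow)) {
    return { forward: false, reason: 'untrusted origin' };
  }
  const { action, PKCS11Lib } = event.data;
  if (action !== 'GetCertLib') return { forward: false, reason: 'unknown action' };
  if (!validatePkcs11Lib(PKCS11Lib)) return { forward: false, reason: 'bad library name' };
  return { forward: true, payload: { action, PKCS11Lib } };
}

// Constructed sample events (not captured traffic). pageWindow stands in for
// the window object the content script runs in.
const pageWindow = {};
const attackerEvent = {
  origin: 'https://attacker.example',
  source: pageWindow,
  data: { src: 'user_page.js', action: 'GetCertLib',
          PKCS11Lib: '..\\..\\..\\Downloads\\payload.dll' },
};
const legitEvent = {
  origin: 'https://portal.example.com',
  source: pageWindow,
  data: { src: 'user_page.js', action: 'GetCertLib', PKCS11Lib: 'vendor_pkcs11.dll' },
};

console.log('weak check trusts the attacker page:', isTrustedWeak(attackerEvent));
console.log('hardened decision, attacker page:', relayDecision(attackerEvent, pageWindow));
console.log('hardened decision, allowed origin:', relayDecision(legitEvent, pageWindow));
```

The weak check returns `true` for the attacker-controlled event because the page simply copies the expected `src` value into its message, while the hardened path rejects it on origin alone; even a message from an allowed origin is refused once the library name carries a separator or traversal sequence, so the native host only ever sees names from a fixed allowlist.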
## Exploitation
- **Status**: PoC Available (Private/Censored in report).
- **Complexity**: Low.
- **Attack Vector**: Network (Web-based). An attacker only needs the victim to visit a malicious website.
An attacker can chain these flaws by:
1. Forcing the browser to download a malicious DLL into the user's default downloads folder.
2. Sending a `postMessage` to the extension content script with a path traversal string (e.g., `..\\..\\..\\Downloads\\payload.dll`) in the `PKCS11Lib` field.
3. The native application then loads and executes the attacker's DLL, escaping the browser sandbox.
## Impact
- **Confidentiality**: High (Full access to local system data).
- **Integrity**: High (Ability to execute arbitrary code).
- **Availability**: High (Ability to crash or take over the system).
## Remediation
### Patches
- **No official patch currently available.** The researcher noted that the vendor had not patched the issue at the time of the write-up.
### Workarounds
- **Uninstall Affected Extension**: Remove "Extension B" (Smart Card/PKI related extensions) if not strictly necessary.
- **Disable Native Messaging**: Restrict the ability of extensions to communicate with native hosts via enterprise policies if the feature is not required for business operations.
## Detection
- **Indicators of Compromise**:
- Unexpected DLL files appearing in the `Downloads` directory.
- Browser processes spawning suspicious child processes or loading DLLs from user-writable directories.
- **Detection Methods**:
- Monitor `manifest.json` files for extensions using `nativeMessaging` and broad `matches: ["http://*/*", "https://*/*"]` permissions.
- Audit JavaScript content scripts for `window.addEventListener('message', ...)` that do not validate `event.origin`.
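As an added example (not part of the original report), the audit below implements the two detection methods listed above over extension manifests and content-script sources: it flags the `nativeMessaging` permission, flags content scripts whose `matches` cover every http/https page, and applies a simple text heuristic to find `message` listeners whose source never references `event.origin`. The manifests, script snippets and extension names are constructed samples; the risk tiers and the set of patterns treated as "broad" are assumptions chosen for illustration.

```javascript
// Added example (not from the write-up): audit extension manifests and
// content-script sources for the risky combination described in the report.
// All sample data below is constructed; names and risk tiers are assumptions.

const BROAD_PATTERNS = new Set(['<all_urls>', 'http://*/*', 'https://*/*', '*://*/*']);

function usesNativeMessaging(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  return perms.includes('nativeMessaging');
}

function hasBroadContentScript(manifest) {
  return (manifest.content_scripts || []).some(cs =>
    (cs.matches || []).some(m => BROAD_PATTERNS.has(m)));
}

// Heuristic: a 'message' listener is registered but the source never reads
// event.origin (or a destructured `origin`). Text matching only; it can miss
// checks done in helpers, so treat hits as leads for manual review.
function listenerLacksOriginCheck(source) {
  const registersListener = /addEventListener\(\s*['"]message['"]/.test(source);
  const checksOrigin = /\.origin\b/.test(source) || /\{[^}]*\borigin\b[^}]*\}\s*=/.test(source);
  return registersListener && !checksOrigin;
}

function auditExtension(name, manifest, contentScriptSource) {
  const findings = [];
  if (usesNativeMessaging(manifest)) findings.push('nativeMessaging permission');
  if (hasBroadContentScript(manifest)) findings.push('content script on all http/https pages');
  if (contentScriptSource && listenerLacksOriginCheck(contentScriptSource)) {
    findings.push('message listener without event.origin check');
  }
  const risk = findings.length >= 3 ? 'high' : findings.length > 0 ? 'medium' : 'low';
  return { name, risk, findings };
}

function auditAll(extensions) {
  return Object.entries(extensions)
    .map(([name, ext]) => auditExtension(name, ext.manifest, ext.contentScript))
    .sort((a, b) => b.findings.length - a.findings.length);
}

// Constructed sample extensions (hypothetical names; not real products).
const SAMPLE_EXTENSIONS = {
  'smartcard-bridge': {
    manifest: {
      permissions: ['nativeMessaging', 'storage'],
      content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
    },
    // Mirrors the weak pattern in the report: trust decided by a data field.
    contentScript: `window.addEventListener('message', (event) => {
      if (event.data.src !== 'user_page.js') return;
      chrome.runtime.sendMessage(event.data);
    });`,
  },
  'notes-sync': {
    manifest: {
      permissions: ['nativeMessaging'],
      content_scripts: [{ matches: ['https://notes.example.com/*'], js: ['content.js'] }],
    },
    contentScript: `window.addEventListener('message', (event) => {
      if (event.origin !== 'https://notes.example.com') return;
      chrome.runtime.sendMessage(event.data);
    });`,
  },
  'theme-pack': {
    manifest: { permissions: ['storage'] },
    contentScript: '',
  },
};

for (const result of auditAll(SAMPLE_EXTENSIONS)) {
  console.log(`${result.name}: ${result.risk} (${result.findings.join('; ') || 'no findings'})`);
}
```

In practice the manifests come from the browser's extension directory or an enterprise inventory export, and the text heuristic is a triage filter rather than a verdict: an extension that checks `event.origin` inside a helper function would pass the regex even though it appears in the listener text only indirectly, so confirmed hits deserve a manual read of the listener body.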
## References
- hxxps://spaceraccoon[.]dev/universal-code-execution-browser-extensions/
- hxxps://developer[.]chrome[.]com/docs/extensions/develop/concepts/messaging
- hxxps://owasp[.]org/www-chapter-london/assets/slides/OWASPLondon_PostMessage_Security_in_Chrome_Extensions.pdf