Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Universal Code Execution by Chaining Messages in Browser Extensions

Space Raccoon, posted 1 year ago
  • The article opens by surveying how code in isolated browser contexts can still talk to each other: between web pages there is postMessage; a content script reaches its extension's background script with sendMessage; and the background script can reach a native application installed on the host through native messaging.
  • They wanted a target where a web page could be chained all the way to RCE, so they queried a dataset of extensions for ones that use native messaging, have over 250K users and ship content scripts. That narrowed the field to roughly 200 extensions, which is where they started looking.
  • Smart card extensions were common in this set. Many companies require PKI cards, and since browsers don't support them natively, the support lives in extensions. One of these was Extension B, with over 2 million users.
  • As you'd expect, the content script is injected into every page. It listens for postMessage events and forwards them to the background script, which simply passes them on to the native application. There is a source check in the event listener, but it compares an origin value stored inside the postMessage data (which the sender controls) rather than the browser-supplied event.origin, so any page can spoof it. Yikes! Now we're getting somewhere!
  • The native application then acts on the data from the attacker's original postMessage. For the GetCertLib action, the PKCS11Lib field is directly concatenated with a user-controlled field to build a DLL path. Force the browser to download a DLL, then trigger this flow with a path pointing at it, and you get code execution in the context of the native application.
  • An awesome post on browser security protections and a terrible blunder that led to RCE. Great find in such a popular app!
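To make the origin-check bug concrete, here is an added example (not code from the post or from the extension it describes) that simulates the page -> content script -> background -> native host chain in plain Node.js. The GetCertLib action and PKCS11Lib field names come from the summary above; the trusted origin, the vendor directory, the allowlist, the native-side path handling and the sample messages are assumptions made for illustration. The vulnerable listener checks an origin field inside the sender-controlled payload; the hardened one checks the browser-supplied event.origin, which a page cannot forge.

```javascript
// Added example (not from the original post or the extension it describes).
// In a real content script the browser fills in event.origin from the sending
// window and the sender cannot forge it; event.data is whatever the sender put
// in postMessage(). The plain objects below mimic that shape so this runs offline.

const TRUSTED_ORIGINS = new Set(["https://portal.example"]); // assumed allowlist

// --- Content-script side --------------------------------------------------

// Vulnerable check, as described in the post: the "origin" being compared is a
// field inside the sender-controlled payload, so any page can claim to be trusted.
function vulnerableShouldForward(event) {
  const msg = event.data;
  if (!msg || typeof msg !== "object") return false;
  return TRUSTED_ORIGINS.has(msg.origin); // wrong: sender-controlled value
}

// Hardened check: use the browser-supplied event.origin, then validate the payload.
function hardenedShouldForward(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false; // authoritative origin
  const msg = event.data;
  if (!msg || typeof msg !== "object") return false;
  return typeof msg.action === "string";
}

// --- Native-host side (assumed behaviour, modelled on the post's description) ---

const VENDOR_DIR = "C:\\Program Files\\Vendor\\"; // assumed install directory

// Vulnerable: the user-controlled PKCS11Lib value is concatenated straight into
// the path, so "..\\" traversal picks any DLL the attacker can place on disk.
function vulnerableResolveLibrary(pkcs11Lib) {
  return VENDOR_DIR + pkcs11Lib;
}

// Hardened: accept only a bare file name from a fixed allowlist, no separators.
const ALLOWED_LIBS = new Set(["vendor_pkcs11.dll"]); // assumed
function hardenedResolveLibrary(pkcs11Lib) {
  if (typeof pkcs11Lib !== "string") return null;
  if (/[\\/]/.test(pkcs11Lib)) return null; // reject any path component
  if (!ALLOWED_LIBS.has(pkcs11Lib)) return null;
  return VENDOR_DIR + pkcs11Lib;
}

// --- The chain: page -> content script -> background -> native host ---------
// Returns the DLL path the native host would load, or null if blocked at any hop.
function simulateChain(event, shouldForward, resolveLibrary) {
  if (!shouldForward(event)) return null;       // content-script hop
  const msg = event.data;                        // background script just relays it
  if (msg.action !== "GetCertLib") return null;  // native-host dispatch
  return resolveLibrary(msg.PKCS11Lib);
}

// Constructed sample messages (not captured from any real extension).
// Attacker page: the real origin is evil.example, but the payload claims
// portal.example and points PKCS11Lib at a DLL the page previously forced the
// browser to download.
const attackerEvent = {
  origin: "https://evil.example",
  data: {
    origin: "https://portal.example",
    action: "GetCertLib",
    PKCS11Lib: "..\\..\\Users\\victim\\Downloads\\evil.dll",
  },
};
// Legitimate page asking for the vendor's own module.
const legitEvent = {
  origin: "https://portal.example",
  data: { origin: "https://portal.example", action: "GetCertLib", PKCS11Lib: "vendor_pkcs11.dll" },
};

console.log("vulnerable chain loads:", simulateChain(attackerEvent, vulnerableShouldForward, vulnerableResolveLibrary));
console.log("hardened chain loads:  ", simulateChain(attackerEvent, hardenedShouldForward, hardenedResolveLibrary));
```

Run it with node: the vulnerable chain resolves the attacker's traversal path under the vendor directory, while the hardened chain returns null because the content script rejects the forged origin before the message ever reaches the background script. Both fixes matter independently: even with a correct origin check, a trusted page that is itself compromised (XSS) could still reach the native host, so the native side should never build a load path from a field it received over the wire.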