Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

XSS to RCE in the Opera Browser

Renwa - Opera (posted 4 years ago)
  • In the Opera browser, My Flow is a shared space between your computer and phone that lets you send links, images, videos and many other things between devices. That looks like a good attack surface!
  • web.flow.opera.com is the domain that loads this data. It appears to be a plain HTML page and can be inspected with the browser dev tools. The page talks to a browser extension, but that extension was not visible in the browser's extension list.
  • Why is this? Opera can ship hidden "component" extensions, which is really interesting! Launching Opera with the flag --show-component-extension-options makes the hidden extensions visible, and one of them is Opera Touch Background.
  • This is a special browser extension with a lot of permissions, so finding an XSS in it would essentially be game over. Looking at the page, they found the code below:
    // Drop handler in the Opera Touch Background extension page, as quoted on
    // this page: the dragged markup is read out of the DataTransfer object.
    const html = e.dataTransfer.getData('text/html');
    // The regular expression is missing from the page as extracted; it captures
    // the piece of the dragged markup that ends up in src[1].
    const src = html.match(/…/);
    if (src && src[1]) {
       // Sink: the captured string is parsed as HTML, so any markup supplied by
       // the dragging page (an onerror handler, say) runs in the extension's origin.
       const parser = document.createElement("span");
       parser.innerHTML = src[1];
    }
    
  • This code runs when an image is dragged onto the page. The vulnerability is user-controllable input flowing straight into the DOM through innerHTML. An attacker who controls that input gets script execution in the context of the extension page.
  • The dataTransfer object of something being dragged does NOT have to carry the location of an image; it can hold anything the dragging page chooses. Setting the text/html data to <img src=x onerror=alert(1)> pops an alert, confirming the XSS.
  • To make this more believable, the author builds a PoC with a little social engineering to demonstrate the impact. When you start dragging the image, the page redirects to the flow site. When you release the drag, the vulnerable code runs and the XSS fires. Can we go further though?
  • The Opera Touch Background extension had a large set of permissions. Most importantly, it had the SEND_FILE and OPEN_FILE permissions. With these, the XSS can write an executable script to a file and then open it, which runs it on demand.
  • I really appreciated the convincing PoC, with the drag & drop into the redirect. Then, besides the XSS, they took this bug a step further to pop a shell. The impact of this bug is awesome, and it could have been used for some real damage.
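To make the bug class concrete, here is an added example of my own (not code from Renwa's writeup or from Opera): a drop handler with the same shape as the vulnerable one, next to a hardened version that never lets dragged markup reach innerHTML. The regexes, the constructed payloads and the `extractImageUrl`/`buildImage` helper names are my assumptions; the writeup's own regex is not on this page. The pure helpers run in Node, and the drag/drop wiring at the end only executes in a browser.

```javascript
// Added example (not Renwa's writeup code nor Opera's): the drop-handler bug
// class from the page, beside a hardened version.

// Constructed sample inputs: what an attacker page and an ordinary page would
// place in the text/html slot of the DataTransfer on dragstart.
const ATTACKER_PAYLOAD = '<img src=x onerror=alert(1)>';
const BENIGN_PAYLOAD = '<img src="https://example.com/cat.png" alt="cat">';

// Vulnerable shape of the handler: a regex pulls the <img ...> element out of
// the dragged HTML and the matched string is what gets assigned to innerHTML.
// The regex is my own stand-in; the writeup's pattern was lost in extraction.
// Whatever the dragging page wrote (event handler attributes included) is
// parsed as live HTML in the extension page's origin.
function vulnerableFragment(draggedHtml) {
  const m = draggedHtml.match(/<img\b[^>]*>/i);
  return m ? m[0] : '';
}

// Hardened: take only the src attribute value as a string and accept it only
// if it is an absolute http(s) URL. Nothing from the drag is treated as markup.
function extractImageUrl(draggedHtml) {
  const m = draggedHtml.match(
    /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i
  );
  if (!m) return null;
  const raw = m[1] || m[2] || m[3];
  let url;
  try {
    url = new URL(raw);            // throws on "x", relative paths and garbage
  } catch (err) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return null;                   // drops javascript:, data:, file: and friends
  }
  return url.href;
}

// Build the element through the DOM API so the URL is an attribute value,
// never parsed. `doc` is passed in so the function is testable without a DOM.
function buildImage(doc, url) {
  const img = doc.createElement('img');
  img.src = url;
  img.alt = '';
  return img;
}

if (typeof document !== 'undefined') {
  // Attacker side (what the social-engineering page in the writeup would do):
  // replace the drag payload so text/html carries the XSS string.
  document.addEventListener('dragstart', (e) => {
    e.dataTransfer.setData('text/html', ATTACKER_PAYLOAD);
  });
  // Victim side, fixed: consume the drop with the hardened extraction.
  document.addEventListener('dragover', (e) => e.preventDefault());
  document.addEventListener('drop', (e) => {
    e.preventDefault();
    const url = extractImageUrl(e.dataTransfer.getData('text/html'));
    if (url) document.body.appendChild(buildImage(document, url));
  });
}
```

The point of the hardened version is that the drop handler only ever extracts a string, validates it as a URL with an allowed scheme, and assigns it as a property; the sanitizer is not a denylist of dangerous tags but a refusal to parse dragged data as HTML at all.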