Vulnerability in AdBlock and uBlock filters allows arbitrary code to be executed on the user side

    Under a number of conditions, the $rewrite filter option introduced in AdBlock, AdBlock Plus and uBlock with update 3.2 dated July 17, 2018 allows arbitrary code to be executed on the web page displayed to the user, the armin.dev blog reports.

    Here is how the problematic function is described in the AdBlock patch itself:
    This patch implements a new filter option $rewrite, which allows authors of filter lists to prevent the display of (mainly video) advertisements that previously could not be blocked on a number of websites.
    The described vulnerability affects all three of the mentioned ad blockers, whose combined audience exceeds 100 million users. It can be used to attack any web service, including, for example, any of Google’s resources. The problem is widespread: the attack succeeds equally on any popular browser and does not depend on its version.

    The vulnerability went unnoticed for almost 9 months and has only now been found.

    Essence of the attack

    The source blogger explains that the $rewrite option is used by AdBlock and the other blockers mentioned to prevent user tracking and block ads by redirecting requests made from the visited web page. For example, $rewrite can redirect or handle requests of the types SCRIPT, SUBDOCUMENT, OBJECT and OBJECT_SUBREQUEST.

    An attack is possible if the website uses XMLHttpRequest or Fetch to download and execute fragments (snippets) of code while at the same time allowing arbitrary requests to be made.

    That is, to carry out an attack, three conditions must be met:

    1. The web page loads a JS string using XMLHttpRequest or Fetch and executes the returned code.
    2. The web page does not use Content Security Policy validation directives and does not verify the final URL before executing the downloaded code.
    3. The source of the fetched code supports a server-side redirect or contains arbitrary user-generated content.

    It would seem that these are a lot of conditions, and CSP is far from a novelty in web development. However, the main threat of the vulnerability lies not in how it works but in how it spreads.
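    The second condition above is the one a site owner controls directly: whether the final URL of the response is checked before the returned text is executed. The following is an added example, not code from the article, from armin.dev or from any of the ad blockers, showing the unsafe loader pattern the conditions describe next to a hardened version that refuses to run code whose response URL (the URL after any redirect) is not on a trusted origin. The origin `snippets.example`, the function names and the fake `fetch` (constructed so the example runs offline and so that a redirect to an untrusted source can be simulated) are all assumptions of this example.

```javascript
// Added example: a snippet loader that verifies the final response URL before
// executing anything. Not the article's or the ad blockers' own code.
// fetchImpl is injected so the example runs offline against a constructed fetch.

// Constructed trusted origin; a real site would list its own script host(s).
const TRUSTED_ORIGINS = new Set(["https://snippets.example"]);

// True only for an https URL whose origin is in the trusted set. data:, blob:
// and malformed URLs never pass (data: URLs parse with origin "null").
function isTrustedFinalUrl(finalUrl, trustedOrigins = TRUSTED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(finalUrl);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" && trustedOrigins.has(parsed.origin);
}

// Unsafe pattern from the article's conditions: whatever comes back is executed,
// regardless of where the request actually ended up.
async function loadSnippetUnsafe(fetchImpl, url) {
  const res = await fetchImpl(url);
  const code = await res.text();
  return new Function(code)();
}

// Hardened pattern: res.url is the URL after redirects; execute only if it is
// still on a trusted origin, otherwise fail closed.
async function loadSnippetChecked(fetchImpl, url, trustedOrigins = TRUSTED_ORIGINS) {
  const res = await fetchImpl(url);
  if (!res.ok) throw new Error(`snippet request failed: ${res.status}`);
  if (!isTrustedFinalUrl(res.url, trustedOrigins)) {
    throw new Error(`refusing to execute code served from ${res.url}`);
  }
  const code = await res.text();
  return new Function(code)();
}

// Constructed fake fetch: reports a chosen final URL so that a redirect away
// from the requested origin (what a malicious rewrite rule would cause) can be
// simulated without any network access.
function makeFakeFetch(finalUrl, body) {
  return async (_requestedUrl) => ({
    ok: true,
    status: 200,
    url: finalUrl,
    text: async () => body,
  });
}

// Runs both loaders against a clean response and a redirected one and returns
// the outcomes so they can be inspected (or asserted on).
async function demo() {
  const requested = "https://snippets.example/widget.js";
  const clean = makeFakeFetch(requested, "return 'widget ok';");
  const redirected = makeFakeFetch("https://evil.example/x.js", "return 'untrusted code ran';");

  const results = {
    unsafeRedirected: await loadSnippetUnsafe(redirected, requested), // executes anyway
    checkedClean: await loadSnippetChecked(clean, requested),         // allowed
    checkedRedirected: null,                                          // expected to refuse
  };
  try {
    await loadSnippetChecked(redirected, requested);
  } catch (e) {
    results.checkedRedirected = e.message;
  }
  return results;
}

demo().then((r) => console.log(r));
```

    The check relies on `Response.url` reflecting the final URL after redirects, which browsers' Fetch implementations provide; an XMLHttpRequest-based loader would check `responseURL` in the same place. This complements rather than replaces a Content Security Policy, since the check only runs in code the page author controls.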

    Since the filter systems of AdBlock, AdBlock Plus and uBlock are vulnerable, the way to “infect” the end victim is extremely simple: through the filters’ auto-update system. It is no secret that a large share of users rely on ready-made filter lists rather than configuring them themselves. In that case, the author of a filter package can roll out a malicious update, carry out the attack, and then roll the package back, thereby “covering their tracks”.

    Ways to fight

    The easiest way to protect yourself from this vulnerability is to switch to uBlock Origin. This ad blocker does not support the $rewrite option, so the described attack cannot be carried out through it.

    Otherwise, at your own risk, you can wait for the next AdBlock update. Literally a few hours after the publication on the armin.dev blog, this blog entry appeared on the blocker’s official blog with a reaction to the $rewrite vulnerability.

    In it, the AdBlock administration assures that, although the vulnerability is specific, they take the security of their audience extremely seriously, and in the next update the $rewrite option will be removed from AdBlock.

    Also, according to the administration’s assurances, they check all filter lists and have now double-checked them. Based on the results of the audit, the administration reports that none of the existing filter lists contained the described method of attacking users. Given that only about four hours elapsed between the original post and the response on the AdBlock blog, we can only applaud the responsiveness of the blocker’s team.

    At the same time, removing the $rewrite option from the project is a step backward for AdBlock, since it was originally created to combat pop-up video ads. Now those will return for the sake of universal security. In addition, the speed with which it was decided to remove $rewrite from the project entirely shows that even though the attack is specific, the consequences of carrying it out at scale look too grim.
