Opera Browser Zero-Day RCE Vulnerability on Cross-Platforms

Opera’s Zero-Day RCE: It’s not a soap opera, but it sure has drama. Grab your popcorn and secure your browser!

In a recent investigation, the Guardio Labs research team surfaced a significant zero-day vulnerability in the Opera browser family. The flaw lets an attacker execute a malicious file on a Windows or macOS system (it is cross-platform) by way of a specially crafted third-party browser extension, drawing attention not just to Opera’s exposure but also to broader challenges in contemporary browser security.

 

Guardio promptly disclosed the finding to Opera, and Opera’s swift response underscores how critical collaboration between security researchers and browser developers is for safeguarding users. This article walks through the research process, the identified vulnerability, and the ongoing effort to harden browsers against a constantly evolving threat landscape.

 

Technical Deep Dive: Opera “MyFlaw” Vulnerability

 

My Flow and the Opera Touch Background Extension

 

Before getting to the RCE flaw itself, it helps to understand My Flow. The feature stands out for how smoothly it supports note-taking and file sharing between desktop and mobile devices through the Opera browser: a simple QR code scan with Opera’s mobile app opens a chat-style interface that handles the exchange of messages and files.

 

From a security standpoint, however, one detail stands out. The chat-like interface attaches an “OPEN” link to any message that carries a file, letting the user execute that file directly from the web interface. That implies an interaction between the webpage context and a system API: a file from the local file system is executed outside the usual browser constraints, with no sandbox and no limits.

 

Opera, like many contemporary browsers, is constructed on the Chromium open-source project, sharing core code, capabilities, and design. To distinguish itself and offer unique features, Opera leverages Chromium’s built-in customization options, including built-in browser extensions. 

 

These built-in extensions augment functionality and introduce new features. However, a crucial distinction lies in the fact that built-in extensions come pre-installed, cannot be disabled or controlled, and may possess broader capabilities and permissions. 

 

For those curious about these extensions, a peek into their workings is feasible through the browser’s dev tools. You can explore the inner workings of your browser by navigating to opera://inspect and selecting “Extensions.” 

 
The built-in “Opera Touch Background” extension from the Opera Inspect Window

   

The unique My Flow feature relies on the Opera Touch Background extension to handle all its internal operations. Like any typical extension, it incorporates a manifest file that outlines permissions and capabilities. Notably, the file includes an “externally_connectable” declaration:

 

"externally_connectable": {
  "matches": [
    "https://*.flow.opera.com/*",
    "https://*.flow.op-test.net/*"
  ]
}

 

This declaration means that only web resources served from the listed domains can communicate with the extension. The interaction takes place through the chrome.runtime.connect API, which gives such a webpage access to every handler the extension declares. The handlers below are among the capabilities discovered for My Flow:

 
port.onMessage.addListener(data => {
  switch (data.type) {
    case 'GET_PAIRING_TOKEN':
      wrapResponse(this.getPairingToken(data.value), data);
      break;
    case 'GET_DEVICES':
      wrapResponse(this.getConnectedDevices(true), data);
      break;
    // ...
    case 'OPEN_FILE':
      // Eventually reaches the native opr.operaTouchPrivate.openFile API (see below).
      wrapResponse(this.openFile(data.localFileName), data);
      break;
    case 'SEND_FILE':
      wrapResponse(
          this.sendFile(
              data.name, data.content, data.file_type, data.preview,
              data.messageId, data),
          data);
      break;
    case 'DOWNLOAD_FILE':
      // Writes a file under ~/Downloads/MyFlow/ (see below).
      wrapResponse(
          this.downloadFile(
              data.url, data.name, data.iv, data.messageId, data),
          data);
      break;
    // ...
  }
});
 

The Guardio Labs research team investigated the OPEN_FILE code and discovered that it eventually accesses a native private API inside the browser’s core object: opr.operaTouchPrivate.openFile(String filename)

 

Similarly, the DOWNLOAD_FILE function creates a file at a specified place on the local operating system, particularly under the ~/Downloads/MyFlow/ directory. 

 

Opera Browser My Flow Architecture

 

Possible Attack Scenarios 

 

Thinking through possible scenarios, the team anticipated a substantial attack vector: if a way could be found to invoke certain handlers, an attacker could download and execute an arbitrary payload on the targeted machine with no user involvement. That is a powerful vector with significant potential for harm.

 

The initial goal was therefore to find a way to run attacker-controlled code within the declared domains under opera.com, since the handlers can only be invoked from there. The rest of the work builds on that foothold.

 

The Guardio Labs research team points out that the DOWNLOAD_FILE and OPEN_FILE handlers are only reachable from resources within Opera-controlled domains, which acts as a security safeguard. Cross-site scripting (XSS) was the first candidate for getting code onto those pages, but the web app is hardened against XSS, so alternative routes had to be investigated.

 

Injecting Code Via Extension Manipulation

 

The team envisions a more direct approach involving a typical extension with general permissions, comparable to widely adopted tools like ad blockers. Once integrated into the browser, such an extension could potentially inject code into designated URLs, notably pages originating from flow.opera.com. 

 

The team tried a variety of ways to inject code into the pages, as shown below:

 
  • Calling chrome.tabs.executeScript using the extension API, which will inject and execute a script. Opera’s security policy, which prevents extensions from running code on their Store pages, thwarted this attempt.

  • An alternative approach is using WebRequest or DeclarativeNetRequest APIs to manipulate requests on a targeted domain. The method involves altering a page’s request for a specific resource, such as a JavaScript file.

 

Bypassing CSP/SRI in an Unexpected Manner

 

While analysing the *.flow.opera.com domain family, critical infrastructure for several Opera products, the team looked for weaknesses. Using urlscan.io, a security tool, they dug into the domain’s history and found persistent HTML pages.

 

A historical version of a landing page, dating back more than two years, lacked crucial safeguards that the current version has: it had no CSP meta tag, and it loaded a script through a script tag with no integrity check (no SRI).

 
URLscan Results — urlscan.io [Image Courtesy: Guardio Labs]

 

The external group emphasized the significance of this finding by stating:

“This is exactly what an attacker needs — an unsafe, forgotten, vulnerable to code injection asset, and most importantly — has access to (very) high permission native browser API!” 
 

Simulating “My Flow” to Send Malicious Payload

 

The team used the extension itself to simulate the mobile My Flow app’s side of sending the payload, since both talk to the same endpoint under flow.opera.com. They took the following steps:

 

1. Create a Fake Device Instance:

  • Make a request to flow.opera.com/v1/devices using the extension, including fabricated information about a mobile device and a public key for encrypting the payload.

  • Upon completion, you will be provided with a DEVICE ID and TOKEN.

 

2. Request Pairing Token:

  • Utilize the GET_PAIRING_TOKEN handler to request a pairing token from the browser.

  • Acquire a QR code value for the purpose of pairing.

 

3. Connect and Pair Devices:

  • Send data to https://flow.opera.com/v1/connect-devices to connect the fake device and pair it with the browser.

 

4. Encryption of Malicious Payload:

  • Encrypt the malicious payload using the keys exchanged earlier during device creation.

 

5. Generate the malicious file:

  • Utilize the SEND_FILE handler that the browser uses for file transfers from mobile devices.

  • Utilize the interesting side effect of this handler: it saves a copy of the sent file in the same folder where MyFlow downloads files.

6. Execution of the malicious file:

  • Trigger the OPEN_FILE call to execute the file from the local storage of the infected browser’s operating system.

 
Exploiting SEND_FILE functionality

 

Final Challenge: Transitioning from Zero to One Click

 

The research team hit one last stumbling block: a permissions barrier on the OPEN_FILE handler, which requires a particular context for the operation to proceed. Their investigation of the My Flow API found that initiating OPEN_FILE requires a click event, which turns the zero-click scenario into a one-click one. Although weaker than a zero-click, a one-click attack turned out to be remarkably simple to build, needing just a user click anywhere on the screen.

 

The team took advantage of the fact that the user had already installed the extension, disguised as an ad blocker, by reusing the familiar “Thank you for installing” screen that usually accompanies a new extension. They injected code into that tab and restyled it to look like a thank-you page, encouraging the user to click anywhere, which performs the desired action. This simple but efficient strategy shows how the team navigated and overcame obstacles throughout the research.

 

MyFlaw Exploit: A Complete POC Attack Flow on Opera

 

Let’s take a look at a thorough Proof of Concept (POC) attack sequence to see how an attacker may exploit the newly found vulnerability in Opera. This vulnerability has the potential to install malicious payloads on a large number of users’ computers worldwide.

 
  1. Extension Installation (Disguised Entry)

    1. An attacker distributes a browser extension masquerading as an AdBlocker (or similar “useful” software), enticing widespread daily installations.

    2. The extension obtains the necessary permissions, specifically DeclarativeNetRequest, which allows malicious payloads to be substituted for script requests.

  2. Handler Trigger (Automatic Trigger)

    1. After installation, the onInstalled handler opens a vulnerable page from flow.opera.com in a newly created tab.

  3. Code Injection

    1. Crafted JavaScript code is injected into the opened page, subtly altering its appearance and allowing interaction with the Opera Touch extension.

  4. Simulated Mobile Device Pairing

    1. The injected code simulates a mobile device pairing with the browser and transfers a malicious file to the system.

  5. Code Execution

    1. The user is prompted to click, which executes the transferred malicious file and ends the attack flow in less than a second.

Opera Exploit Workflow

 

The exploit, as demonstrated in the proof-of-concept run, achieves rapid file execution on the target operating system (Windows or MacOS) in seconds, highlighting its alarming malicious potential.

 

Conclusion

 

In conclusion, the MyFlaw vulnerability served as a stark reminder of the ever-evolving landscape of cyber threats. It exposed a critical security flaw within a popular browser extension, potentially impacting millions of users worldwide. However, this discovery also exemplifies the power of responsible security research and collaboration.

 

The rapid disclosure of Guardio Labs’ findings to Opera’s security team, and Opera’s prompt fix, highlight the value of open communication and quick action in minimizing exposure. It reinforces the need for ongoing collaboration between security researchers and browser developers to harden browsers against emerging security risks. As users, developers, and security professionals, staying vigilant and proactive in addressing such vulnerabilities is crucial for maintaining a secure online environment.

 

Originally published by darkrelay: Opera Browser Zero-Day RCE Vulnerability on Cross-Platforms

Copyright notice: posted by admin on 8 February 2024 at 08:31.