A vulnerability in LastPass was discovered and "fixed" this past weekend. I will discuss this in class. The extension/plugin version with the fix is 4.1.45. In Chrome, you can find the version of the extension in Settings. Click Extensions in the left navigator bar and scroll down to find LastPass. The version is listed next to the name.
Original Tweet
The original tweet was posted on March 25 (https://twitter.com/taviso/status/845717082717114368):
"Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way."
Publication in Press:
From: https://arstechnica.com/security/2017/03/potent-lastpass-exploit-underscores-the-dark-side-of-password-managers/
Developers of the widely used LastPass password manager are scrambling to fix a serious vulnerability that makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.
The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google's Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.
"It will take a long time to fix this properly," Ormandy said. "It's a major architectural problem. They have 90 days, no need to scramble!"
In a blog post published Monday, LastPass officials thanked Ormandy for alerting them to the bug and said a fix was on the way. In the meantime, they said LastPass users should protect themselves by entering stored passwords into websites using the LastPass vault as a launch pad for opening websites and entering passwords and enabling two-factor authentication on sites that offer it.
"This attack is unique and highly sophisticated," the blog post warned. "We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete."
The vulnerability is the third one Ormandy has privately reported to LastPass this month. Last week, he described bare-bones details of two different flaws found in LastPass extensions for multiple browsers. LastPass developers quickly implemented changes on their server that made the flaws harder to exploit and released patches two days later.
The string of vulnerabilities underscores the tradeoff that comes from use of any password manager. Storing dozens, hundreds, or even thousands of passwords in a single place poses catastrophic risks should that resource be breached. Exploits become easier by convenience features that, for example, store encrypted password vaults in Internet-accessible locations or automatically paste passwords into websites. Ultimately, password managers likely make the average user safer because they make it possible to use long, complex, and unique passwords. And that protects people in the event that their password is exposed in website breaches, which are much more common than real-world password manager exploits.
LastPass Response:
On Saturday, March 25th, security researcher Tavis Ormandy from Google’s Project Zero reported a security finding related to the LastPass browser extensions. In the last 24 hours, we’ve released an update which we believe fixes the reported vulnerability in all browsers and have verified this with Tavis himself.
Most users will be updated automatically. Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at https://www.lastpass.com/.
Now that the issue is resolved, we want to provide a postmortem to our community on what the report entailed and how we are building a better, more secure LastPass going forward. Please note, due to the nature of the vulnerability, this postmortem is highly technical.
Overview
- This was a client-side vulnerability in the LastPass browser extensions and could be exploited to steal data and manipulate the LastPass extension
- Exploiting required luring a user to a malicious website (through phishing, spearphishing, or other attack), or to a trusted website running malicious adware
- This requires a per-user attack that must be executed through the user’s local browser
- All extensions have now been updated with the fix and submitted to the extension stores
- Our mobile apps for Android, iOS, and Windows Phones were not affected
- All of your LastPass browser extensions should be updated to version 4.1.44 or higher
- Check the LastPass extension icon > More options > About LastPass for your version number
- Most users should be updated automatically, but the latest versions can always be downloaded at https://www.lastpass.com/
- Uninstalling is not required to download the updated version
This client-side vulnerability in the LastPass browser extensions was caused by the way LastPass behaves in “isolated worlds”. As noted in the report, “an isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared. Without isolated worlds, unprivileged pages could interfere with higher privileged scripts, and make them do whatever they want.” In the case of those running the binary version of the extension, which is less than 10% of LastPass users, it could have been manipulated to allow remote code execution (RCE) on the extension.
“Isolated worlds” and Trusted Pages
A major part of how LastPass works is content scripts. Content scripts are snippets of JavaScript that we inject into 3rd-party sites in order to capture login information and perform autofill. These are a major part of what makes LastPass so useful. In turn, the content script communicates with the rest of the extension to do the heavy lifting: decrypting saved sites, updating the vault, and so on. The rest of the extension is completely inaccessible to 3rd-party sites and should not be able to influence the content scripts.
The content scripts are ordinarily set apart from the rest of the site through the concept of “isolated worlds”. Isolated worlds means our content scripts can read the DOM contents of a 3rd party site, but not any internal JavaScript functions or variables. The reverse also applies: The 3rd party site cannot call any functions or access any variables in our content scripts. The separation is supposed to keep both sides safer from external manipulation.
In some cases, these variables can influence the logic of the content script. It is difficult to inject arbitrary values into JavaScript using this technique. But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version.
Our assumption was that we could trust the global scope in which our content scripts run, and this proved not to be the case. Consequently, there were many locations in our JavaScript where it was possible for externally-supplied, global variables to override a default value.
Fixing the issue
Immediately after we received the full report, a cross-functional response team investigated and validated the findings. It was clear that addressing the issues would require a significant change to our browser extensions. This was not a simple patch, and required a thoughtful, thorough fix. Those changes then needed to be applied and tested across all affected extensions.
To fix, we addressed variable handling and added the Proxy object to the outer scope of the content script, acting as a “sandbox” to prevent externally-supplied window properties from being read within the content script. To further mitigate RCE, we put in place restrictions on the types of attachments that the extension can launch and limited the available extension APIs.
We worked directly with Google’s Project Zero to verify that our fixes were comprehensive. Once the fix was ready for all affected extensions, we were able to have them reviewed by all stores and pushed to users very quickly. We want to thank our partners at Apple, Google, Microsoft, Mozilla, Opera, Yandex and others who fast-tracked our extension review and release.
Looking ahead
We strongly urge other extension developers to look for this pattern in their code and ensure they are not vulnerable.
We’re in the business of password management; security is and always will be our top priority. We greatly appreciate the work of the security community who challenges our product and works with our teams to ensure we’re delivering a secure service for our users. As a market leader, we get the best of the best testing LastPass and in return our software and our customers benefit.
In an effort to maintain the highest level of security, we will continue to partner with white-hat security researchers and provide incentives to participate in our bug bounty program (https://bugcrowd.com/lastpass). Stay tuned for more to come on this.
Thank you,
The LastPass Team
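The two patterns the postmortem above describes, the content script that lets an "externally-supplied, global variable override a default value" and the Proxy placed in front of the window as a "sandbox", as an added JavaScript example that is not LastPass's code. It also includes the kind of grep-style check that "look for this pattern in their code" asks of other extension developers. Everything in it is hypothetical: `makeWindow` is a constructed stand-in for the window object, `lp_trusted_host` is an invented global, and the mechanism by which a page gets a property onto the shared window is not modelled, only the consequence of the content script reading it.

```javascript
// Added example, not LastPass's code. Names are hypothetical; the way a page
// plants a property on the shared window object is not modelled here.

const DEFAULT_TRUSTED_HOST = "lastpass.com";

// Constructed stand-in for the window object a content script sees.
// `pageSuppliedProps` are properties the page, not the extension, put there.
function makeWindow(hostname, pageSuppliedProps = {}) {
  return Object.assign({ location: { hostname } }, pageSuppliedProps);
}

// Vulnerable pattern: consult a global first and use the extension's own
// default only when the global is absent. A page-supplied string wins, so a
// "trusted page" check built on it passes on the wrong page.
function isTrustedPageVulnerable(win) {
  const trustedHost = typeof win.lp_trusted_host !== "undefined"
    ? win.lp_trusted_host
    : DEFAULT_TRUSTED_HOST;
  return win.location.hostname === trustedHost;
}

// Sandbox: a Proxy in front of the real window that forwards only an explicit
// allowlist of properties. Every other read resolves to undefined, so each
// content-script default applies whatever the page defined, and
// `name in win` reports false for page-supplied names.
const WINDOW_ALLOWLIST = new Set(["location", "document"]);

function sandboxWindow(realWindow) {
  return new Proxy(Object.create(null), {
    get(_target, prop) {
      return WINDOW_ALLOWLIST.has(prop) ? realWindow[prop] : undefined;
    },
    has(_target, prop) {
      return WINDOW_ALLOWLIST.has(prop);
    },
    // The content script never publishes globals to the page through this object.
    set(_target, prop) {
      throw new TypeError(`refusing to set window.${String(prop)} through the sandbox`);
    },
  });
}

// Hardened check: the same lookup, run against the sandboxed window. This is
// the systemic fix for "many locations" that read globals: each lookup no
// longer has to be found and rewritten individually to become safe.
function isTrustedPageHardened(realWindow) {
  return isTrustedPageVulnerable(sandboxWindow(realWindow));
}

// Review aid: list globals that are read with a fallback default. Regex-based
// triage for code review, not a parser; assumes plain ASCII identifiers.
function findGlobalFallbackReads(source) {
  const patterns = [
    /typeof\s+(?:window\.)?([A-Za-z_$][\w$]*)\s*!==?\s*["']undefined["']/g, // typeof x !== "undefined"
    /\bwindow\.([A-Za-z_$][\w$]*)\s*\|\|/g,                                 // window.x || default
    /\b([A-Za-z_$][\w$]*)\s*=\s*\1\s*\|\|/g,                                // var x = x || default
  ];
  const names = new Set();
  for (const re of patterns) {
    for (const m of source.matchAll(re)) names.add(m[1]);
  }
  return [...names].sort();
}

// Constructed sample source for the review aid.
const SAMPLE_SOURCE = [
  'var h = typeof lp_trusted_host !== "undefined" ? lp_trusted_host : "lastpass.com";',
  "var p = window.lp_public || false;",
  "var lp_debug = lp_debug || 0;",
].join("\n");

// Constructed page: wrong host, with the global already planted on the window.
const hostilePage = makeWindow("evil.example", { lp_trusted_host: "evil.example" });
console.log("vulnerable check on hostile page:", isTrustedPageVulnerable(hostilePage)); // true
console.log("hardened check on hostile page:", isTrustedPageHardened(hostilePage));     // false
console.log("globals read with fallback:", findGlobalFallbackReads(SAMPLE_SOURCE));
```

The `has` trap matters as much as `get`: the content script's own "is this defined?" tests must agree with its reads, so both traps answer from the same allowlist. The regex review aid only finds the three spellings it knows; the durable check is the sandbox, which makes a missed lookup harmless rather than relying on finding every one.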