Microsoft patched two bugs in its Chromium-based Edge browser last week, one of which could be used by an attacker to bypass security and to remotely inject and execute arbitrary code on any website just by sending a message.
That security-bypassing bug, CVE-2021-34506, is rated CVSS 5.4, or important. Its complexity is low, and an attacker could pull it off without needing any privileges, Microsoft said when it released the fixes on Thursday. An exploit would require user interaction, though.
Microsoft said there are no known exploits; however, researchers have published a working proof-of-concept attack.
The flaw stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the Edge browser’s built-in Microsoft Translator feature: a feature through which the browser automatically prompts users to translate a webpage when the page is in a language other than those listed under the user’s preferred languages in settings.
As explained by the analysts who found and reported the bug, a UXSS is unlike your more run-of-the-mill XSS attacks in that it “exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition” and to execute malicious code. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,” they said in a posting earlier this month.
Researchers credited for the bug’s discovery are Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh, with CyberXplore Private Limited.
‘What’s Up With This перевод?’
Researchers found the vulnerability on the mail[.]ru subdomain. HackerOne offers bounties of up to $40,000 for critical issues found on mail[.]ru sites.
Given that Chrome doesn’t run automatic translation of pages from different languages, the bug hunters are in the habit of using Firefox with the penetration-testing platform Burp Suite to “play with web applications,” they said.
As they were poking around, looking for vulnerabilities on a mail[.]ru subdomain, they came across a number of issues as the Firefox browser tried to translate.
A hunt for a Firefox translation extension that could help translate the page into English turned up zip. In fact, many extensions get removed because they contain vulnerable code, the analysts said. Well, that got them thinking: How can a vulnerable extension affect browser users?
The answer: a lot. One example: 18 months ago, researchers found 500 malicious Chrome extensions secretly collecting users’ browser data and redirecting them to malware-laced websites. Those bad extensions were downloaded millions of times from Google’s Chrome Web Store before they got sniffed out and yanked.
It occurred to the analysts that extensions have “universal access to any site” on a browser. “Like, if you are on facebook.com, [your browser] can access [the] complete DOM [Document Object Model, an interface to web pages] of that page,” they wrote, including cookies or “anything” that’s “possible with javascript.” That’s when the trio set out to find a flaw in the mail[.]ru subdomain using Microsoft’s Edge browser.
Why pick on Microsoft Edge? It’s like why crooks rob banks: Because that’s where the money is.
“It Has An [sic] Bounty Program”
—CyberXplore Private Limited analysts
First, they decided to try to translate the mail[.]ru website in Microsoft Edge and to test it one last time, given that Edge had a newly updated Translator By Microsoft feature. When the analysts returned to the mail.ru site, that’s when the ka-chings started sounding. It was, in fact, “filled with XSS Payloads,” they wrote. “We found out that as soon as we translated [the] page we got so many popups on Microsoft Edge it looked strange,” they explained, so they flipped back over to Google’s Chrome browser. “This time no popup!” they said.
A little digging turned up vulnerable code in the new Microsoft Edge translator that “takes any html tags having an ‘><img’ tag without sanitising [sic] the input or converting the payload into text while translating,” the analysts described. In other words, the internal translator was taking the “><img src=x onerror=alert(1)>” payload and executing it as javascript without proper validation.
Specifically, they think that the bug is in the “startPageTranslation” code snippet.
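To make the failure mode the analysts describe concrete, here is an added JavaScript sketch (not Microsoft’s translator code): a mock translator whose output is written back into the page once as HTML and once as text, plus a check a reviewer could run on translator output. The dictionary, the sample comment and all function names are constructed for this example.

```javascript
// Constructed sample: a tiny "translation service" that maps known words and
// passes everything else through untouched, as a real service does for
// strings it does not recognise (such as a payload hidden in a comment).
const DICTIONARY = { "привет": "hello", "мир": "world" };

function mockTranslate(text) {
  // Split on whitespace but keep the separators so spacing is preserved.
  return text.split(/(\s+)/)
    .map(tok => DICTIONARY[tok.toLowerCase()] || tok)
    .join("");
}

// Escape the characters that let plain text turn into markup.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// VULNERABLE pattern: the translated string is re-inserted as HTML
// (innerHTML-style). Text that merely *looked* like a tag in the source
// page now becomes a live element whose onerror handler runs.
function writeBackAsHtml(translated) {
  return `<span class="translated">${translated}</span>`;
}

// HARDENED pattern: the translated string is re-inserted as text
// (textContent-style), so "<img" stays inert character data.
function writeBackAsText(translated) {
  return `<span class="translated">${htmlEscape(translated)}</span>`;
}

// Review check: a translated *text node* must never gain markup. Per the HTML
// tokenizer, "<" followed by an ASCII letter always opens a tag, so its
// presence inside the wrapper means text became markup.
function introducesMarkup(rendered) {
  const inner = rendered.replace(/^<span[^>]*>/, "").replace(/<\/span>$/, "");
  return /<[a-z]/i.test(inner);
}

// Constructed sample comment: a foreign-language sentence carrying the
// payload the researchers quoted.
const SAMPLE_COMMENT = 'привет мир "><img src=x onerror=alert(1)>';

const translated = mockTranslate(SAMPLE_COMMENT);
console.log("unsafe :", writeBackAsHtml(translated), introducesMarkup(writeBackAsHtml(translated)));
console.log("safe   :", writeBackAsText(translated), introducesMarkup(writeBackAsText(translated)));
```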
PoC: Just a Facebook Comment & a Dab of XSS Payload
In the proof-of-concept (PoC) shown below on Facebook, the researchers demonstrated how to trigger the attack simply by adding a comment to a Facebook video that’s written in a language other than English, along with an XSS payload.
Windows Store applications, such as Instagram, are also vulnerable to the attack, they added, given that the Windows Store uses the same Microsoft Edge Translator that can trigger this UXSS attack.
Dirk Schrader, global vice president at New Net Technologies, told Threatpost on Tuesday that vulnerabilities that exploit XSS are often prevalent because “they are difficult and time-consuming to test for automatically.”
In order to mitigate such bugs, secure coding techniques “at source” are “ultra-critical,” Schrader said. Sound basic? Yes indeed: That’s because the basics “leave most organizations at risk,” he said. Maybe these bugs are tough to fix and suck up time, but they’re worth the effort, he added: “Core security controls such as vulnerability management, patching and configuration hardening are still going to give the best return for protection vs. effort.”
The analysts reported their findings on June 3. They were awarded a $20,000 bounty on June 17, and Microsoft issued a patch last week, on Thursday.
062921 13:36: Corrected an incorrect reference to what the PoC shows: It is, in fact, a Facebook takeover that the analysts featured in their video. Also added input from Dirk Schrader.