Opera's Zero-Day RCE: It's not a soap opera, but it sure has drama. Grab your popcorn and secure your browser!
In a recent investigation by the Guardio Labs research team, a significant zero-day vulnerability surfaced within the popular Opera web browser family. This flaw, allowing attackers to execute malicious files on Windows or MacOS systems (cross-platform) through a specially crafted third-party browser extension, brings attention not just to Opera's susceptibility but also highlights broader challenges in contemporary browser security.
Upon promptly disclosing this finding to Opera's team, their swift response underscores the critical collaboration between security researchers and browser developers in safeguarding users. This article delves into the intricacies of the research process, the identified vulnerability, and the ongoing efforts to fortify digital experiences against the constantly evolving landscape of cyber threats.
Technical Deep Dive: Opera "MyFlaw" Vulnerability
My Flow and the Opera Touch Background Extension
Moving from the realm of Opera's My Flow to the discovery of the RCE Flaw, the My Flow feature captures attention for its smooth operation in facilitating note-taking and file sharing between desktop and mobile devices via the Opera browser. The process involves a simple QR code scan using Opera's mobile app, opening up a chat-style interface that effortlessly handles the exchange of messages and files.
Yet, from a cybersecurity standpoint, a notable concern arises. The chat-like interface introduces an "OPEN" link to any message containing an attached file, allowing users to directly execute the file from the web interface. This suggests a potential interaction between the webpage context and the system API, enabling the execution of a file from the file system outside the usual browser constraints, devoid of a sandbox and limits.
Opera, like many contemporary browsers, is constructed on the Chromium open-source project, sharing core code, capabilities, and design. To distinguish itself and offer unique features, Opera leverages Chromium's built-in customization options, including built-in browser extensions.
These built-in extensions augment functionality and introduce new features. However, a crucial distinction lies in the fact that built-in extensions come pre-installed, cannot be disabled or controlled, and may possess broader capabilities and permissions.
For those curious about these extensions, a peek into their workings is feasible through the browser's dev tools. You can explore the inner workings of your browser by navigating to opera://inspect and selecting "Extensions."
The unique My Flow feature relies on the Opera Touch Background extension to handle all its internal operations. Like any typical extension, it incorporates a manifest file that outlines permissions and capabilities. Notably, the file includes an "externally_connectable" declaration:
"externally_connectable": {
"matches": [
"https://*.flow.opera.com/*",
"https://*.flow.op-test.net/*"
]
}
This declaration signifies that only web resources within the specified domains can communicate with the extension. The interaction occurs through the chrome.runtime.connect API, providing the webpage with access to all the declared handlers within this robust extension. The below were special capabilities discovered for MyFlow:
port.onMessage.addListener(data => {
switch (data.type) {
case 'GET_PAIRING_TOKEN':
wrapResponse(this.getPairingToken(data.value), data);
break;
case 'GET_DEVICES':
wrapResponse(this.getConnectedDevices(true), data);
break;
...
case 'OPEN_FILE':
wrapResponse(this.openFile(data.localFileName), data);
break;
case 'SEND_FILE':
wrapResponse(
this.sendFile(
data.name, data.content, data.file_type, data.preview,
data.messageId, data),
data);
break;
case 'DOWNLOAD_FILE':
wrapResponse(
this.downloadFile(
data.url, data.name, data.iv, data.messageId, data),
data);
break;
...
}
});
The Guardio Labs research team investigated the OPEN_FILE code and discovered that it eventually accesses a native private API inside the browser's core object: opr.operaTouchPrivate.openFile(String filename).
Similarly, the DOWNLOAD_FILE function creates a file at a specified place on the local operating system, particularly under the ~/Downloads/MyFlow/ directory.
Possible Attack Scenarios
When considering possible scenarios, the group anticipates a substantial attack vector: uncovering a way to execute certain handlers might allow for the download and execution of any payload without needing user involvement on the targeted machine. This reveals a powerful attack vector with significant harmful potential.
To tackle this challenge, the initial goal was to identify a pathway for running controlled code within the declared domains under opera.com. This exploration involves navigating the complexities of invoking handlers, setting the stage for a nuanced and potentially impactful series of actions.
The Guardio Labs research team highlights that DOWNLOAD_FILE and OPEN_FILE handlers are only accessible to resources within Opera-controlled domains, serving as a security safeguard. Cross-site scripting (XSS) was initially identified as a potential exploitation method, but since the webpage is fortified against XSS vulnerabilities, alternative tactics must be investigated.
Injecting Code Via Extension Manipulation
The team envisions a more direct approach involving a typical extension with general permissions, comparable to widely adopted tools like ad blockers. Once integrated into the browser, such an extension could potentially inject code into designated URLs, notably pages originating from flow.opera.com.
The team tried a variety of ways to inject code into the pages, as shown below:
Calling chrome.tabs.executeScript using the extension API, which will inject and execute a script. Opera's security policy, which prevents extensions from running code on their Store pages, thwarted this attempt.
An alternative approach is using WebRequest or DeclarativeNetRequest APIs to manipulate requests on a targeted domain. The method involves altering a page's request for a specific resource, such as a JavaScript file.
Bypassing CSP/SRI in an Unexpected Manner
During the analysis carried out by the group on the *.flow.opera.com domain family, a critical infrastructure for various Opera products, potential vulnerabilities have been unearthed. Through the use of urlscan.io, a security tool, this group delved into the domain's history and uncovered persistent HTML pages.
A historical version of a landing page, dating back over two years, lacked crucial security measures now present in the current version. These missing safeguards included the CSP meta tag, and contains a script tag without any integrity check (no SRI).
The external group emphasized the significance of this finding by stating:
"This is exactly what an attacker needs — an unsafe, forgotten, vulnerable to code injection asset, and most importantly — has access to (very) high permission native browser API!"
Simulating “My Flow” to Send Malicious Payload
The team utilized the extension itself to simulate the part of sending the payload using the My Flow application, as they both use the same endpoint under flow.opera.com. They took the following steps:
1. Create a Fake Device Instance:
Make a request to flow.opera.com/v1/devices using the extension, including fabricated information about a mobile device and a public key for encrypting the payload.
Upon completion, you will be provided with a DEVICE ID and TOKEN.
2. Request Pairing Token:
Utilize the GET_PAIRING_TOKEN handler to request a pairing token from the browser.
Acquire a QR code value for the purpose of pairing.
3. Connect and Pair Devices:
Send data to https://flow.opera.com/v1/connect-devices to connect the fake device and pair it with the browser.
4. Encryption of Malicious Payload:
Encrypt the malicious payload using the keys exchanged earlier during device creation.
5. Generate the malicious file:
Utilize the SEND_FILE handler that the browser uses for file transfers from mobile devices.
Utilize the interesting side effect of this handler: it saves a copy of the sent file in the same folder where MyFlow downloads files.
6. Execution of the malicious file:
Trigger the OPEN_FILE call to execute the file from the local storage of the infected browser’s operating system.
Final Challenge: Transitioning from Zero to One Click
The research team discovered a last stumbling block in their process: a permissions barrier for the FILE_OPEN function, which required a certain context for the operation to occur. Their investigation of the My Flow API found that initiating the OPEN_FILE action requires a click event, resulting in a shift from a zero-click to a one-click attack scenario. Despite its lessened strength, the researchers discovered that a one-click assault was remarkably simple to design, needing just a user click anywhere on the screen.
The team took advantage of the fact that users had previously installed the extension, disguised as an ad blocker, by using the familiar "Thank you for installing" screen that usually comes with new extensions. They injected code into this tab and modified it to seem like a Thank you page, encouraging the user to click wherever to perform the desired action. This simple but efficient strategy demonstrated the team's capacity to navigate and overcome obstacles throughout their research activities.
MyFlaw Exploit: A Complete POC Attack Flow on Opera
Let's take a look at a thorough Proof of Concept (POC) attack sequence to see how an attacker may exploit the newly found vulnerability in Opera. This vulnerability has the potential to install malicious payloads on a large number of users' computers worldwide.
Extension Installation (Disguised Entry)
An attacker distributes a browser extension masquerading as an AdBlocker (or similar "useful" software), enticing widespread daily installations.
The extension gains the necessary permissions, specifically DeclerativeNetRequest, which allows malicious payloads to be substituted for script requests.
Handler Trigger (Automatic Trigger)
After being installed, the OnInstalled handler initiates the opening of a vulnerable page from flow.opera.com in a newly created tab.
Code Injection
Crafted JavaScript code is injected into the opened page, subtly altering its appearance and allowing for interaction with the Opera Touch Extension.
Simulated Mobile Device Pairing
The injected code simulates a mobile device pairing with the browser and transfers a malicious file to the system.
Code Execution
The user is prompted to click, which initiates the execution of the transferred malicious file and ends the attack flow in less than a second.
The exploit, as demonstrated in the proof-of-concept run, achieves rapid file execution on the target operating system (Windows or MacOS) in seconds, highlighting its alarming malicious potential.
Conclusion
In conclusion, the MyFlaw vulnerability served as a stark reminder of the ever-evolving landscape of cyber threats. It exposed a critical security flaw within a popular browser extension, potentially impacting millions of users worldwide. However, this discovery also exemplifies the power of responsible security research and collaboration.
The rapid disclosure of Gaurdio Labs' findings with Opera's security team and their prompt reaction to providing a fix highlight the value of open communication and quick action in minimizing vulnerabilities. It reinforces the need for ongoing collaboration between security researchers and browser developers to fortify digital experiences against emerging security risks. As users, developers, and security professionals, staying vigilant and proactive in addressing such vulnerabilities is crucial for maintaining a secure online environment.
References:
Register for instructor-led online courses today!
Check out our free programs!
Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.
Comments