*36C3 preroll music*

Herald: The next speaker works as a
security consultant at Payatu software

labs, and he loves finding security flaws
in the Microsoft Edge browser. And

incidentally, this is the topic for this
next talk. So please give a big round of

applause to Nikhil Mittal.

*applause*

Nikhil Mittal: So, welcome to the talk:
Breaking Microsoft Edge Extensions

Security Policies. My name is Nikhil, I
work at Payatu Labs. And I am into web

browser vulnerability research. So to
start with this presentation, I would like

to know how many of you uses browser
extensions in general, like... Oh, nice.

So many of us. OK. So a browser extension
is something that extends the

functionality of your web browsers. We
have a typical examples like Adblock Plus,

which I think most of the people uses to
block the ads on some certain sites like

YouTube. And Grammarly and some sort of
password managers as well. So these

extensions are capable of managing most of
your data because they can handle the

cookies, bookmarks, storage, passwords,
history and what not. So that being said,

we all have to agree on a point that these
extensions are powerful, because they can

deal with your cookies, bookmarks and
other sensitive information in the

browsers. So here is how simple AdBlock
Plus extension looks like on Microsoft

Edge, which is pretty much doing its job.
Now. Have you ever tried to figure out

what this extension is capable of doing in
your browser? So if you look at the

settings. Here we have a couple of
permissions, which I've listed down on the

next slide. So it's simple Adblock Plus
extension, can read and change content on

websites that you visit. It can read and
change your favorites. It can see the

websites you visit. It can read and change
anything you send or receive. And it can

also store personal browsing data on your
browser and it can also display

notifications as well. So there are so
many things a simple Adblock Plus

extension can able to do in your browser.
So you might ask like how browsers

recognize these permissions, like a
extension is able to do so many things in

my browser. But how does browser recognize
like where are these permissions coming

from? So here is a permission modeling
browser extensions. So under the source of

every extensions, we have a file called as
manifest.json and inside of manifest.json

file we have a permission area. So, here's
a quick example of a permission area,

where we have some permissions. So the
first one is a https://www.google.com,

which we'll see right after this slide.
The next permission we have is bookmarks

and cookies, history, storage and tabs. So
let's suppose an extension has a

permissions with the bookmarks and
cookies. So that means that extension can

handle your bookmarks. It can manipulate
them. It can edit them. It can remove them

and what not. So the same goes with the
cookies, history as well. And there are

other important permissions as well
available for the browsers. So apart from

these permissions, the most interesting
permission that I was looking for is the

host access permissions. So the host
access permission is something that

defines on which certain domains your
browser extensions should able to run. So

in this case, let's suppose we have
assigned a permissions to a

https://www.google.com. So that means this
extension should able to run on Google.com

only, not even the subdomain that is
developer.google.com or mail.google.com.

So this you can also verify with the tiny
box that says this is allowed to read and

change content on some sites
www.google.com. Now the second permission

we could have in this here is
https://*.google.com. So basically this

also covers the subdomains as well. And
the third possible permission we can have

is *://*.google.com. So basically this is
now not only I'll work on google.com, but

basically on all the protocols as well,
which is HTTP, HTTPS, might be FTP. That

belongs to the particular domain. So apart
from these three permissions, we have the

another permission in the roll, which is
. This permission is so special

because once a browser extension is
assigned to all_urls permissions that can

execute Javascript code on every domain
that you visit. So let's suppose you are

on google.com or maybe you're on bing.com
or anything else it will work on most

probably on every domain. But there are
few restrictions with the all_urls

permissions. That is, it cannot run on
privileged pages. So if privileged pages

in browser is something that contains some
sort of sensitive settings on your browser

data, so you might heard of
chrome://settings, which contains the

password manager for Chrome. And also you
can identify the credit card and debit

card information on chrome://settings as
well. So you can imagine a situation once

the extension is able to run a Javascript
code on Chrome setting page then it can

probably read, or it can steal all of your
passwords and credit and debit card

information as well. So on the Edge, we
have a similar page, which is about:flags.

So here you can see one extension with
 permission is assigned. It can

read and change content on websites you
visit. As for the Edge. So here's a quick

snap of about:flags in Edge. And so if you
look at the first part, you will figure

out there are a few embedded permissions.
Like you can enable Adobe Flash Player.

You can also enable developer features.
And also you can enable and disable allow

an unrestricted memory consumption for the
Web pages as well. And it also has some

standard previews features, like you can
enable / disable some experimental

Javascript features as well. So now you
can imagine what the sensitivity of this

page contains, okay? So let's quickly
build an extension. So that will break

most of the things in Edge. So as I said,
every extension has a manifest.json file

which has all the permission and other
configurations. The second file that we

will be needing is popup.html. So
popup.html is nothing, but it's just

interface for the browser extension. So
basically you might have noticed as soon

as you click on any of the browser
extension, a pop up appears on your window

for that contain some sort of functions.
That is nothing but just a popup.html

file. And then again we have a popup.js
which has all the Javascript code that

executes according to the actions chosen
by the popup.html. So this is how our

extension should have looked. And on the
edge. So we have seen a tiny Microsoft

logo and as soon as you click on it, a
popup will appear. It says, I am the evil

extension and I have two options. The
first one is open. The second one is

execute. So as soon as you click on the
open button, what it does is it will load

google.com on the browser. And as soon as
you click on the execute button, it will

just alert(1) for you. So basically. So
basically the interface is written in

popup.html. And again, as soon as you
click on execute, so the work is done by

popup.js. So let's quickly look at the
source code for the manifest.json file.

The thing to notice here is that you can
figure out the permission area on line

number 10, which is set to
http://www.google.com. That means it's

clear that this extension should be able
to run on google.com only. I mean not on

the subdomains even. So here's the source
code for the popup.html, which is just a

simple HTML file that has two buttons. The
first one is open, the second one is

execute. And it has a popup.js at the end.
So here we have the popup.js. So in very

brief manner. What it does is as soon as
you click on the open button, it loads

google.com. And as soon as you click on
the execute button, it calls the

JavaScript. It alerts document.domain for
you. So there are so many APIs available

for the browser extensions that you can
use like history API and some sort of

proxys API, tabs API. But for me this tabs
API was so interesting because it allows

you to play with different tabs like it
has some function, methods inside, like

tabs.create. So what it does is it allows
you to create a new tab with any arbitrary

domain and it also has tabs.update. And
what it does is it allows you to update

the page with the next URI. And
tabs.duplicate is also important because

it allows you to make a exact replica of
an already open tab. The next method is

tabs.executeScript. So this is pretty
simple. This allows you to execute

JavaScript code and tabs.hide and
tabs.reload, which is pretty easy. And

there are so many other methods as well.
So out of them. The most interesting one

for me was create and update and also the
duplicate method. So let's say if you want

to load a new. So let's say if you want to
load bing.com on a new tab using a browser

extension so you can just write this five
lines of code that calls

browser.tabs.create. And then it passes a
URL which is https www.google.com. So this

is as far as the documentation and this is
for the good boys like not for us. So as

an evil mind, like I was interested to
know, like what would happen if I tried to

load local files instead of a normal
domain? So then I replaced the bing URL

with a particular local file URI to try to
figure out like how browser will treat it.

Will it open it or not? So so the next
moment Edge gives me this nice error.

Like, ok, I can't reach this page and you
make sure you have got the right web

address. That is ms-browser-extension and
then the part for the extension and it

appends the file URI part in the last. So
basically is assumes that this is a

relative path and I'm going to add it with
the extension path and I'm going to try

and I'm going to open it. So since that
particular path doesn't exist, it gives us

an error. So this is not a thing with the
extension as well. But this is in general

like any of the browser. They don't allow
you to load local files at any cost

because this might lead an issue to steal
your local systems files so you can see

the image and the Edge and Chrome
browsers. So here I am trying to load

local files using the Javascript. So every
time it says okay, we are not allowed to

do that because we care about our users
and we will protect them. So since we

figured out this browser.tabs.create
method was not working for us, the next

method that I was looking for the update.
So I tried the same thing with the update

method and somehow it worked for me. So
next. Once I figured out, okay, now I can

load the local files. Now I want to load
the privileged pages because they're also

interesting for me. And it was also
working fine for me at the moment. So here

you can see as well as you click on the
open button browser load, say local file

for me and also a privilege page on Edge.
So I've reported this back to Microsoft,

but, and they quickly responded back to me
saying we don't support download API. So

even if you load the local files, you have
no way to steal it. Like, you literally

cannot do anything by loading the local
files. And we are not going to fix it. So

I said, okay, let's do it another way. So
the next moment the idea came to my mind

is to use the JavaScript URI. A JavaScript
URI is something that start with the

Javascript protocol. It has a particular
syntax like first javascript and then

colon and then the Javascript code. Here
we have a simple examples like as soon as

the a href javascript:alert(1), it gets
rendered in the browser and you click on

the test, a Javascript code will pop up on
your browser. So the good thing about the

JavaScript URI is that they execute in the
main domains reference unlike the data

URIs. So you can look into the image. We
have javascript URI and the data URIs as

well, that points to alert
document.domain. And one Javascript URI

says I'm on htmleditor.squarefree.com.
While the data URI said the null domain.

So basically the data URI was supposed to
execute on the main domains reference a

couple of years back, but then it creates
a lot of mess with the browser. So browser

vendors they decided to execute in the
null domain reference to just to make it

do the safe. So at this point of time I
decided, ok Javascript URIs are like the

best candidate for us, so why not try it?
So I've tried the same Javascript URI with

browser.tabs.create and again, it was, it
doesn't work for me. But again, we have a

friend called dot update method. I tried
the same thing with the JavaScript URI

that points to browser.tabs.update, which
again calls

javascript:alert(document.domain). And it
worked for me this time. So you can figure

it out with this picture. This extension
should have able to run on Google dot com.

Now we are on a big dot com and if you
click on the open button, we have a

Javascript code execution on bing.com.
This is how bad it was, because that's a

total violation of the privacy, because
the user believes that this extension

shouldn't be able to run on the other
domain, except the google.com. So this was

again reported to the Microsoft saying,
okay. So in the last time I reported like

I'm able to load the local files, but you
said I'm not going to fix it. And now we

have a JavaScript code execution as well.
So then again, they said: Okay, like we

got your concern. We understand what
you're trying to say, but can you also

alert users's cookies as well? Like, is it
possible to steal the user's cookies? Then

I said, okay, why not? So instead of
document or domain, you can just use

document.cookie to pop up users cookies as
well. So. Since we have host access

permission bypass on Edge so we can steal
Google e-mails, even Facebook data or

anything like that. So to demonstrate this
attack, let's suppose we have a simple

Google E-mail. It says, I'm a secret
e-mail and I have some coupon code for

thousand dollar cashback. And then there
we have some random coupon code. So to

demonstrate this attack, you can see I'm
using browser.tabs.update that points to a

certain Javascript URI and what it does is
it fetches the particular e-mail with the

particular ID and opens a new tab and send
it to the leak.html. And further, what

leak.html does is it copies the value from
location.hash and write it onto the page.

So as soon as you click on the open
button, if you are on mail.google.com, it

will steal the particular e-mail and
display it back on the attackers domain.

So this is how I was able to steal the
google e-mails. So this proof of concept

was sent to the Microsoft and the same
thing with the local files as well. Like I

thought, okay, now it's working for the
domain. Now what if we tried with the same

thing with the local files as well? So
yeah, in this case it was, it worked as

well. So if you remember in the last in
the past when we were able to load local

files, but Microsoft says, OK, we are not
going to fix it because we don't support

download API. And now we have a Javascript
code execution on local files as well. So

we can chain both of these bugs to steal
the local files as well. So here's a

simple proof of concept. So at first what
we are doing is browser.tabs.update that

points to a file URI. And again,
browser.tabs.update that points to a

javascript URI. So Microsoft was like, OK.
Now we have to fix. But what is next? So

so far we have Javascript code execution
on local files. We also have host access

permission bypass. Now what is next? So
the next thing that came to my mind is

always the privilege pages, as I already
explained the sensitivity of the

privileged pages. So the next moment I was
so excited that this will work on the

privileged pages as well. So again, I
wrote this five line of code and tried to

execute in reference to about:flags. And
surprisingly, it was not, it wasn't

working for me. And I was so surprised,
like why this is not working and like

shaking my head, like, what is wrong? So
the next moment I was trying to figure out

what is wrong with this implementation,
like why it is not working. Maybe there

are some errors in the console. So I try
to open the developer console to figure

out the possible errors. But you can see
there is no such errors at all. So the

reason for that is most of the pages like
the sensitive pages in the browsers like

Chrome, Firefox and even in Edge are
protected by the CSP to make sure there

shouldn't be any JavaScript code
execution. But we cannot see any CSP

errors here as well, which was pretty
strange for me. So then again, I asked to

myself, like, why this black magic is not
working on privileged pages. Even when we

don't have the CSP error, maybe this time
Edge is playing smart. Do we have any

other way to load about:flags in Edge?
Then the next idea that came to my mind is

to use the res protocol. So res protocol
is something that is used to fetch some

sort of resources from a module. So
instead of about:flags, we can call

res://edgehtml.dll/flag.htm and the next
moment it worked. So...

*applause*

Mittal: So this way we have now Javascript
code execution on privileged pages as

well, which is pretty bad. So once you
have Javascript code execution on

privileged pages, you can enable and
disable Adobe Flash Player and there are

other methods, other possible options
which we have already discussed, can also

be possible with the same type, with the
same thing. So again, what we need to do

is to call browser.tabs.update that points
to edgehtml.dll/flags.htm. And again, a

file, again some sort of javascript URI to
fetch, get element by ID and then click on

it. So it will toggle the Adobe Flash
Player setting on the Edge. Again, what is

next? So this was pretty enough for me.
But again, like I was trying to figure out

if we can do something else as well. And
then I start with the reading mode. So a

reading more is a feature implemented in
Edge, which renders a page in a way that

is like kind of pretty easy to read. So in
this process, Edge makes sure that there

shouldn't be any Javascript code execution
on the page. The main purpose for reading

mode is that to provide the users, to
provide a simplified page to the users. So

basically there should not be any
advertisement or something like that. So

for that reason, browser vendors, they
make sure there shouldn't be any

Javascript code execution on reading mode.
And there was one bug with the reading

mode as well, like you cannot put any
document in the reader mode until unless

browser identified its compatibility. But
you can append the read: protocol in the

in the first and then the URL that points
to some sort of domain and then Edge will

load the particular resources in the
reading mode as well. So fortunately, I

tried the same attack on the reading mode
as well. But since the reading more was

protected with their certain CSP and then,
so you can see the CSP error. It says we

do not allow inline script and it really
blocked by the Edge. So reading mode was

kind of safe, at least for the test cases,
but in some certain test cases it worked

for me, but I was not able to I was not
able to reproduce it further. So that's

why I marked it as safe. The other
possible features we can have is the

Javascript code execution on other
extension pages. Like again, you can

imagine a situation: We have... You can
imagine a situation when one extension is

able to disable another extension in
browser, like how bad it will be. So

again, now we are on a internal page that
belongs to Adblock Plus. And if we tried

to run our extension on this page, then
again, we have a CSP violation issues. So

that was safe. The next thing was some CSP
privilege issues because the host

permission will not work if there is any
CSP error. So next, I tried to figure out

if we can use the execute script API to
figure out how to deal with the CSP. So

let's assume we have a page where the CSP
is implemented properly and we have a host

permission for the same. So you can see
the code where we are saying the content

security policy, which is set to default-
src self. And we are using

browser.tabs.executeScript which this code
and then where we have to pass the

JavaScript code, which is a simple
alert(document.domain). So the way

extensions deal with the CSP is that most
of the browsers, they will allow

Javascript from any extensions until
unless they will try to change the DOM

tree of particular documents. So let's
suppose we have the first example right

here. In this case, so as I said, let's
assume we are on a page which has a

perfect CSP in place like this. And we
tried to change the DOM for that

particular page. So the possible base we
have is either we can use document.write

or we can use document.body.innerHTML and
then insert the Javascript code. And then

the other possible way we have is to
generate a random element and then write

inside it. So all these ways to manipulate
the particular DOM tree on a CSP protected

page was not allowed by most of the
browsers like Firefox and Chrome, but it

was not protected in case of Edge like the
executeScript API as straightforward as

execute any of the Javascript code on any
domain, whether you try to change on,

whether you tried to change the DOM on a
CSP protected page or not. Like it doesn't

matter for it. So to conclude with this
presentation is that Edge extensions are

still in development. Most of the APIs are
not supported till the time because and

the Edge that it has moved to the new
Chromium based browser as well. So I'm not

sure whether there is started developing
extensions API or not, but the ActiveTab

is one of the interested permission to
work on because it allows you to execute

Javascript code on the current domain. So
if you are able to perform the same sort

of the same attack of the tabs API as
well. So pretty much you can have all what

I presented here as well. So Microsoft,
they finally decided to fix this bug in

March 19 update with the highest possible
bounty they have with the CVE-2019-0678.

Now, that's it.

Herald: So thank you, Nikhil for an
interesting talk. If you have questions

about the talk, we have three microphones,
one, two and three in each one of the

aisles. If you have a question, please
come to the microphone. We'll start from

microphone number three.
Question: Hi. And thank you for the

interesting talk. I have one question. Is
this back or is this API also relevant for

the new, for the new Edge coming in
January based on Chromium engine?

Mittal: No, I guess. So the APIs are the
same, but since the new Edge is running on

Chrome so they will not support this API
because of they use some others calling

conventions, I guess, I believe. Does that
answer your question?

Q: Yeah. But I have a second one.
Herald: Yeah. Go for it.

Q: Okay. And the second one is you tried
to open the pages via the res Protocol.

But the functionality of those pages, is
it also handled by Edge while opening it

through the res protocol, not about the
about protocol?

Mittal: Yes, I guess.
Q: Okay. They were also working?

Mittal: Yeah.
Q: Okay. Thank you.

Herald: Any more questions from the crowd
or from the internet? Okay. Then another

round of applause for Nikhil for a great
talk.

*36c3 outro music*