[Greasemonkey] Alternative script injection technique proof of
concept
John Plsek
gm at plsek.id.au
Thu Jul 21 17:52:04 EDT 2005
Okay ... of the two issues, the minor problem is script-leakage, the
major problem being the "exposure" of the GM_ functions.
With the latest 0.4 (not 0.4.1) that I have (I think it was attempt 3,
release 3!) I've been looking into the exploit. So far, the only way
I've seen the GM_ functions get grabbed is through
window.watch("GM_apis", xxx);
Making the following changes in dochandler.js stops that method:
var toInject = ["(function(",
"GM_xmlhttpRequest, GM_registerMenuCommand, GM_setValue, ",
"GM_getValue, GM_log, GM_openInTab) { delete
window.GM_apis; ",
getContents(getScriptChrome(script.filename)),
"\n}).apply(this, window.GM_apis);"
].join("");
+ var saveUnwatch=this.contentWindow.unwatch; // ???
+ var saveWatch=this.contentWindow.watch; // ???
+ delete this.contentWindow.unwatch;
+ delete this.contentWindow.watch;
+ this.contentWindow.unwatch("GM_apis");
this.contentWindow.GM_apis = [xmlhttpRequest,
registerMenuCommand,
setValue,
getValue,
log,
GM_openInTab];
scriptElm.appendChild(this.contentWindow.document.
createTextNode(toInject));
this.contentWindow.document.body.appendChild(scriptElm);
this.contentWindow.document.body.removeChild(scriptElm);
+ if(saveUnwatch) this.contentWindow.unwatch=saveUnwatch; // ???
+ if(saveWatch) this.contentWindow.watch=saveWatch; // ???
}
GM_log("* injected '" + script.name + "':"+script.flag);
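Review bot: The wrapper still ends in `.apply(this, window.GM_apis)`, and that call resolves in the content window, so a page that has assigned its own Function.prototype.apply receives the whole GM_apis array as its second argument before the user script runs; the added unwatch lines do nothing against that. The same gap applies to the hook removal itself: `delete this.contentWindow.unwatch` only strips an own property on window, so a page that replaced Object.prototype.unwatch (or .watch) rather than shadowing it on window still decides what `this.contentWindow.unwatch("GM_apis")` actually calls. Suggest the fix be framed as not storing the privileged functions on any property the page can reach or observe, rather than removing one known hook before the assignment; as the message already says, the two save/restore pairs marked // ??? add nothing and can be dropped.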
The saveWatch/saveUnwatch lines are purely so that "legitimate replacements"
of window.watch/unwatch aren't clobbered ... although I don't see why a
legitimate script would do that, plus it means Greasemonkey scripts
can't "redefine" them either. I'm of the opinion the lines I marked //
??? are unnecessary.
Let me know what you think ... does this resolve the "major" security
issue? Or is there some other way the GM_ functions can be retrieved by
a malicious script?
John
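The leak described in the message above, as an added example that is not the author's patch or Greasemonkey's code. Firefox's window.watch()/unwatch() were removed from the browser years ago, so the page's hook is modelled here as an accessor property on a plain object standing in for this.contentWindow; an accessor intercepts the assignment `window.GM_apis = [...]` exactly as a watchpoint did. Everything named below (makeHostilePage, injectNaive, injectUnhookThenAssign, injectHardened, privilegedApis, lockSlot, runInPage) is introduced for this example. It goes one step beyond the message: it also models a hook the page has made non-removable, shows that the "remove the hook, then assign" approach of the patch is defeated by it, and shows an injector that installs the property with a data descriptor (which never invokes a setter) and refuses to inject when that fails.

```javascript
// Added example, not Greasemonkey's code: a stand-alone model of the GM_apis
// leak. Firefox's window.watch() is gone, so the page's hook is modelled as an
// accessor property; both intercept the assignment `window.GM_apis = [...]`.

// Stand-in for the privileged functions the injector hands to user scripts
// (constructed for this example; the real GM_ functions are not used).
const privilegedApis = [
  function GM_log(msg) { return `[GM_log] ${msg}`; },
];

// A page that has pre-registered a hook on GM_apis. lockSlot=true models a hook
// the page made non-configurable, which no delete (or unwatch) can remove.
function makeHostilePage({ lockSlot = false } = {}) {
  const win = {};          // stands in for this.contentWindow
  const stolen = [];       // what the page managed to capture
  let held;
  Object.defineProperty(win, 'GM_apis', {
    configurable: !lockSlot,
    enumerable: true,
    get() { return held; },
    set(value) { stolen.push(value); held = value; },
  });
  return { win, stolen };
}

// Same shape as the toInject wrapper in the message: the API functions arrive
// as named parameters and the window property is deleted before the script
// body runs. `return` is added so the model can observe the script's result.
function buildWrapper(userScript) {
  return `return (function(GM_log) { delete window.GM_apis; ${userScript} })` +
         `.apply(this, window.GM_apis);`;
}

function runInPage(win, userScript) {
  // new Function stands in for appending a <script> element to the page body.
  return new Function('window', buildWrapper(userScript)).call(win, win);
}

// 1. The 0.4 behaviour: plain assignment, so any hook on the property fires.
function injectNaive(win, userScript) {
  win.GM_apis = privilegedApis;
  return runInPage(win, userScript);
}

// 2. The patch's idea: remove the page's hook, then assign. Enough against a
//    hook that can be removed, useless against one that cannot.
function injectUnhookThenAssign(win, userScript) {
  Reflect.deleteProperty(win, 'GM_apis');   // like unwatch(); false if locked
  win.GM_apis = privilegedApis;
  return runInPage(win, userScript);
}

// 3. Hardened: install GM_apis as a data property. defineProperty never calls
//    a setter, own or inherited, so a hook cannot see the value; if the slot is
//    locked it throws, and we refuse to inject rather than leak.
function injectHardened(win, userScript) {
  try {
    Object.defineProperty(win, 'GM_apis', {
      value: privilegedApis, writable: true, configurable: true, enumerable: false,
    });
  } catch (e) {
    return { injected: false, reason: 'GM_apis slot is hooked and locked by the page' };
  }
  return { injected: true, result: runInPage(win, userScript) };
}

// Run all three injectors against removable and locked hooks.
function demo() {
  const script = "return GM_log('user script ran');";
  const r = {};
  let p;

  p = makeHostilePage();
  injectNaive(p.win, script);
  r.naiveLeaks = p.stolen.length === 1 && p.stolen[0][0] === privilegedApis[0];

  p = makeHostilePage();
  r.unhookResult = injectUnhookThenAssign(p.win, script);
  r.unhookLeaksOnRemovableHook = p.stolen.length > 0;

  p = makeHostilePage({ lockSlot: true });
  injectUnhookThenAssign(p.win, script);
  r.unhookLeaksOnLockedHook = p.stolen.length > 0;

  p = makeHostilePage({ lockSlot: true });
  const refused = injectHardened(p.win, script);
  r.hardenedRefusesLockedHook = !refused.injected && p.stolen.length === 0;

  p = makeHostilePage();
  const ok = injectHardened(p.win, script);
  r.hardenedRuns = ok.injected && ok.result === '[GM_log] user script ran';
  return r;
}

console.log(JSON.stringify(demo(), null, 2));
```

The model deliberately covers only hooks on the property itself. A page can also replace Function.prototype.apply in its own realm and receive the array through the wrapper's `.apply(this, window.GM_apis)` call; no treatment of the property closes that path, which is why the durable fix is to hand the functions to the user script without ever going through a page-visible property.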