I saw this discussion on V2EX yesterday:

Notice that Chrome’s User-Agent Switcher is a Trojan horse

https://www.v2ex.com/t/389340

For someone like me, an old hand who cares about privacy and security and has studied Chrome extension Trojans, this came as a shock. At first I thought I had fallen for it myself; it turned out I hadn’t, but the thought of what would have happened if I had is frightening.

Chrome extensions go through a security review at Google, so on the whole they can be considered reliable, but to stay on the safe side we should install any extension with a sceptical attitude by default. Pay attention: does the extension you are about to install ask for a lot of permissions? (This is much like the permission culture of Android apps, the same bad habit.) If such an extension is malicious, or has XSS, MITM or similar vulnerabilities that get exploited, the damage is severe. An extension has more power than a web page (though generally less than a local program), not least because it can ignore the same-origin policy. That means that once a malicious extension is installed, everything in the browser can be monitored and private data can be stolen.

Back in the day I exploited some extension bugs that let me, for example, get access to your Gmail just by having you open one of my links. I also wrote extension backdoors and related security tools. Back then this area was even less secure: third-party extensions could be installed at will. Installing them is much more troublesome now, but still not impossible.

Those are some of my insights from playing with Chrome extensions. As for this backdoor, I reversed it by hand fairly quickly, so here is a brief share of the experience.

The first is the backdoor extension address:

https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake

Search for any Chrome extension download service and download the extension file for analysis. For example this one:

https://chrome-extension-downloader.com/

The extension file has the CRX suffix; change the suffix to 7Z and simply extract it.

The manifest.json file contains the basic declarations this extension needs, in particular its permissions, as follows:

As you can see, this is enough to control all of Chrome’s web behaviour if it wants to.
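The manifest check above can be automated instead of renaming and unpacking by hand. The following Python script is an added example (my own, not the author’s tooling and not part of XSS’or): it strips the CRX container header (both the CRX2 and the CRX3 layout) to reach the embedded ZIP, reads manifest.json in memory, and flags permissions that give the extension broad reach over browsing. The set of “broad” permissions, the all-hosts pattern and the sample manifest are constructed for the example and are not taken from the extension discussed here.

```python
import io
import json
import re
import struct
import zipfile

# Permissions that give an extension broad reach over the user's browsing.
# This is my own selection for the example, not an official Chrome list.
BROAD_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "webNavigation",
    "cookies", "history", "debugger", "proxy", "nativeMessaging",
}
# Host patterns that match every site (scheme wildcard or http/https/file/ftp on any host).
ALL_HOSTS = re.compile(r"(\*|https?|file|ftp)://\*/.*")


def crx_payload(data: bytes) -> bytes:
    """Return the ZIP archive embedded in a CRX2 or CRX3 container.

    CRX2: "Cr24" | version=2 | pubkey length | signature length | pubkey | signature | ZIP
    CRX3: "Cr24" | version=3 | header length  | header (protobuf)  | ZIP
    All integers are 32-bit little-endian.
    """
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    if version == 3:
        (header_len,) = struct.unpack_from("<I", data, 8)
        return data[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def read_manifest(crx: bytes) -> dict:
    """Unzip the embedded archive in memory and parse manifest.json."""
    with zipfile.ZipFile(io.BytesIO(crx_payload(crx))) as zf:
        return json.loads(zf.read("manifest.json"))


def audit_permissions(manifest: dict) -> dict:
    """Collect every permission-like declaration and flag the broad ones."""
    requested = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(manifest.get(key, []))
    for script in manifest.get("content_scripts", []):  # injected into matching pages
        requested.update(script.get("matches", []))
    broad = sorted(p for p in requested if p in BROAD_PERMISSIONS or ALL_HOSTS.fullmatch(p))
    return {"requested": sorted(requested), "broad": broad}


def audit_crx(crx: bytes) -> dict:
    """Full pipeline: CRX bytes -> manifest -> permission report."""
    manifest = read_manifest(crx)
    report = audit_permissions(manifest)
    report["name"] = manifest.get("name")
    report["manifest_version"] = manifest.get("manifest_version")
    return report


# --- constructed test fixture (not a real extension) -------------------------
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "sample extension (constructed)",
    "version": "1.0",
    "permissions": ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}],
    "background": {"scripts": ["background.js"]},
}


def build_sample_crx(manifest: dict, version: int = 3) -> bytes:
    """Wrap a manifest in a CRX-shaped container. The key, signature and header
    bytes are dummies, so the result only exercises the parser."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// constructed placeholder\n")
    archive = buf.getvalue()
    if version == 2:
        key, sig = b"K" * 8, b"S" * 8
        return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + archive
    header = b"\x00" * 6
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + archive


if __name__ == "__main__":
    import sys
    # Pass a downloaded .crx path, or run without arguments to audit the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_crx(SAMPLE_MANIFEST)
    print(json.dumps(audit_crx(data), indent=2))
```

The report is deliberately a list, not a verdict: “tabs” plus “webRequest” plus an all-hosts pattern is exactly what a legitimate user-agent switcher needs, so the value of the script is in making you look at the permissions before you decide, not in deciding for you.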

Then go straight to the JS file in question: background.js, line 80, which is a large chunk of obfuscated code. It can be decoded directly with my open-source tool XSS’or (http://xssor.io).

Paste that line of code into the ENCODE/DECODE text box of XSS’or and click JS BEAUTIFY: it is decoded and beautified in one click.

The malicious code is hidden in the promo.jpg image. It is read out through the Canvas API and executed dynamically with the following technique:

document.defaultView[(typeof r.Ae).charAt(0).toUpperCase() + (typeof r.Ae).slice(1)](n)()

Since typeof r.Ae is "function", capitalising its first letter yields the string "Function", so this technique is equivalent to:

document.defaultView["Function"](n)()

that is, window.Function(n)(): the Function constructor compiles n into a function, which is then called immediately.

The n variable can be any JavaScript code.
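The loader pattern described above (payload pulled out of image pixels, constructor name assembled from typeof, execution through a computed property on the global object) leaves recognisable traces in source. As an added example that is not the post’s code and not the extension’s, here is a small static scanner in Python that reports those traces in unpacked extension JavaScript and rates a file higher when a payload source and a dynamic-execution primitive appear together. The indicator regexes, the risk rule and both sample scripts are my own constructions; the regexes will fire on plenty of legitimate code, so treat hits as a prompt for the manual debugging the post describes, not as a verdict.

```python
import re

# Each indicator is a (name, regex) pair. The regexes are my own and are
# intentionally loose; expect false positives on legitimate code.
INDICATORS = [
    ("dynamic-exec",            r"\b(?:new\s+)?Function\s*\(|\beval\s*\("),
    ("typeof-constructor-name", r"\(typeof\s+[\w.$]+\)\s*\.charAt\(0\)\s*\.toUpperCase\(\)"),
    ("window-computed-access",  r"\b(?:defaultView|window|globalThis|self)\s*\["),
    ("canvas-pixel-read",       r"\bgetImageData\s*\("),
    ("decode-primitive",        r"\batob\s*\(|\bfromCharCode\b|\bTextDecoder\b"),
    ("remote-fetch",            r"\bfetch\s*\(|\bXMLHttpRequest\b"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in INDICATORS]

EXEC_LIKE = {"dynamic-exec", "typeof-constructor-name", "window-computed-access"}
PAYLOAD_SOURCE = {"canvas-pixel-read", "decode-primitive", "remote-fetch"}


def scan_js(source: str) -> dict:
    """Map indicator name -> list of 1-based line numbers where it appears."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in COMPILED:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def risk_level(hits: dict) -> str:
    """'high' when the file both obtains a payload from an unusual place and
    executes dynamically built code; that pairing is the loader shape in the post."""
    exec_hit = EXEC_LIKE & set(hits)
    source_hit = PAYLOAD_SOURCE & set(hits)
    if exec_hit and source_hit:
        return "high"
    if exec_hit:
        return "medium"
    return "low"


def report(source: str) -> dict:
    """Convenience wrapper returning both the hits and the overall level."""
    hits = scan_js(source)
    return {"level": risk_level(hits), "hits": hits}


# Constructed sample modelled on the loader shape the post describes. It is not
# the extension's code; the "payload" here is just raw pixel bytes.
SUSPICIOUS_SAMPLE = """\
var img = new Image();
img.src = chrome.runtime.getURL('promo.jpg');
var ctx = document.createElement('canvas').getContext('2d');
ctx.drawImage(img, 0, 0);
var px = ctx.getImageData(0, 0, img.width, img.height).data;
var n = String.fromCharCode.apply(null, px);
document.defaultView[(typeof r.Ae).charAt(0).toUpperCase() + (typeof r.Ae).slice(1)](n)();
"""

# Constructed sample of what a user-agent switcher legitimately needs to do.
BENIGN_SAMPLE = """\
chrome.webRequest.onBeforeSendHeaders.addListener(function (details) {
  for (var i = 0; i < details.requestHeaders.length; i++) {
    if (details.requestHeaders[i].name === 'User-Agent') {
      details.requestHeaders[i].value = selectedAgent;
    }
  }
  return { requestHeaders: details.requestHeaders };
}, { urls: ['<all_urls>'] }, ['blocking', 'requestHeaders']);
"""


if __name__ == "__main__":
    import sys
    # Pass one or more unpacked .js files, or run without arguments to scan the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, report(open(path, encoding="utf-8", errors="replace").read()))
    else:
        print("suspicious:", report(SUSPICIOUS_SAMPLE))
        print("benign:    ", report(BENIGN_SAMPLE))
```

Run it over every .js file from the unpacked CRX; a file that scores “high” is where to set the breakpoints in the developer tools, and a “medium” hit on a large minified bundle is usually just a framework using Function or window[...] for ordinary reasons.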

When debugging, we can take these snippets and run them in the ENCODE/DECODE box of XSS’or with the EVAL CODZ function (next to the JS BEAUTIFY button). For debug output use either alert or console.log, whichever you prefer.

However, since this involves fetching the data out of the image and parsing the output, I wrote a separate page for manual debugging. Here:

http://xssor.io/s/uasbackdoor.html

Note: with a standalone page you can also debug in Chrome’s developer tools, setting breakpoints and tracing the output.

Visit it and wait a few seconds to see the contents of the n variable mentioned above (extracted from the promo.jpg image and parsed). The content is not small, as shown below:

It looks pretty confusing, but we can get to the truth. You can BEAUTIFY it further with XSS’or’s JS BEAUTIFY, but it is still hard to read because all the variable names are mangled and there is a lot of ES6 syntactic sugar, which is confusing if you are not familiar with the newer JavaScript standard.

At this point, apply the debugging tips above again and debug patiently; there is no code that cannot be worked out.

If you want a better sense of what some of the code snippets mean, it is worth taking a good look at Chrome extension development.

I am too lazy to expand on the rest of the hands-on details here. From last night’s brief debugging I can conclude that this extension really does have backdoor functionality, but I was too lazy to dig into the details of its logic, and how much harm it does is not clear at present. Still, I want to share this article so that people are aware of the threat posed by malicious Chrome extensions and are careful when using less trusted extensions. You can run a packet capture to see whether any strange requests are being sent, and if you are up to it, audit the extension yourself: its source code is easy to obtain by the method above, since it is all front-end stuff after all.


One more advertisement: if you want to keep up with security incidents and exchange security skills, you can join our paid circle “security skills tree”. 🙂

—————–

Lazy-thought, an official WeChat account

Maintained by a couple of hackers, all lazy, all trying to change something