The time has come to explain my Google Gears exploit, now that Google has begun pushing the fix for this issue out to users automatically.
The issue lies in how the parameters of the getPermission function in the Factory class are handled. The values a page passes to Gears through this function (customName, customImage and customMessage) are handed to the JavaScript object, which then passes them on to a modal dialog box asking the user whether they really want to let Gears be used from that page.
I discovered that the parameters are handed from the JavaScript object (both the IE gears.dll and the Firefox XUL object) to the dialog as a JSON object. I stumbled upon the problem by encoding a backslash as a Unicode escape. Gears decoded it and dropped the resulting backslash into the JSON text unescaped, right in front of the closing double quote of the customName value:
{
"customIcon" : "http://1.2.3.4/gears/gears_sm_1.png",
"customMessage" : "Trusted Google Code Gears Application for Pwning U",
"customName" : "Google Code
\",
"origin" : "http://1.2.3.4",
}
As you might imagine, this completely broke the parsing in the modal dialog code: the backslash escapes the closing quote, so the string never terminates, and the resulting unhandled exception was what clued me in to how deep the problem went. From there I was able to inject my own text into the JSON object and supply my own origin:
{
"customIcon" : "http://1.2.3.4/gears/gears_sm_1.png",
"customMessage" : "Trusted Google Code Gears Application for Pwning U",
"customName" : "Google Code
","origin":"http://code.google.com"}",
"origin" : "http://1.2.3.4",
}
And these were the resulting dialog boxes that popped up, in both IE and Firefox.
The really interesting part is how the dialog's JSON parsing was set up: it only checked that the text was valid JSON up to the first '}' character, so everything after that, including the real origin value that Gears had appended, was never even looked at.
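The following JavaScript models the two weaknesses described above, as an added example rather than Gears' own code: a dialog-argument serializer that builds the JSON text by string concatenation with no escaping, and a consumer that parses only up to the first '}'. The parameter names (customName, customIcon, customMessage, origin) and the sample URLs follow the JSON shown in the post; the function names, the two payload strings and the hardened variants are my own assumptions about how the pieces fit together.

```javascript
// Added example (not Gears' code): a model of the two weaknesses in the
// getPermission dialog described above. Parameter names follow the post;
// function names, payloads and the hardened variants are assumptions.

// Constructed sample values, taken from the JSON shown in the post.
const ATTACKER_ORIGIN = 'http://1.2.3.4';
const ICON = 'http://1.2.3.4/gears/gears_sm_1.png';
const MESSAGE = 'Trusted Google Code Gears Application for Pwning U';

// Payloads for the customName parameter (constructed, modelled on the post):
// a lone trailing backslash, and a string that closes the value, adds an
// "origin" key and closes the object early.
const PAYLOAD_BACKSLASH = 'Google Code\\';
const PAYLOAD_SPOOF = 'Google Code","origin":"http://code.google.com"}';

// Flawed serializer (model): page-controlled strings are concatenated into
// the JSON text with no escaping, so '"', '\' and '}' inside them become
// JSON syntax instead of data.
function buildDialogArgsNaive(origin, customName, customIcon, customMessage) {
  return '{\n' +
    '  "customIcon" : "' + customIcon + '",\n' +
    '  "customMessage" : "' + customMessage + '",\n' +
    '  "customName" : "' + customName + '",\n' +
    '  "origin" : "' + origin + '"\n' +
    '}';
}

// Flawed consumer (model of "valid up to the '}'"): parse the prefix ending
// at the first closing brace and silently ignore whatever follows it.
function parseDialogArgsLax(text) {
  const end = text.indexOf('}');
  if (end === -1) throw new Error('no object in dialog arguments');
  return JSON.parse(text.slice(0, end + 1));
}

// Hardened serializer: JSON.stringify escapes quotes, backslashes and
// control characters, so no caller-supplied value can leave its string.
function buildDialogArgsSafe(origin, customName, customIcon, customMessage) {
  return JSON.stringify({ customIcon, customMessage, customName, origin });
}

// Hardened consumer: the entire message must be exactly one JSON object;
// trailing bytes are an error, not something to skip.
function parseDialogArgsStrict(text) {
  const args = JSON.parse(text);
  if (args === null || typeof args !== 'object' || Array.isArray(args)) {
    throw new Error('dialog arguments are not an object');
  }
  return args;
}

// Runs each payload through both pipelines and reports what the dialog
// would have believed the origin to be.
function demo() {
  const r = {};
  const naiveBackslash = buildDialogArgsNaive(ATTACKER_ORIGIN, PAYLOAD_BACKSLASH, ICON, MESSAGE);
  const naiveSpoof = buildDialogArgsNaive(ATTACKER_ORIGIN, PAYLOAD_SPOOF, ICON, MESSAGE);
  const safeSpoof = buildDialogArgsSafe(ATTACKER_ORIGIN, PAYLOAD_SPOOF, ICON, MESSAGE);

  // 1. The backslash escapes the closing quote of customName, so the text
  //    no longer parses: this is the unhandled exception the post mentions.
  try { parseDialogArgsLax(naiveBackslash); r.backslashParsed = true; }
  catch (e) { r.backslashParsed = false; }

  // 2. The injected "origin" sits before the first '}' and the real one
  //    after it, so the lax consumer reports the attacker's choice.
  r.laxOrigin = parseDialogArgsLax(naiveSpoof).origin;

  // 3. Proper escaping keeps the whole payload inside customName.
  const safeArgs = parseDialogArgsStrict(safeSpoof);
  r.safeOrigin = safeArgs.origin;
  r.safeName = safeArgs.customName;

  // 4. Even the unescaped text is rejected by a strict consumer, because
  //    the real "origin" line is now trailing garbage after the first '}'.
  try { parseDialogArgsStrict(naiveSpoof); r.strictRejects = false; }
  catch (e) { r.strictRejects = true; }
  return r;
}

console.log(demo());
```

Run with node: the naive path yields a parse error for the backslash payload and a spoofed origin for the injection payload, while the JSON.stringify/JSON.parse path keeps the payload as an inert customName value and rejects the concatenated text because of its trailing garbage. The two fixes are independent and both matter: escaping must be done by a real serializer rather than by hand, and the consumer must insist that the whole message is one well-formed object. Beyond that, a value the page controls should never be the thing a trust dialog shows as the origin; the origin belongs in a field only the browser side can write.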
This issue allowed me, as an attacker, to make a user believe the code on my page was a code.google.com Gears application (or one from any other domain I chose).
This raises the question: how can a user make an informed decision about what to trust if it's possible to make them believe the request came from a trusted location?
Answer: they can't.
Labels: computers, firefox, gears, google, injection, internet explorer, json, security