
Nevertheless, in the bug report, Ormandy said LastPass initially told him that “they couldn’t get my exploit to work, but I checked my Apache access logs and they were using a Mac. It doesn’t seem like rocket science to grasp that Windows Calculator will only run on Windows.”

If you are running a vulnerable LastPass browser extension version, then Ormandy’s proof-of-concept demonstration will run Windows Calculator.
[Image: LastPass Chrome extension code]
If “Binary Component” is installed – it is on by default in Firefox and Internet Explorer – then, Ormandy said, “This even allows arbitrary code execution.” In case you don’t know, remote code execution (RCE) is a critical vulnerability, about as bad as a flaw gets; you could think of it like the devil – unless of course you are a bad guy wanting to remotely control your target’s computer, in which case it would be your friend. His bug report explained that there are hundreds of internal privileged LastPass RPC commands, and LastPass users certainly wouldn’t want bad actors accessing RPCs that would allow their passwords to be copied.

“There are a lot of RPCs, allowing complete control of the LastPass extension, including stealing passwords,” Ormandy wrote. He developed a working exploit for a Windows box running the LastPass Chrome extension, but said it “could be made to work on other platforms.” He sent the details to LastPass before adding: “Full exploit is two lines of javascript.” Ormandy originally said the LastPass bug affected version 4.1.42 of the Chrome and Firefox browser extensions.

LastPass said it patched the vulnerability in its Chrome extension and said it is working on a fix for the flaw in its Firefox add-on. Tavis Ormandy, a security researcher on Google’s Project Zero team, warned of flaws in LastPass browser extensions, vulnerabilities which – if a person surfed to a malicious site – would allow the malicious site to steal passwords from the password manager.
