[Greasemonkey] Alternative script injection technique proof of concept

John Plsek gm at plsek.id.au
Thu Jul 21 17:52:04 EDT 2005


Okay ... of the two issues, the minor problem is script-leakage, the 
major problem being the "exposure" of the GM_ functions.

With the latest 0.4 (not 0.4.1) that I have (I think it was attempt 3, 
release 3!) I've been looking into the exploit. So far, the only way 
I've seen the GM_ functions get grabbed is through 
window.watch("GM_apis", xxx);

Making the following changes in dochandler.js stops that method:

        var toInject = ["(function(",
                "GM_xmlhttpRequest, GM_registerMenuCommand, GM_setValue, ",
                "GM_getValue, GM_log, GM_openInTab) { delete 
window.GM_apis; ",
                getContents(getScriptChrome(script.filename)),
                "\n}).apply(this, window.GM_apis);"
                ].join("");
+        var saveUnwatch=this.contentWindow.unwatch; // ???
+        var saveWatch=this.contentWindow.watch; // ???
+        delete this.contentWindow.unwatch;
+        delete this.contentWindow.watch;
+        this.contentWindow.unwatch("GM_apis");
    this.contentWindow.GM_apis = [xmlhttpRequest,
                                  registerMenuCommand,
                                                          setValue,
                                  getValue,
                                  log,
                                  GM_openInTab];

    scriptElm.appendChild(this.contentWindow.document.
                          createTextNode(toInject));

      this.contentWindow.document.body.appendChild(scriptElm);
      this.contentWindow.document.body.removeChild(scriptElm);
+      if(saveUnwatch) this.contentWindow.unwatch=saveUnwatch; // ???
+      if(saveWatch)   this.contentWindow.watch=saveWatch; // ???
    }
    GM_log("* injected '" + script.name + "':"+script.flag);   
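Review bot: the two restore lines at the end of the hunk (`if(saveUnwatch) this.contentWindow.unwatch=saveUnwatch;` and `if(saveWatch) this.contentWindow.watch=saveWatch;`) put back whatever the page had assigned to window.watch/unwatch, which is the very function the two `delete` lines above were added to get out of the way; re-installing it after injection is at odds with that rationale and with your own `// ???` doubt, so dropping the two save lines and the two restore lines, keeping only the deletes and the `unwatch("GM_apis")` call, gives the same protection with less state to reason about. The indentation of the added lines (8 spaces) also differs from the surrounding block (4 spaces). Separately, the `delete \nwindow.GM_apis` string literal in the unchanged toInject lines is split across a line break here, almost certainly mail wrapping, but as pasted it would not parse, so whoever applies this should check that line against the file.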


The saveWatch/saveUnwatch lines are purely so that "legitimate 
replacements" of window.watch/unwatch aren't clobbered ... although I 
don't see why a legitimate script would do that, plus it means 
Greasemonkey scripts can't "redefine" them either. I'm of the opinion 
the lines I marked // ??? are unnecessary.

Let me know what you think ... does this resolve the "major" security 
issue? Or is there some other way the GM_ functions can be retrieved by 
a malicious script?

John

