LastPass Cross-Site Scripting Payload

Recently I decided to clone all client-side code from the LastPass application and turn it into a Cross-Site Scripting (XSS) payload. This can be injected into a parameter vulnerable to XSS and used in conjunction with Social Engineering to steal users LastPass credentials in the event they have not implemented additional protections such as multifactor authentication. In practice, this tactic proved to be surprisingly effective…

The payload can be downloaded here:
http://github.com/gfoss/LastPass-xss-payload

Using this payload is simple, all you need to do is host the source code on a server that you own, then modify and inject the included ‘xss.html’ contents into a vulnerable parameter. When someone hits the injected page, a LastPass overlay will be displayed, letting them know that their session has expired and they need to re-authenticate.

Figure 1: XSS Payload Overlay

Figure 1: XSS Payload Overlay

Clicking on the ‘Login’ link will take them to the false LastPass login form on your server.

Figure 2: Cloned LastPass Login Panel

Figure 2: Cloned LastPass Login Panel

All aspects of the payload log the hits and activity to a file called ‘xss.log’. Everything from seeing the XSS overlay to logging in will be captured in this file, giving penetration testers a good idea of how many users initially hit the XSS overlay, the login panel, and finally those who submit their credentials.

Figure 3: XSS Log File

Figure 3: XSS Log File

The key differences that will tip off users that this isn’t the real thing:

  • LastPass Session Expired – Message will not be shown by the real tool. However, this can be tweaked very easily within the scripts.
  • Close button doesn’t work on the overlay – can be modified, this is simply a rough PoC.
  • Login page goes to a remote server as opposed to the browser extension.
  • Login doesn’t actually log the user in – It may be possible to pass this through, but the way LastPass is configured would make this difficult.
  • LastPass will show the form fill overlays on the clone page, this will never happen on the real thing.
 Persistent XSS Attack Example (click to enlarge / restart animation)

Figure 4: Animated – Persistent XSS Attack Example (click to enlarge / restart animation)

While these discrepancies seem obvious, most people did not catch on during my testing. This got me thinking… What could LastPass do to further improve their security to protect against this attack vector? I reached out to LastPass with a few suggestions and they responded with a fix that was deployed in version 3.1.4 of their software.

With the fix in place, if users attempt to enter their LastPass master password into *any* HTML form, they will be warned if it’s not a sanctioned LastPass login form. This new feature gives users the added benefit of discouraging master password reuse outside of LastPass itself.

Figure 5: XSS Attempt following LastPass' Remediation Efforts

Figure 5: XSS Attempt following LastPass’ Remediation Efforts

Following the implementation of this new feature, I tested the phishing detection security control and discovered a flaw that I was able to leverage in order to hide the popup with a few lines of HTML, JavaScript and JQuery. I appended the following script tags to the ‘login.php’ landing page within the HTML header:

<script src="attrib/overlay-block.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>

The contents of the ‘overlay-block.js’ script are as follows:

setTimeout(lp, 5);
function lp() {
$(".lpiframeoverlay").hide();
setTimeout(lp, 10);
};

This script forces the legitimate LastPass overlay to remain hidden regardless of the password entered and essentially bypasses the patch. There are many ways to remediate this vulnerability. One option would be to generate either a random or unique class tag for this overlay, this way it would be more difficult to ascertain which elements the attacker would need to block. However, it would still be possible to hide this frame based on the unique style attributes of the div by slightly tweaking the JavaScript.

Following the second review, I worked with LastPass to improve the phishing method they added. Shortly thereafter, they pushed out a new production release which included additional security measures to assist users with handling the Heartbleed vulnerability along with the improved phishing detection. Now, when entering the LastPass master password in any non-sanctioned LastPass login form, a popup from the browser plugin (along with the one embedded in the web page) will appear to alert the user that this is an illegitimate LastPass form.

Figure 6: LastPass Popup Message

Figure 6: LastPass Popup Message

I was later informed that LastPass had in-fact reached out to Google back in 2009, requesting that they add true notification bars to the Google Chrome browser as an added protection mechanism against attacks such as this.

Social Engineering attacks are a very popular and effective attack vector, simply because they are so successful and difficult to detect. This vulnerability disclosure displays the effort that LastPass places in tackling very difficult threats in a creative and effective ways in an effort to assure the security of their customers sensitive information. The folks at LastPass were excellent to work with and the response I received throughout was very positive and constructive.

The LastPass XSS payload is a simple example of an interesting way to exploit a Cross-Site Scripting vulnerability. Attacks such as this are easily detected by a Security Information and Event Management (SIEM) system, as server logs and network flow data will show evidence of an attempted injection attack within the POST/GET HTTP request, alerting security analysts to a possible attack against a Web application within the Demilitarized Zone (DMZ). Ideally, applications properly configured behind a Web Application Firewall (WAF) will block the attacks and alert the Firewall Administrators prior to a successful injection/reflection. With LogRhythm, the Web Application Defense Module (WADM) can be used to alert on such activity and allow the security team to respond in a timely and effective manner.

If you’d like to stay up-to-date on LastPass’ software release notes, please visit the following link:
https://lastpass.com/upgrade.php?fromwebsite=1&releasenotes=1

LastPass Logo

Tags: , , , , , , , ,

none | Security

 

Comments are closed.