[HN Gopher] uBlock Origin (and uMatrix) DoS with strict-blocking...
___________________________________________________________________
uBlock Origin (and uMatrix) DoS with strict-blocking filter and
crafted URL
Author : vtriolet
Score : 51 points
Date : 2021-07-14 14:57 UTC (3 days ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| vtriolet wrote:
| I accidentally discovered this denial-of-service vulnerability
| while I was exploring uBlock Origin's codebase to see how some of
| its advanced features work.
|
| It's a basic, excessive-recursion flaw that is noteworthy because
| uBO is installed on millions of devices and because it affects
| uMatrix, which is still used by many security-conscious users
| despite being unmaintained.
|
| I was surprised that the issue had gone unnoticed for so long and
| was hoping my write-up would encourage other developers to take a
| closer look at the uBO codebase. I also wanted to make uMatrix
| users aware of the bug, which does not seem like it will be
| patched.
|
| The uBO and uMatrix ecosystem is quite large: some shared code
| between the two extensions years ago turned into present-day
| vulnerabilities in uBO, uBO (Legacy), uMatrix, eMatrix, nuTensor,
| AdNauseam, and many other lesser-known forks.
|
| I had initially included some mitigation steps for uMatrix in my
| post, but I later realized they were incomplete and removed them.
| I will probably not make similar recommendations in the future,
| especially now that the steps have been quoted elsewhere and I
| cannot easily correct them (whoops).
|
| I have decided to migrate away from uMatrix after my latest
| findings, but other users will have to make their own judgment
| calls.
| pmoriarty wrote:
| What are you using in place of uMatrix?
| minimalist wrote:
| It's worth reaching out to the maintainer of nuTensor, which
| seems to be the most active continuation of uMatrix.
|
| https://github.com/geekprojects/nuTensor
| btdmaster wrote:
| It may not be a perfect solution, but uBO's advanced mode[1]
| might help.
|
| [1] https://github.com/gorhill/uBlock/wiki/Blocking-mode
| vtriolet wrote:
| uBO's advanced mode has been my replacement so far.
|
| I have struggled to use it in the past because I was trying
| to directly map uMatrix rules to uBO dynamic rules, which
| isn't really possible due to syntax differences. I've
| realized now that I'll have to embrace both uBO's dynamic
| rules and uBO's static filters to truly replace uMatrix.
|
| For example, I like to block all XHR requests by default.
| In uMatrix, the rule `* * xhr block` handled this for me.
| While uBO's dynamic-rule syntax does have an
| "xmlhttprequest" keyword, it cannot be used in a blanket
| rule like `* * xmlhttprequest block`. I had to use the
| static filter `*$xhr` to accomplish the same blocking
| instead.
|
| This was a bit awkward at first because I had to
| compartmentalize rules for different request types based on
| the limitations of the dynamic-rule syntax. I've been using
| the uBO wiki on GitHub and r/uBlockOrigin as references to
| help me understand the differences.
|
| I've also been using uBO's logger to help me generate rules
| and filters. Clicking on a blocked request will pop up a
| dialog that can be used for pretty fine-grained blocking.
| Seeing rules change on the fly is also nice for learning
| the intricacies of uBO's filtering capabilities.
| anthk wrote:
| A hosts file is almost as good.
| NavinF wrote:
| Sometimes I wonder if I'm browsing the same internet as
| everyone else. The hosts file was dead a decade ago. Ads are
| served from the same domain as content.
|
| I'm guessing you don't use any websites that are owned by ad
| companies? That's a pretty big chunk of the internet
| vbezhenar wrote:
| The most obnoxious ads for me are YouTube ads nowadays. I could
| live with everything else, but YouTube makes me crazy. And
| hosts can't block YouTube ads unfortunately.
|
| PS Youtube Premium is not available in my country.
| wintermutestwin wrote:
| PS you are already paying them with your data. Baubles for
| gold as it were...
| 1vuio0pswjnm7 wrote:
| It's possible to not retrieve ads, at least for some videos. I
| never see ads on the ones I watch. I do not use an ad
| blocker, I just exercise control over HTTP and DNS. Could you
| provide an example of a video where you believe it's
| impossible not to retrieve ads?
| vbezhenar wrote:
| Well, literally any video. I used developer tools/network
| to monitor requests and all video fragments for video ads
| are coming from the same domain as main video. Actual
| blocking is implemented by modifying some REST responses
| from youtube backend.
| rasz wrote:
| This doesn't look like DOS, more like a bypass. This is a uBO DOS:
| https://github.com/adventuregamestudio/ags/issues/1329
| uo21tp5hoyg wrote:
| > Notice the browser eating CPU and memory. In Chrome, uBO
| eventually crashes and must be reloaded to work again.
|
| Unless I'm missing something it sounds like a denial of service
| attack?
___________________________________________________________________
(page generated 2021-07-17 23:01 UTC)