
Test bug #842

@mrrajputhacker

Description

@mrrajputhacker

Date

2021-06-05

Title

Universal XSS Vulnerability in Microsoft Edge Internal Translator. - $20,000 Bounty.

Author

@mrrajputhacker & @Th3Pr0xyB0y

URL

https://x.com/MrRajputHacker/status/1481439205653843968

CVE

CVE-2021-34506, CVE-2021-38641, CVE-2021-38642

Description

Hello Buddy,

I hope everyone is doing well in this pandemic and making full use of it for learning new stuff in their daily lives. This is a story about hacking into any company, even the big ones like Facebook, Google, Microsoft, etc. To know how this all began, we need to start from scratch.

On June 3rd, I (@Th3Pr0xyB0y, Vansh Devgan) and my friend (@MrRajputHacker, Shivam Kumar Singh) were hunting together on a mail.ru subdomain (program from HackerOne). Unfortunately, that program is in Russian. As we know, Chrome does automatic translation of pages from different languages, but we all use Firefox with Burp Suite to play with web applications. When we were trying to find vulnerabilities on redacted.com (a subdomain of mail.ru), we faced many issues while translating in Firefox.

We tried to look for some extensions on Firefox for translating the page into our plain readable English. While Googling, we found that many extensions had been removed due to vulnerable code. We then thought about how a vulnerable extension could impact browser users. After a while, we realized that these extensions have universal access to any site on the browser. For example, if you are on Facebook.com, they can access the complete DOM of that page, cookies, and anything possible with JavaScript. So, we decided to drop the idea of finding flaws in the mail.ru subdomain.

Here comes the interesting part: as MrRajputHacker had found several vulnerabilities in Microsoft, he started talking about finding flaws in Microsoft. I suggested we exploit a browser or pre-built extensions. Since MrRajputHacker was interested in finding flaws in Microsoft, we (Th3Pr0xyB0y and MrRajputHacker) decided to target Microsoft Edge, as it has a bounty program.

Before moving on to the Microsoft Edge Browser, we thought to try translating the website in Microsoft Edge and test it one last time (as Edge had a new update with a new translator by Microsoft). We went to the same site, and as our mail.ru was filled with XSS payloads, we found that as soon as we translated the page, we got many popups on Microsoft Edge. It looked strange. We again went to Chrome and did the same, but this time, no popup!

So, we both started digging into the platform and found that the Microsoft Edge internal translator (which comes pre-installed) had vulnerable code. It took any HTML tags such as an "><img tag without sanitizing the input or converting the payload into text while translating. So, the internal translator was taking the "><img src=x onerror=alert(1)> payload and executing it as JavaScript, as there were no proper validation checks to sanitize or convert the complete DOM into text and then process it for translation.

Below is the code snippet which was affected. It seems the startPageTranslation function was affected:

function translateInternal(originalLang, targetLang, shouldTranslateFullPageInOneGo) {
    resetDataBeforeTranslateCall();
    try {
        originalLang = GetEdgeLanguageCode(originalLang);
        targetLang = GetEdgeLanguageCode(targetLang);
        /**
         * This will call the startPageTranslation function of edge script
         */
        Microsoft.JS.startPageTranslation(originalLang, targetLang, shouldTranslateFullPageInOneGo, ""/*domTranslatorSessionId*/
        , ""/*token*/
        , onSuccessCallback, onTranslateApiCalled, onErrorCallback);
        console.error("edge Translation started");
    } catch (err) {
        console.error("Translate: " + err);
        errorCode = ERROR["UNEXPECTED_SCRIPT_ERROR"];
        return false;
    }
    return true;
}

To prove that the vulnerability exists, MrRajputHacker and I (Th3Pr0xyB0y) created a POC.html file which contains text in different languages together with the famous XSS payload "><img src=x onerror=alert(1)>.

You can find the code snippet below for POC.html file:

<b><u>SOME TEXT IN DIFFERENT LANGUAGE </u></b>
<br>

Políticas de Privacidade
Usaremos seus dados pessoais para resolver disputas, solucionar problemas e aplicar nossos Termos e Condições de Uso.

<br>

Para prevenir abusos no app/site, o Badoo usa decisões automáticas e moderadores para bloquear contas, como parte de seu procedimento de moderação. Para isso, nós conferimos contas e mensagens para encontrar conteúdo que indicam quebra dos nossos Termos e Condições de Uso. Isso é feito através de uma

<b><u>OUR PAYLOAD IN TEXT FORM </u></b>
<br>
<br>

"><img src=x onerror=alert(1)>

<br>
<br>
<br>
Políticas de Privacidade
Usaremos seus dados pessoais para resolver disputas, solucionar problemas e aplicar nossos Termos e Condições de Uso.

POC.HTML FILE CONTENT

Now comes the special part of this blog: Exploitation, or Steps to Reproduce, & Description of Vulnerability.

Vulnerability Name

uXSS (Universal Cross Site Scripting)

Description Of Vulnerability

Unlike common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions to generate an XSS condition and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected, and its security features may be bypassed or disabled.

Steps To Reproduce

  1. Download the POC.html file from the above code snippet, or copy-paste the code into a file, name it POC.html and save it.

  2. Start a Python server in the same folder where your POC file is located on localhost using the command given below:

     python3 -m http.server 80

  3. Open Microsoft Edge (Version 91.0.864.48 (Official build) (arm64)) & visit http://localhost/POC.html.

     Most probably, when you read this article, it has already been updated to a secure version, so that is the reason why you can't reproduce it.

  4. The translator will show you a message that this page is in another language. Would you like to translate? Click on the translate button.

  5. Boom! You got alert(1).

Please Note: The reason we spin up the Python server even for HTML files is simple. Sometimes the translator doesn’t show up for translating text on just opening of HTML page, maybe because the document.location is about:html when we just open HTML file.

Two Conditions For Remote Exploit

  1. Person should be using Microsoft Edge.
  2. Person should have AutoTranslate on.

POC Video: Watch here

uXSS Microsoft Edge Translator Vulnerability POC CVE-2021-34506

Impact

We can summarize the impact in four statements given below:

  1. Any page reflecting "><img src=x onerror=alert(1)> (or any XSS payload) is vulnerable. We just need reflection.
  2. Any person from another country (who doesn’t know English) reading about XSS on an English site is vulnerable → as he will translate (XSS will pop up).
  3. All users using Edge are vulnerable to XSS which can trigger on any website.
  4. Any person who will receive an email or message containing content in a different language + XSS payload (is vulnerable).

There are so many possibilities that can happen with this attack vector.

This vulnerability is known as Universal XSS.

Now, How We Could Have Hacked Google & Facebook

Facebook → We created a profile with a name in a different language and XSS payload and sent a friend request to a victim (he is using Edge). As soon as he checks our profile, he got hacked (XSS popup because of auto translation).

Watch here

Google → We wrote a review on Google for a company HackENews with a different language + XSS payload. Any person browsing that review link got hacked (XSS popup because of auto translation).

Watch here

YouTube → We created a YouTube video and entered a comment with XSS payload + different language. Anyone viewing that video in Edge got hacked (XSS popup because of auto translation).

YouTube and Google have the same POC video.

Windows Store Application → We found that web-based applications (example: Instagram) on Windows Store are also vulnerable to this attack as Windows Store ships applications with the same Microsoft Edge Translator responsible for triggering the uXSS (Universal XSS) attack.

Watch here

Timeline

  • 3rd June 2021: Report sent to Microsoft.
  • 7th June 2021: Reply from Microsoft reviewing.
  • 8th June 2021: Additional impact information sent.
  • 15th June 2021: Report triaged.
  • 17th June 2021: Awarded $20,000 bounty.
  • 19th June 2021: Pre-release patch.
  • 24th June 2021: Patch update pushed & CVE assigned as CVE-2021-34506
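The bug class described in this post is a translator that reads the text of a page, translates it, and writes the translated string back as markup instead of as text, so a payload that a site had correctly reflected as escaped text becomes a live element. The following is an added example, not code from the original post or from Microsoft Edge: it models that flow on a constructed page fragment with a stand-in tokenizer and a stand-in dictionary translator (both assumptions, not Edge's code), shows the unsafe write-back beside the escaped write-back, and includes a small check that tells whether the resulting markup contains a live element of a given name.

```javascript
// Added example (not from the original post, not Edge's code): a minimal
// model of "translate text nodes, then write the result back as markup".
// The tokenizer, entity helpers and dictionary translator below are
// constructed stand-ins for the demonstration.

const PAYLOAD = '"><img src=x onerror=alert(1)>'; // the payload quoted in the post

// Minimal entity escaping / decoding, enough for this fragment.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}
function unescapeHtml(s) {
  // &amp; is decoded last so "&amp;lt;" becomes "&lt;" rather than "<".
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Constructed stand-in for a translation service: a tiny phrase dictionary.
const DICT = { 'Políticas de Privacidade': 'Privacy Policies' };
function fakeTranslate(text) {
  let out = text;
  for (const [src, dst] of Object.entries(DICT)) out = out.split(src).join(dst);
  return out;
}

// Split serialized markup into tag tokens and text tokens.
function tokenize(html) {
  const tokens = [];
  const re = /<[^>]*>/g;
  let last = 0;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m.index > last) tokens.push({ type: 'text', value: html.slice(last, m.index) });
    tokens.push({ type: 'tag', value: m[0] });
    last = re.lastIndex;
  }
  if (last < html.length) tokens.push({ type: 'text', value: html.slice(last) });
  return tokens;
}

// Vulnerable pattern: the decoded text-node content is translated and the
// result is written back as markup, so a decoded "<img ...>" becomes a tag.
function translateUnsafe(html) {
  return tokenize(html).map(t =>
    t.type === 'tag' ? t.value : fakeTranslate(unescapeHtml(t.value))).join('');
}

// Hardened pattern: the translated string is re-escaped before write-back,
// which is what assigning it to textContent (rather than innerHTML) achieves.
function translateSafe(html) {
  return tokenize(html).map(t =>
    t.type === 'tag' ? t.value : escapeHtml(fakeTranslate(unescapeHtml(t.value)))).join('');
}

// Check: does this markup contain a live element with the given tag name?
function hasLiveTag(html, name) {
  const re = new RegExp('^<' + name + '\\b', 'i');
  return tokenize(html).some(t => t.type === 'tag' && re.test(t.value));
}

// Constructed page: the site reflected the payload correctly, as escaped text.
const PAGE = '<p>Políticas de Privacidade</p><p>' + escapeHtml(PAYLOAD) + '</p>';

console.log('before translation, live <img>?', hasLiveTag(PAGE, 'img'));                // false
console.log('unsafe write-back, live <img>?', hasLiveTag(translateUnsafe(PAGE), 'img')); // true
console.log('escaped write-back, live <img>?', hasLiveTag(translateSafe(PAGE), 'img'));  // false
```

Run it with node; the page fragment is harmless on its own, and only the unsafe write-back turns the escaped text into an <img> element with an event handler. For a real translator the fix is the same in spirit: translated strings go back into text nodes, never through an HTML parser.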
