web application security lab

Turn Any Page Into A Greasemonkey Popup

I was searching for an old Greasemonkey plugin and ran across some weird behavior. Greasemonkey apparently looks at the URL of the page you are going to, and if it ends in .user.js it instantly believes it is a Greasemonkey plugin. There is no way to get around it (it even works if Greasemonkey is disabled, it turns out). I’m not exactly sure how an attacker would use this against a user other than perhaps a DoS attack of a lot of these. But here is an example of what I’m talking about (only works if you have it installed).

You could do this with any domain simply by adding an extra parameter to the end of the page. This could be used in some form of detection, or could lead to some other form of exploitation as it does download the file to something like file:///C:/DOCUME~1/USERNA~1/LOCALS~1/Temp/test.user.js (although you would have to enumerate the 5 chars of the username to do anything useful with it). It also can be any mime type, such as images, for instance. It doesn’t help to switch rendering engines to IE though, because the .js extension won’t allow IE to render it, even if it isn’t JavaScript. Anyway, it was more odd than anything and maybe someone else can find some way to exploit it - I for some reason thought Greasemonkey at least looked at the first several lines of the file before deciding something was or wasn’t a Greasemonkey script. Guess not!
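The check the post expected (URL suffix plus a look at the first lines of the file), set beside a suffix-only test, as an added example that is not Greasemonkey's code or the author's. The function names, the 20-line scan limit, the rejected content types and the sample URLs are assumptions constructed for illustration.

```javascript
'use strict';

// Suffix-only test: the behaviour the post describes (assumed shape, not
// Greasemonkey's source). Any URL string ending in ".user.js" matches.
function suffixOnlyCheck(url) {
  return /\.user\.js$/i.test(url);
}

// Stricter check (hypothetical): the suffix must be on the URL path, the
// content type must not be an image or HTML page, and the first lines must
// hold a "// ==UserScript==" metadata block that declares an @name.
const HEADER_SCAN_LINES = 20; // constructed limit for this example

function looksLikeUserScript(url, contentType, body) {
  let path;
  try {
    path = new URL(url).pathname; // drops the query string and fragment
  } catch (e) {
    return false; // unparsable URL: never offer an install
  }
  if (!/\.user\.js$/i.test(path)) return false;

  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  if (/^(image\/|text\/html$)/.test(type)) return false;

  const head = String(body).split(/\r?\n/).slice(0, HEADER_SCAN_LINES);
  const open = head.findIndex(l => /^\s*\/\/\s*==UserScript==\s*$/.test(l));
  const close = head.findIndex(
    (l, i) => i > open && /^\s*\/\/\s*==\/UserScript==\s*$/.test(l));
  if (open === -1 || close === -1) return false;
  return head.slice(open + 1, close).some(l => /^\s*\/\/\s*@name\s+\S/.test(l));
}

// Constructed sample inputs: an HTML page and an image with the suffix in
// the query string, and a file that carries a real metadata block.
const SAMPLES = [
  { url: 'http://example.com/page.html?x=.user.js', type: 'text/html', body: '<html><body>hi</body></html>' },
  { url: 'http://example.com/logo.png?.user.js', type: 'image/png', body: '\x89PNG...' },
  { url: 'http://example.com/scripts/test.user.js', type: 'application/javascript', body: '// ==UserScript==\n// @name Test\n// @include *\n// ==/UserScript==\nconsole.log("hello");' },
];
for (const s of SAMPLES) {
  console.log(s.url, suffixOnlyCheck(s.url), looksLikeUserScript(s.url, s.type, s.body));
}
```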

One Response to “Turn Any Page Into A Greasemonkey Popup”

  1. Sid Says:

    There was recently a new version of GM. One of the fixes was:
    * Bug fix: Install UI should not pop up when Greasemonkey is disabled.

    Having said that, people don’t often disable JS. Perhaps it should always disable itself on domains it’s not running on and use an alternate method for installing the files.