Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
Vimal Jyothi Engineering College
CS101
FORCHSUNG 2014
AGENDA
Introduction
Firefox Add-on Structure
Firefox Add-on Security Model
Exploiting the Weakness
Proof of Concept
Techniques used by attackers for Spreading the Add-on
Mitigation
Conclusion
INTRODUCTION
Firefox is an awesome Web Browser.
Second most used browser according to w3schools.
Add-ons make it more awesome.
Firefox supports a variety of languages for add-on development.
JavaScript with XPConnect, XUL, js-ctypes etc.
[Chart: Browser Usage Statistics, comparing Google Chrome, Mozilla Firefox, Internet Explorer, Apple Safari and Opera]
Add-on Structure
Bare Minimum Requirements for a Firefox Add-on.
chrome.manifest: Registers the location of the contents with the Chrome engine.
overlay.xul: XML User Interface file that defines the GUI.
install.rdf: Gives general information about the add-on.
overlay.js: Contains the scripts that run in the browser engine.
Firefox Add-on Security Model
Absolutely no mechanisms to restrict the privileges of an add-on.
Add-on code is fully trusted, with not many security checks.
No restrictions on inter-add-on communication.
There is no sandboxing or isolation of the running code.
No restrictions on malicious Cross Origin Resource Sharing.
The Mozilla Platform
Exploitable Features
Abuse “document.addEventListener();” = Keylogger
Abuse File I/O of XPConnect = Read from a confidential file, Run an executable
Hook scripts into Firefox Engine = Access to everything in the Webpages.
No restrictions of Add-on Privileges = Make changes to files, Grab session data.
Abuse XHR object = Exchange of commands/data between a victim and hacker.
By abusing CORS and WebSocket = DDoS
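A defender's static triage for the capabilities listed above, as an added example that is not from the original slides: it opens an add-on XPI (a ZIP archive) and flags script files that reference these features, plus any embedded executable. The indicator patterns and the sample add-on are constructed for illustration; nsIProcess, nsIFile and ctypes.open are Mozilla platform names that do not appear on the slides.

```python
import io
import re
import zipfile

# Indicator patterns, one per capability in the list above (chosen for this example).
INDICATORS = {
    "keystroke-listener": re.compile(rb"addEventListener\s*\(\s*['\"]key(press|down|up)['\"]"),
    "xpcom-file-io": re.compile(rb"nsI(Local)?File\b|nsIFile(Input|Output)Stream"),
    "process-launch": re.compile(rb"nsIProcess\b"),
    "network-xhr": re.compile(rb"XMLHttpRequest"),
    "websocket": re.compile(rb"\bWebSocket\s*\("),
    "native-ctypes": re.compile(rb"ctypes\.open"),
}
EXEC_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}

def triage_xpi(data: bytes) -> dict:
    """Return {member name: sorted findings} for an XPI supplied as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            body = xpi.read(info)
            hits = {"embedded " + label for magic, label in EXEC_MAGIC.items() if body.startswith(magic)}
            if info.filename.lower().endswith((".js", ".jsm", ".xul")):
                hits.update(name for name, rx in INDICATORS.items() if rx.search(body))
            if hits:
                findings[info.filename] = sorted(hits)
    return findings

def build_sample_xpi() -> bytes:
    """Constructed sample add-on: inert strings that only trigger the patterns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome.manifest", "content sample chrome/content/\n")
        z.writestr("install.rdf", "<RDF><!-- constructed --></RDF>")
        z.writestr("chrome/content/overlay.js",
                   'document.addEventListener("keypress", onKey, false);\n'
                   'var req = new XMLHttpRequest();\n')
        z.writestr("chrome/content/helper.bin", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    for name, hits in triage_xpi(build_sample_xpi()).items():
        print(name, "->", ", ".join(hits))
```

Add-ons that pack their chrome content in a nested .jar archive need that archive unpacked and scanned the same way.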
Remote Keylogger
Platform independent Keylogger add-on.
It is implemented by abusing JavaScript.
It hooks into the browser interface, captures the keystrokes from all the tabs and sends them to a PHP script for processing.
Bypasses anti-keyloggers like KeyScrambler and On Screen Keyboards.
Undetectable against Anti-Virus Solutions.
Bypassing KeyScrambler
Executable Dropper & TCP Reverse Shell
We can embed and execute an EXE file from an add-on.
This add-on is embedded with an executable reverse shell.
Here we abuse the Process and Thread management features of XPConnect to execute a reverse shell.
Later an attacker will listen to this reverse TCP connection and execute system commands.
Most AVs won't detect it, since the executable is packed inside the add-on file.
Code Sample
Session Stealer
Firefox has a built-in Session Store feature that saves your session data in a file named "sessionstore.js".
Stealing that file will steal the entire session.
An attacker can upload the "sessionstore.js" file to an FTP account.
AVs won't detect it.
Linux Password Stealer
Abuse XPConnect and read the Linux Password files (passwd and shadow).
With the XHR object, the content is sent to the remote attacker.
AVs won't detect it.
Distributed Denial of Service
Abuse the CORS and WebSocket = DDoS
Firefox does not impose any restrictions on cross-domain requests.
WebSocket --> numerous socket connections.
XHR object --> numerous GET requests with a fake parameter and random values.
'Access-Control-Allow-Origin' header bypassed.
Zero Detection.
Code Sample
Techniques Used By Attackers for Spreading
Crafted webpage with add-on installation as the minimum requirement
Social Engineering
Cross Site Scripting
Tabnabbing
Mitigation
Never trust third-party add-ons.
Update Firefox to the latest stable build.
Keep good, regularly updated anti-virus and firewall solutions.
Keylogger Beater Add-on
Reverse and analyze the code.
Disable session data storing in Firefox.
about:config => browser.sessionstore.resume_from_crash => false
Don't run Firefox with root privileges.
Use a safe and configured proxy to block reverse TCP and FTP connections.
The DDoS attempts can be effectively blocked by analyzing, restricting, and filtering the CORS Origin header.
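One way to apply the Origin-header analysis from the last mitigation item on the server side, as an added example that is not from the original slides: it scans an access log for bursts of GET requests to one path, each with a different query string, arriving with an Origin outside the site's allowlist. The log format, allowlist, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://shop.example.test"}  # assumption: the site's own origin

# Constructed access log: "epoch client method url origin" ("-" = no Origin header).
SAMPLE_LOG = """\
1000 198.51.100.7 GET /search?q=shoes https://shop.example.test
1001 203.0.113.9 GET /index.php?x=8f3a1 https://other.example.test
1001 203.0.113.9 GET /index.php?x=c07d2 https://other.example.test
1002 203.0.113.9 GET /index.php?x=11be9 https://other.example.test
1002 203.0.113.9 GET /index.php?x=e4a60 https://other.example.test
1003 198.51.100.7 GET /search?q=boots https://shop.example.test
1040 192.0.2.44 GET /index.php?page=2 -
1090 192.0.2.44 GET /index.php?page=3 -
"""

def flag_floods(log, threshold=4, window=5):
    """Return sorted (client, path, origin) keys that sent at least `threshold`
    GETs within `window` seconds, each with a different query string, while
    presenting an Origin that is not on the allowlist."""
    seen = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, origin = line.split()
        if method != "GET" or origin in ALLOWED_ORIGINS:
            continue  # traffic from the site's own origin is out of scope here
        parts = urlsplit(url)
        seen[(client, parts.path, origin)].append((int(ts), parts.query))
    flagged = []
    for key, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Requests from this key that fall inside the window opened at `start`.
            burst = [query for ts, query in hits[i:] if ts - start < window]
            if len(burst) >= threshold and len(set(burst)) == len(burst):
                flagged.append(key)
                break
    return sorted(flagged)

if __name__ == "__main__":
    for client, path, origin in flag_floods(SAMPLE_LOG):
        print("restrict", client, path, "origin:", origin)
```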
Conclusion
Firefox is a great platform with wonderful capabilities to start coding; the same applies to abusing it too.
So I have demonstrated the weakness of the Firefox security architecture with the POC add-ons.
AVs are helpless and filters are bypassed.
Now it is up to the AVs and the Firefox team to make your browsing environment more secure.
Thank You
Ajin Abraham
http://opensecurity.in
There’s no such thing as a “safe system” – only safer systems.