Firefox (in)Security

Prasanna K

Dead Pixel

What & Who This presentation demonstrates strength of the Mozilla platform and how some of the features could be misused by malicious users. This presentation is intended to dispel a common myth

Just using FIREFOX keeps you SECURE

Independent Security Researcher

DeadPixel Security Research Group

Enjoy Python and rarely C

That should be enough!

Agenda Basic premise Understanding the Mozilla Platform Attacking Firefox Malicious Extensions XCS Some basic points to watch….

That’s All Folks …

Introduction•Browser of the choice for millions•Multi Platform •Modular and Scalable ! •Pluggable Extension Code ! •Browser of my Choice

Mozilla Platform

Mozilla Platform

Chrome: It could be used to indicate a “Special Trusted Zone” within the Mozilla Platform

URL Scheme “chrome://”

Extensions are Chrome Packages

XUL, XBL, CSS, JavaScript, DTD, images

Mozilla Platform XUL (pronounced "zool") : Mozilla's XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet.

<?xml version="1.0"?><?xml-stylesheet href="chrome://global/skin/" type="text/css"?><window id="vbox example" title="Example 3...."xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <vbox> <button id="yes" label="Yes"/> <button id="no" label="No"/> <button id="maybe" label="Maybe"/> </vbox></window>

XML User Interface Language

Extension User Interface ..

Mozilla Platform XBL:XML-based markup language used to declare the behavior and look of XUL-widgets and XML elements.

scrollbar { -moz-binding: url('somefile.xml#binding1'); }

-- “binding1” is the id of the binding

XBL v 2.0

Root Element : <bindings>

Assigned via : "-moz-binding”

Mozilla Platform XPCOM:Cross platform component model from Mozilla.

Nerve center of the Mozilla platform.

XPCOM has some Similarity to CORBA and Microsoft COM.

XPCONNECT : JavaScript based glue to connect users and Database

Provides Components and classes for “Memory, File…. Etc”

XPCONNECT is the JS frontend to underlying XPCOM

Important Components of Mozilla PlatformGecko

Necko

Web Services

Open & Common Standards Like LDAP DTD SQL ….. etc

Mozilla Platform

Extension Installation – Mozilla Site•Reviewed before being added to the Mozilla site. •Review process is manual lapses have been found •Over 2 billion add-ons as of today and growing •Add-ons can be distributed through Mozilla without review as well

https://addons.mozilla.org/en-US/firefox/addon/2230/

Extension Installation – How else?•There is no restriction on any site hosting Mozilla extensions (XPI files)•When installing from any site Mozilla pops a warning but the same message appears on the official site (confusing!). •Extensions can be installed without warning by other software, USB autorun, login scripts etc.

Extension Installation – Alternate Method•Place a file in the extensions folder in the Mozilla profile directory.•The filename should be the id of the extension to be loaded •The content of the file should be the location of the extension code

Beware: When this file exists in the folder the extensions is installed automatically it does not require any human interaction.

Extension Security!

Mozilla extension security model is completely flat

Extension code is treated as fully privileged by Firefox

Vulnerabilities in extension code can result in full system compromise

No security boundaries between extensions An extension can silently modify/alter other extensions

The Potential Statistics – Firefox Browser Market Share

Beyond 20% globally since November 2008, more than 50% in certain regions/countries

Source: Marketshare - marketshare.hitslink.com

Over 2 billion add-ons and growing

Extensions are EverywhereSearch engines

Social Networks

Services Software/OS/Web Applicati

on Package

Extensions

Portals

Security

Google ToolbarGoogle Browser SyncYahoo ToolbarAsk.com Toolbar

Del.icio.us ExtensionFacebook ToolbarAOL ToolbarLinkedIn Browser Toolbar

Netcraft Anti-Phishing ToolbarPhishTank SiteChecker

SkypeAVGUbuntuLiveLink (OpenText)

AMO (addons mozilla org)MozdevXulplanet

TamperDataFireBugHackbarFiresheep

Concerns on AMO Everyone can write extension

and submit to AMO (even us )

AMO review process lacks complete security assessment

Few extensions signed in AMO. Extensions are generally not “signed”. Users trust unsigned extensions.

Experimental extension (not approved yet) are publicly available

This sums it up

Extension and Malware Some people have already exploited this concept

FormSpy - 2006 Downloader-AXM Trojan, poses as the legitimate NumberedLinks 0.9

extension Steal passwords, credit card numbers, and e-banking login details

Firestarterfox - 2008 Hijacks all search requests through multiple search engines and redirects

them through Russian site thebestwebsearch.net Vietnamese Language Pack - 2008

Shipped with adware Vietnamese Language Pack - 2008

Shipped with adware

Might happen in the near future… Malware authors bribe/hack famous/recommended extension

developer/vendor Initial benign extension, malware is introduced in a 3rd/4th update

Attacking Firefox !

Now that we have seen the basic architecture & problem, let’s have some fun

Malicious Extensions

XCS (Cross site Context Switching)

Anatomy of an ExtensionThese are the components of every extension. They are archived together into the XPI file format.

Sample Files inside a XPI fileexampleExt.xpi: /install.rdf /chrome.manifest/chrome/ /chrome/content/ /browser.xul /browser.js

Extensions (XPI) = Archive of files

XUL Overlay is way of attaching XUL to existing Firefox XUL

Easily Distributable

Malicious Extensions

We will build a malicious extension which will

1. Log all Key Strokes and send them remotely2. Execute native code3. Extract stored passwords 4. Add a malicious site to the NoScript whitelist

DEMO

Interesting Finds

A single file can install a extension

If GUID is same new extension replaces the old

Most interesting find : extension cannot be hosted on network but what about MAPPED DRIVES?

In the course of making this presentation I

found some interesting things

XCS (Cross Context Switching)

•Cross Context Switching is the art of injecting malicious content into the trusted Chrome Zone. •XCS injections occur from untrusted to the trusted zone. •PDP was the first person to exploit XCS.

Attacking Event & DOM Handlers

Bypassing Wrappers

Attacking Event & DOM Handlers

•Event Handlers implement element properties attributes and behavior.•DOM nodes when dragged and dropped move the properties attributes and behavior •An extension that trusts DOM content can be subverted by providing malicious content •CreateEvent() DOM function can be used to send malicious content to the extension

DEMO

Bypassing Wrappers

•Multiple wrappers exist in Firefox and are used to protect privileged interfaces, functions and objects. • wrappedJSObject can be used to strip the wrapper protection. DEMO

What Can We Look For?

Suspicious single file(s) in the extension folder.

XPI are archives - can be un-Zipped and checked for any packaged executables

Check the install.rdf for common pitfalls mainly <em:hidden>

Verify chrome.manifest does not point to other extension folders as it can overwrite functionality.

What Should a Developer Do?

That’s a whole presentation by itself Don’t bypass wrappers Don’t trust content From the un-

trusted context. Don’t use eval() Follow this link :

https://developer.mozilla.org/en/Security_best_practices_in_extensions

Tools

Firebug XULWebDeveloper XPComViewer Venkman Console2 Burp

Last Words We discussed some ways to subvert the

Mozilla Platform This list is not by any means exhaustive There are some strategies like sandboxes

which can be bypassed New features like themes open new

avenues ! Last, Mozilla is a secure platform but can

be made to do lots of tricks… So some care should be taken.

Questions

Thank You

prasanna@deadpixel.org