Download - Firefox security (prasanna)
![Page 1: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/1.jpg)
Firefox (in)Security
Prasanna K
Dead Pixel
![Page 2: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/2.jpg)
What & Who
This presentation demonstrates strength of the Mozilla platform and how some of the features could be misused by malicious users.
This presentation is intended to dispel a common myth
Just using FIREFOX keeps you SECURE
Independent Security Researcher
DeadPixel Security Research Group
Enjoy Python and rarely C
That should be enough!
![Page 3: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/3.jpg)
Agenda
Basic premise Understanding the Mozilla Platform Attacking Firefox Malicious Extensions XCS Some basic points to watch….
That’s All Folks …
![Page 4: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/4.jpg)
Introduction
•Browser of the choice for millions•Multi Platform •Modular and Scalable ! •Pluggable Extension Code ! •Browser of my Choice
![Page 5: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/5.jpg)
Mozilla Platform
![Page 6: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/6.jpg)
Mozilla Platform
Chrome:
It could be used to indicate a “Special Trusted Zone” within the Mozilla Platform
URL Scheme “chrome://”
Extensions are Chrome Packages
XUL, XBL, CSS, JavaScript, DTD, images
![Page 7: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/7.jpg)
Mozilla Platform
XUL (pronounced "zool") :
Mozilla's XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet.
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="vbox example" title="Example 3...."
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<vbox>
<button id="yes" label="Yes"/>
<button id="no" label="No"/>
<button id="maybe" label="Maybe"/>
</vbox>
</window>
XML User Interface Language
Extension User Interface ..
![Page 8: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/8.jpg)
Mozilla Platform
XBL:
XML-based markup language used to declare the behavior and look of XUL-widgets and XML elements.
scrollbar { -moz-binding: url('somefile.xml#binding1'); }
-- “binding1” is the id of the binding
XBL v 2.0
Root Element : <bindings>
Assigned via : "-moz-binding”
![Page 9: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/9.jpg)
Mozilla Platform
XPCOM:
Cross platform component model from Mozilla.
Nerve center of the Mozilla platform.
XPCOM has some Similarity to CORBA and Microsoft COM.
XPCONNECT : JavaScript based glue to connect users and Database
Provides Components and classes for “Memory, File…. Etc”
XPCONNECT is the JS frontend to underlying XPCOM
![Page 10: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/10.jpg)
Important Components of Mozilla Platform
Gecko
Necko
Web Services
Open & Common Standards Like LDAP DTD SQL ….. etc
![Page 11: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/11.jpg)
Mozilla Platform
![Page 12: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/12.jpg)
Extension Installation – Mozilla Site
•Reviewed before being added to the Mozilla site. •Review process is manual lapses have been found •Over 2 billion add-ons as of today and growing •Add-ons can be distributed through Mozilla without review as well
https://addons.mozilla.org/en-US/firefox/addon/2230/
![Page 13: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/13.jpg)
Extension Installation – How else?
•There is no restriction on any site hosting Mozilla extensions (XPI files)•When installing from any site Mozilla pops a warning but the same message appears on the official site (confusing!). •Extensions can be installed without warning by other software, USB autorun, login scripts etc.
![Page 14: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/14.jpg)
Extension Installation – Alternate Method
•Place a file in the extensions folder in the Mozilla profile directory.•The filename should be the id of the extension to be loaded •The content of the file should be the location of the extension code
Beware: When this file exists in the folder the extensions is installed automatically it does not require any human interaction.
![Page 15: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/15.jpg)
Extension Security!
Mozilla extension security model is completely flat
Extension code is treated as fully privileged by Firefox
Vulnerabilities in extension code can result in full system compromise
No security boundaries between extensions An extension can silently modify/alter other extensions
![Page 16: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/16.jpg)
The Potential Statistics – Firefox Browser Market Share
Beyond 20% globally since November 2008, more than 50% in certain regions/countries
Source: Marketshare - marketshare.hitslink.com
Over 2 billion add-ons and growing
![Page 17: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/17.jpg)
Extensions are Everywhere
Search engines
Social Networks
Services Software/OS/Web Applicati
on Package
Extensions
Portals
Security
Google ToolbarGoogle Browser SyncYahoo ToolbarAsk.com Toolbar
Del.icio.us ExtensionFacebook ToolbarAOL ToolbarLinkedIn Browser Toolbar
Netcraft Anti-Phishing ToolbarPhishTank SiteChecker
SkypeAVGUbuntuLiveLink (OpenText)
AMO (addons mozilla org)MozdevXulplanet
TamperDataFireBugHackbarFiresheep
![Page 18: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/18.jpg)
Concerns on AMO
Everyone can write extension and submit to AMO (even us )
AMO review process lacks complete security assessment
Few extensions signed in AMO. Extensions are generally not “signed”. Users trust unsigned extensions.
Experimental extension (not approved yet) are publicly available
![Page 19: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/19.jpg)
This sums it up
![Page 20: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/20.jpg)
Extension and Malware
Some people have already exploited this concept FormSpy - 2006
Downloader-AXM Trojan, poses as the legitimate NumberedLinks 0.9 extension
Steal passwords, credit card numbers, and e-banking login details Firestarterfox - 2008
Hijacks all search requests through multiple search engines and redirects them through Russian site thebestwebsearch.net
Vietnamese Language Pack - 2008 Shipped with adware
Vietnamese Language Pack - 2008 Shipped with adware
Might happen in the near future… Malware authors bribe/hack famous/recommended extension
developer/vendor Initial benign extension, malware is introduced in a 3rd/4th update
![Page 21: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/21.jpg)
Attacking Firefox !
Now that we have seen the basic architecture & problem, let’s have some fun
Malicious Extensions
XCS (Cross site Context Switching)
![Page 22: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/22.jpg)
Anatomy of an Extension
These are the components of every extension. They are archived together into the XPI file format.
Sample Files inside a XPI file
exampleExt.xpi:
/install.rdf
/chrome.manifest
/chrome/
/chrome/content/
/browser.xul
/browser.js
Extensions (XPI) = Archive of files
XUL Overlay is way of attaching XUL to existing Firefox XUL
Easily Distributable
![Page 23: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/23.jpg)
Malicious Extensions
We will build a malicious extension which will
1. Log all Key Strokes and send them remotely
2. Execute native code
3. Extract stored passwords
4. Add a malicious site to the NoScript whitelist
DEMO
![Page 24: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/24.jpg)
Interesting Finds
A single file can install a extension
If GUID is same new extension replaces the old
Most interesting find : extension cannot be hosted on network but what about MAPPED DRIVES?
In the course of making this presentation I
found some interesting things
![Page 25: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/25.jpg)
XCS (Cross Context Switching)
•Cross Context Switching is the art of injecting malicious content into the trusted Chrome Zone.
•XCS injections occur from untrusted to the trusted zone.
•PDP was the first person to exploit XCS.
Attacking Event & DOM Handlers
Bypassing Wrappers
![Page 26: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/26.jpg)
Attacking Event & DOM Handlers
•Event Handlers implement element properties attributes and behavior.
•DOM nodes when dragged and dropped move the properties attributes and behavior
•An extension that trusts DOM content can be subverted by providing malicious content
•CreateEvent() DOM function can be used to send malicious content to the extension
DEMO
![Page 27: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/27.jpg)
Bypassing Wrappers
•Multiple wrappers exist in Firefox and are used to protect privileged interfaces, functions and objects.
• wrappedJSObject can be used to strip the wrapper protection. DEMO
![Page 28: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/28.jpg)
What Can We Look For?
Suspicious single file(s) in the extension folder.
XPI are archives - can be un-Zipped and checked for any packaged executables
Check the install.rdf for common pitfalls mainly <em:hidden>
Verify chrome.manifest does not point to other extension folders as it can overwrite functionality.
![Page 29: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/29.jpg)
What Should a Developer Do?
That’s a whole presentation by itself Don’t bypass wrappers Don’t trust content From the un-
trusted context. Don’t use eval() Follow this link :
https://developer.mozilla.org/en/Security_best_practices_in_extensions
![Page 30: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/30.jpg)
Tools
Firebug XULWebDeveloper XPComViewer Venkman Console2 Burp
![Page 31: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/31.jpg)
Last Words
We discussed some ways to subvert the Mozilla Platform
This list is not by any means exhaustive There are some strategies like
sandboxes which can be bypassed New features like themes open new
avenues ! Last, Mozilla is a secure platform but can
be made to do lots of tricks… So some care should be taken.
![Page 32: Firefox security (prasanna)](https://reader036.vdocuments.site/reader036/viewer/2022081421/55514fbfb4c905bd1c8b5642/html5/thumbnails/32.jpg)
Questions