Exploiting Firefox Extensions


                                     Roberto Suggi Liverani / Nick Freeman
                                                 Security-Assessment.com




Securitybyte & OWASP Confidential
Who Are We?


                 Roberto Suggi Liverani
                   – Senior Security Consultant – Security-Assessment.com
                   – OWASP NZ Leader
                   – http://malerisch.net
                 Nick Freeman
                   – Security Consultant – Security-Assessment.com
                   – http://atta.cked.me
                 Contact us
                   – Roberto.suggi@security-assessment.com
                   – Nick.freeman@security-assessment.com
Securitybyte & OWASP Confidential   Securitybyte & OWASP AppSec Conference 2009   2
Agenda


                 Introduction

                 Security threats and risks

                 Disclosure summary

                 Exploiting Extensions – a selection of exploits
                 and demos



Introduction


                 What are Firefox extensions?
                   – It’s just software
                   – Equivalent of ActiveX
                 What do extensions do?
                   – Extend, modify and control browser behaviour
                   – Provide extended/rich functionality and added
                     features
                 Different types of Firefox add-ons
                   – Extensions
                   – Plugins (search engine plugins) and Themes


Extension Technology Overview

                 XPCOM:
                   – components/interfaces
                   – layer to low-level libraries: interact with network, I/O, file
                     system, etc.
                 XPConnect:
                   – middle layer that allows JavaScript to interface with XPCOM
                 XUL:
                   – provides the UI to the extension
                   – combined with JavaScript, CSS and HTML elements
                   – .xul file
                 XBL:
                   – allows creation of new reusable widgets
                   – combined with CSS, XML and XUL
                 Chrome:
                   – privileged browser zone
                   – code fully trusted




Extension Security Model

                 The Mozilla extension security model is nonexistent
                   – Extension code is fully trusted by Firefox
                             • A vulnerability in extension code might result in full system
                               compromise
                   – No security boundaries between extensions
                             • An extension can silently modify/alter another extension
                   – XPCOM C++ components are subject to memory
                     corruption
                   – Extension vulnerabilities are platform independent
                   – Lack of security policies in Firefox to allow/deny
                     access to internal APIs, XPCOM components, etc.
                   – Any Mozilla application with the extension system is
                     vulnerable to the same class of issues (e.g. Thunderbird)

The potential


                 Statistics – Firefox Browser Market Share
                   – Beyond 20% globally since November 2008, more
                     than 50% in certain regions/countries




Extension downloads boom


                 Statistics – AMO (Addons.Mozilla.Org) Download
                 Trend
                   – 1 billion extension downloads from AMO – Nov 2008




Extensions are everywhere


                 Search engines
                   – Google Toolbar, Google Browser Sync, Yahoo Toolbar, Ask.com Toolbar
                 Social Networks
                   – Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, LinkedIn Browser Toolbar
                 Services
                   – Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker
                 Software/OS/Web Application Package
                   – Skype, AVG, Ubuntu, LiveLink (OpenText)
                 Extension Portals
                   – AMO (addons.mozilla.org), Mozdev, Xulplanet




The weakest part of the chain


                 Human Factors – users:
                   – Trust
                             • AMO Recommended Extensions
                             • Open Source

                   – Misconception = users expect extensions to be safe
                             • 'according to Softpedia, it's 100% safe'
                             • NoScript/AdBlockPlus provide a false sense of security
                                    – chrome:// URIs are whitelisted in NoScript, so an XSS
                                      injection there is not blocked




The weakest part of the chain ctd.
                 Human Factors – developers:
                             • The Mozilla page for building extensions doesn't mention
                               the word 'security' once
                             • Many add-on developers do it as a hobby – not necessarily
                               aware of how dangerous a vulnerable extension can be


                 Human Factors – reviewers:
                             • Don’t need to have great knowledge of app / webapp
                               security
                             • Need to follow a few guidelines for what is and isn’t
                               acceptable
                             • These guidelines focus on finding malicious extensions
                             • Vulnerable extensions can quite easily slip through




Concerns on AMO
                             • Anyone can write an extension and submit it
                             • The AMO review process lacks a complete security assessment
                             • Few extensions on AMO are signed. Extensions are generally
                               not “signed”, and users trust unsigned extensions.
                             • Experimental extensions (not yet approved) are publicly
                               available

Extension And Malware
                             • FormSpy - 2006
                                 – Downloader-AXM Trojan, poses as the legitimate
                                   NumberedLinks 0.9 extension
                                 – Steals passwords, credit card numbers, and e-banking
                                   login details
                             • Firestarterfox - 2008
                                 – Hijacks all search requests made through multiple search
                                   engines and redirects them through the Russian site
                                   thebestwebsearch.net
                             • Vietnamese Language Pack - 2008
                                 – Shipped with adware because the developer was owned
                 Might happen in the near future…
                             • Malware authors bribe/hack a famous/recommended
                               extension developer/vendor
                             • Initially benign extension; malware is introduced in a 3rd/4th
                               update
Abusing Firefox Extensions


                 Finding bugs in Firefox extensions is fun ;-)
                   – Multiple ways to find them – it depends on:
                             • Nature of the extension
                             • Logic exposed
                             • Input and output
                             • XPCOM components
                             • Third party API/components


                 Our research focus:
                   – Extension logic, security model and functions
                     exposed
                   – Extension data flow and data injection points

XSS or Cross Browser Context
                 XSS on steroids
                   – Any input rendered in the chrome is a potential XSS
                     injection point




                   – XSS in chrome is privileged code!
                             • It can interface with XPConnect and XPCOM = 0wn3d!
                             • No SOP restrictions!
                             • Cannot be blocked by NoScript!
NoScript’s Whitelist




XSS disclosing /etc/passwd




Testing for XSS

                   – Run Firefox with the console active
                             • firefox.exe -console
                   – To confirm execution of our XSS payload, write an error
                     message to the console – dump(error);
                   – Is our XSS in chrome? Check all window properties,
                     not just window




Useful XSS payloads
                   – Check for use of
                     nsIScriptableUnescapeHTML.parseFragment()
                             • Its absence might mean the extension relies on input black-list filters
                 Method – payload:
                   – iframe with data URI and base64 payload:
                     <iframe src='data:text/html;base64,base64XSSpayloadhere'>
                   – Recursive iframes:
                     <iframe src="data:text/html,<iframe src='data:text/html;base64,base64iframe+data+XSSpayload'></iframe>"></iframe>
                   – Embedded XSS:
                     <embed src='javascript:XSSpayload'>
                   – XSS on DOM events:
                     <img src='a' onerror=XSSpayload>
                   – XUL injection:
                     <![CDATA["<button id="1" label="a" oncommand='alert(window)' />"]]>
                   – XBL injection:
                     style="-moz-binding:url(data:text/xml;charset=utf-8,XBL)"



Tools

                       • Firebug
                       • Chromebug – Firebug for chrome, XUL
                       • WebDeveloper – allows more control on page elements,
                         cookies
                       • XPComViewer – shows registered XPCOM
                         components/interfaces
                       • Venkman - JavaScript Debugger
                       • Console2 – advanced error console
                       • ChromeList – File viewer for installed extensions
                       • Execute JS - enhanced JavaScript-Console
                       • DOM Inspector – allows inspecting the DOM
                       • Burp – web proxy
                       • Mozrepl – js shell via telnet service
                       • Sysinternals Tools – regmon, filemon, tcpmon, etc.


Abusing extensions…
                 Extension Name    Date Disclosed   Vendor Response Date           Fix Date
                 WizzRSS           2009/02/18       2009/02/18                     2009/03/20
                 CoolPreviews      2009/03/05       No response, silently fixed    2009/04/20
                 FireFTP           N/A              N/A                            2009/02/19
                 InfoRSS           2009/02/16       2009/02/16                     2009/07/03
                 Feed Sidebar      2009/03/04       2009/03/05                     2009/03/14
                 Sage              2009/02/27       N/A                            N/A
                 UpdateScanner     2009/06/08       2009/06/11                     2009/06/15
                 Undisclosed       2009/06/22       N/A                            N/A
                 Yoono             2009/06/30       2009/06/30                     2009/07/06
                 ScribeFire        2009/07/10       2009/07/15                     2009/07/20
                 Skype             N/A              N/A                            2009/06/03

                 Total downloads from AMO: 30,000,000+
Skype


                 Skype (<=3.8.0.188)
                 Issue:
                   – Automatically places an arbitrary number of calls to arbitrary
                     phone numbers and Skype names
                   – The function skype_tool.call() is exposed to the DOM and
                     can be called directly
                   – Skype username injection - skypeusername%00+"
                 Filtering/Protection:
                   – None.
                 Exploit:
                   – Automatic arbitrary phone calls to multiple numbers
Demo


                 Demo.avi
                 Arbitrary phone calls




CoolPreviews

                 CoolPreviews – 2.7
                 Issue:
                   – The URI is passed to the CoolPreviews stack without any
                     filtering.
                   – A data: URI is accepted and its content is rendered
                     in the chrome privileged zone.
                   – The user triggers the exploit by adding the malicious link to
                     the CoolPreviews stack (right-click by default)
                 Filtering/Protection:
                   – No URI whitelist is used
                 Exploit:
                   – data:text/html,base64;payloadbase64encoded
Demo

                 Remote Code Execution Payload – invoking
                 cmd.exe




FireFTP


                 FireFTP (<1.1.4)
                 Issue:
                   – HTML and JavaScript in a server’s welcome message
                     are evaluated when connecting to an FTP server.
                   – The code is executed in the chrome privileged zone
                 Filtering/Protection:
                   – None.
                 Exploit:
                   – Local File Disclosure



Demo

                 Local File Disclosure




Feed Sidebar
                 Feed Sidebar (<3.2)
                 Issue:
                   – HTML and JavaScript in the <description> tags of RSS
                     feeds are executed in the chrome security zone.
                   – The JavaScript is encoded in base64 or used as the
                     source of an iframe, and executed when the user
                     clicks on the malicious feed item.
                 Filtering/Protection:
                   – <script> tags are stripped
                 Exploit:
                   – &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;
Demo


                 Password stealing




Sage
                 Sage (<=1.4.3)
                 Issue:
                   – HTML and JavaScript in the <description> tags of RSS
                     feeds are executed in the chrome security zone.
                   – data: URI scheme injection in the <link> tag
                 Filtering/Protection:
                   – No protection
                 Exploit:
                   – <description>&lt;script&gt;dosomethingbad();&lt;script&gt;</description>
                   – <link>data:text/html;base64,payload</link>


Demo

                 Compromising NoScript – whitelisting a malicious
                 site




InfoRSS
                 InfoRSS (<=1.1.4.2)
                 Issue:
                   – HTML and JavaScript in the <description> tags of RSS
                     feeds are executed in the chrome security zone.
                   – The JavaScript is encoded in base64 or used as the
                     source of an iframe, and executed when the user
                     clicks on the malicious feed item.
                 Filtering/Protection:
                   – <script> tags are stripped
                 Exploit:
                   – &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;
Demo

                 Arbitrary Code Execution via BeEF Reloaded
                   – Support for XUL
                   – Mozilla extensions exploitation
                   – Command line option (Windows)




Yoono


                 Yoono (<6.1.1)
                 Issue:
                   – JavaScript in DOM event handlers such as onLoad is
                     evaluated in the chrome privileged browser zone.
                   – Dragging and dropping a malicious image into the preview
                     window executes the JavaScript.
                 Filtering/Protection:
                   – No protection for DOM event handlers.
                 Exploit:
                   – <img src='http://somewebsite.tld/lolcatpicture.jpg' onLoad='evilJavaScript'>
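The feed readers above (Feed Sidebar, InfoRSS) relied on stripping <script> tags, Sage accepted a data: URI in <link>, and Yoono left DOM event handlers such as onLoad in place; the payload table earlier in the deck lists exactly the vectors such black-list filters miss. The following is an added example, not code from the presentation or from any of the extensions it covers: a Node.js script that contrasts a "strip <script>" black-list filter with an allowlist sanitizer of the kind an extension should run over feed or preview content before rendering it in chrome. The sample strings are constructed stand-ins shaped like the slide's payloads; evil(), BASE64PAYLOAD and example.invalid are placeholders, and blacklistLetsThrough() is a detection heuristic for the demo, not a sanitizer.

```javascript
// Added example (not from the presentation or any extension it discusses):
// black-list "<script> stripping" versus an allowlist sanitizer for HTML that
// an extension intends to render in a privileged (chrome) context.
// Runs under Node.js (uses the global URL class). All sample input below is
// constructed; evil(), BASE64PAYLOAD and example.invalid are placeholders.

// --- 1. The kind of black-list filter the vulnerable feed readers used ------
// Removes <script>...</script> blocks and stray <script> tags, nothing else.
function stripScriptTags(html) {
  return html
    .replace(/<\s*script\b[^>]*>[\s\S]*?<\s*\/\s*script\s*>/gi, "")
    .replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

// Detection heuristic: does the black-listed output still carry an
// active-content vector (frames/embeds, on* handlers, -moz-binding,
// data:/javascript: URLs)? True means the filter was bypassed.
function blacklistLetsThrough(html) {
  const filtered = stripScriptTags(html);
  return /<(iframe|embed|object)\b|\son[a-z]+\s*=|-moz-binding|(?:src|href)\s*=\s*["']?\s*(?:data|javascript):/i
    .test(filtered);
}

// --- 2. Allowlist sanitizer -------------------------------------------------
// Everything not explicitly permitted is dropped: unknown tags, every on*
// handler, style (carrier of XBL -moz-binding), and any URL whose scheme is
// not http(s). Comments and CDATA sections (the XUL injection vector) go too.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "img"]);
const ALLOWED_ATTRS = { a: new Set(["href"]), img: new Set(["src", "alt"]) };
const VOID_TAGS = new Set(["br", "img"]);
// Disallowed elements whose body must be discarded, not re-emitted as text.
const RAW_TEXT_TAGS = new Set(["script", "style", "iframe", "noscript", "textarea", "xmp", "title"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Tokens: comment, CDATA, element tag (quoted values may contain '>'),
// other '<...>' junk, a run of text, or a lone '<'.
const TOKEN = /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<\/?[a-zA-Z](?:"[^"]*"|'[^']*'|[^>"'])*>|<[^>]*>|[^<]+|</g;
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)\/?>$/;
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Text nodes and attribute values are always re-escaped; an already-encoded
// entity comes out double-encoded, which is the safe direction.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Scheme check through the URL parser, so "java\nscript:" or leading control
// characters cannot slip past a string comparison. Relative URLs are rejected.
function isSafeUrl(value) {
  try {
    return ALLOWED_SCHEMES.has(new URL(value).protocol);
  } catch {
    return false;
  }
}

function sanitizeFeedHtml(html) {
  const out = [];
  const open = [];       // open allowed elements, so output is always balanced
  let skipping = null;   // name of a raw-text element whose body is being dropped
  for (const tok of html.match(TOKEN) || []) {
    if (tok[0] !== "<") { if (!skipping) out.push(escapeText(tok)); continue; }
    const m = TAG_RE.exec(tok);
    if (!m) { if (!skipping && tok === "<") out.push("&lt;"); continue; } // comment/CDATA/junk
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (skipping) { if (closing && name === skipping) skipping = null; continue; }
    if (!ALLOWED_TAGS.has(name)) {
      if (!closing && RAW_TEXT_TAGS.has(name)) skipping = name;
      continue;
    }
    if (closing) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                          // stray closer
      while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    const attrs = [];
    for (const a of m[3].matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      const attrValue = a[2] ?? a[3] ?? a[4] ?? "";
      const permitted = ALLOWED_ATTRS[name];
      if (!permitted || !permitted.has(attrName)) continue;  // drops on*, style, id, ...
      if ((attrName === "href" || attrName === "src") && !isSafeUrl(attrValue)) continue;
      attrs.push(` ${attrName}="${escapeText(attrValue)}"`);
    }
    out.push(`<${name}${attrs.join("")}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join("");
}

// --- 3. Constructed samples shaped like the deck's payload table ------------
const SAMPLES = {
  scriptTag:  '<p>Hi</p><script>evil()</script>',
  iframeData: '<iframe src="data:text/html;base64,BASE64PAYLOAD"></iframe>',
  embedJs:    '<embed src="javascript:evil()">',
  imgOnerror: '<img src="a" onerror="evil()">',
  xulButton:  '<![CDATA["<button id="1" label="a" oncommand="evil()" />"]]>',
  xblBinding: '<p style="-moz-binding:url(data:text/xml;charset=utf-8,XBL)">text</p>',
  imgOnload:  '<img src="http://example.invalid/cat.jpg" onLoad="evil()">',
  benign:     '<p>New post: <a href="https://example.invalid/post?id=1&x=2">read</a> <b>now</b></p>',
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(`${label.padEnd(11)} blacklist bypassed: ${blacklistLetsThrough(html)}  allowlist -> ${sanitizeFeedHtml(html)}`);
}
```

Run it with `node sanitize-demo.js`: every sample except `scriptTag` and `benign` passes the black-list filter untouched, while the allowlist sanitizer reduces each of them to inert markup (the benign post survives with its https link). The design point is the one the deck makes about nsIScriptableUnescapeHTML.parseFragment(): decide what is allowed and discard everything else, rather than enumerate what is forbidden.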

Demo


                 Reverse VNC Using XHR – contents of payload




Security Disclosure


                 Security disclosure is a new process for
                 extension developers/vendors

                   – Security is underestimated/not understood.
                   – Few posts regarding security vulnerabilities in
                     Firefox extensions on security mailing lists such as Full
                     Disclosure.
                   – The Mozilla security team can now be queried for bugs
                     found in extensions.




Recommendations


                    – Developers:
                              • Follow the OWASP Developer’s Guide
                              • Read the code of similar extensions for ideas on avoiding
                                common bugs
                    – Security professionals:
                              • Adhere to the OWASP Testing Guide and our presentation
                              • Watch publications for new ideas on breaking extensions
                    – End-users:
                              • Don’t trust extensions!
                              • Examine changelogs for security issues / Bugzilla
                              • Update add-ons (after checking the above)
                              • Consider using Safe Mode (disables all extensions)


Thanks!
                                    Roberto.suggi@security-assessment.com
                                    Nick.freeman@security-assessment.com




References

                   – Research and publications on the topic
                             • Extensible Web Browser Security - Mike Ter Louw, Jin Soon
                               Lim, and V.N. Venkatakrishnan
                                    – http://www.mike.tl/view/Research/ExtensibleWebBrowserSecurity
                             • Bachelor thesis on Firefox extension security - Julian
                               Verdurmen
                                    – http://jverdurmen.ruhosting.nl/BachelorThesis-Firefox-extension-security.html
                             • Attacking Rich Internet Applications (kuza55, Stefano Di
                               Paola)
                                    – http://www.ruxcon.org.au/files/2008/Attacking_Rich_Internet_Applications.pdf

                             • Firebug – Petko D. Petkov, Thor Larholm, 6 April 2007
                                    – http://larholm.com/2007/04/06/0day-vulnerability-in-firebug/
                                    – http://www.gnucitizen.org/blog/firebug-goes-evil/
                             • Tamper Data XSS - Roee Hay – 27 Jul 2008
                                    – http://blog.watchfire.com/wfblog/2008/07/tamper-data-cro.html
                             • GreaseMonkey – ISS – 21 Jul 2005
                                    – http://xforce.iss.net/xforce/xfdb/21453
                             • Sage RSS Reader (pdp & David Kierznowski)
                                    – http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/
                             • Sage Disclosure:
                                    – https://www.mozdev.org/bugs/show_bug.cgi?id=20610

                   – CoolPreviews
                             • http://www.security-assessment.com/files/advisories/CoolPreviews_Firefox_Extension_Security_Advisory.pdf
                   – Update Scanner
                             • http://www.security-assessment.com/files/advisories/CoolPreviews_Firefox_Extension_Security_Advisory.pdf
                   – ScribeFire
                             • http://www.security-assessment.com/files/advisories/ScribeFire_Firefox_Extension_Privileged_Code_Injection.pdf
                   – Feed Sidebar
                             • http://www.security-assessment.com/files/advisories/ScribeFire_Firefox_Extension_Privileged_Code_Injection.pdf
                   – WizzRSS
                             • http://www.security-assessment.com/files/advisories/WizzRSS_Firefox_Extension_Privileged_Code_Injection.pdf

Electronic commerce courselecture one. Pdf
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Diabetes mellitus diagnosis method based random forest with bat algorithm
Network Security Unit 5.pdf for BCA BBA.
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
Empathic Computing: Creating Shared Understanding
Machine learning based COVID-19 study performance prediction
Unlocking AI with Model Context Protocol (MCP)
Advanced IT Governance
cuic standard and advanced reporting.pdf
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
NewMind AI Monthly Chronicles - July 2025
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
KodekX | Application Modernization Development

Exploiting Firefox Extensions

  • 1. Exploiting Firefox Extensions
      Roberto Suggi Liverani / Nick Freeman, Security-Assessment.com
      Securitybyte & OWASP Confidential – Securitybyte & OWASP AppSec Conference 2009
  • 2. Who Are We?
      Roberto Suggi Liverani
      – Senior Security Consultant – Security-Assessment.com
      – OWASP NZ Leader
      – http://malerisch.net
      Nick Freeman
      – Security Consultant – Security-Assessment.com
      – http://atta.cked.me
      Contact us
      – Roberto.suggi@security-assessment.com
      – Nick.freeman@security-assessment.com
  • 3. Agenda
      – Introduction
      – Security threats and risks
      – Disclosure summary
      – Exploiting Extensions – a selection of exploits and demos
  • 4. Introduction
      What are Firefox extensions?
      – It’s just software
      – Equivalent of ActiveX
      What do extensions do?
      – Extend, modify and control browser behaviour
      – Provide extended/rich functionality and added features
      Different types of Firefox addons
      – Extensions
      – Plugins (Search Engine plugins) and Themes
  • 5. Extension Technology Overview
      XPCOM
      – reusable components/interfaces
      – libraries to interact with the low layer: network, I/O, file system, etc.
      XPConnect
      – middle layer
      – allows JavaScript extensions to interface with XPCOM
      XBL
      – allows creation of new widgets
      – combined with CSS, XML and XUL
      Chrome
      – privileged browser zone
      – code fully trusted
      XUL
      – provides UI to extensions
      – combined with JavaScript, CSS, HTML elements
      – .xul file
  • 6. Extension Security Model
      Mozilla extension security model is nonexistent
      – Extension code is fully trusted by Firefox
        • A vulnerability in extension code might result in full system compromise
      – No security boundaries between extensions
        • An extension can silently modify/alter another extension
      – XPCOM C++ components are subject to memory corruption
      – Extension vulnerabilities are platform independent
      – Lack of security policies to allow/deny Firefox access to internal API, XPCOM components, etc.
      – Any Mozilla application with the extension system is vulnerable to the same class of issues (e.g. Thunderbird)
  • 7. The potential
      Statistics – Firefox Browser Market Share
      – Beyond 20% globally since November 2008, more than 50% in certain regions/countries
  • 8. Extension downloads boom
      Statistics – AMO (Addons.Mozilla.Org) Download Trend
      – 1 billion extension downloads from AMO – Nov 2008
  • 9. Extensions are everywhere
      Search engines: Google Toolbar, Google Browser Sync, Yahoo Toolbar, Ask.com Toolbar, AOL Toolbar
      Social Networks: Del.icio.us Extension, Facebook Toolbar, LinkedIn Browser Toolbar
      Services: Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker
      Software/OS/Web Application Package: Skype, AVG, Ubuntu, LiveLink (OpenText)
      Extensions Portals: AMO (addons.mozilla.org), Mozdev, Xulplanet
  • 10. The weakest part of the chain
      Human Factors – users:
      – Trust
        • AMO Recommended Extensions
        • Open Source
      – Misconception = users expect extensions to be safe
        • "according to Softpedia, it's 100% safe"
        • NoScript/AdBlockPlus provide a false sense of security
          – chrome:// URI whitelisted in NoScript, any XSS injection there is not blocked
  • 11. The weakest part of the chain ctd.
      Human Factors – developers:
      • The Mozilla page for building extensions doesn't mention the word 'security' once
      • Many addon developers do it as a hobby – not necessarily aware of how dangerous a vulnerable extension can be
      Human Factors – reviewers:
      • Don’t need to have great knowledge about app / webapp security
      • Need to follow a few guidelines for what is and isn’t acceptable
      • These guidelines focus on finding malicious extensions
      • Vulnerable extensions can quite easily slip through
  • 12. Concerns on AMO
      • Everyone can write an extension and submit it
      • AMO review process lacks a complete security assessment
      • Few extensions on AMO are signed. Extensions are generally not “signed”. Users trust unsigned extensions.
      • Experimental extensions (not approved yet) are publicly available
  • 13. Extensions and Malware
      • FormSpy - 2006
        – Downloader-AXM Trojan, poses as the legitimate NumberedLinks 0.9 extension
        – Steals passwords, credit card numbers, and e-banking login details
      • Firestarterfox - 2008
        – Hijacks all search requests through multiple search engines and redirects them through the Russian site thebestwebsearch.net
      • Vietnamese Language Pack - 2008
        – Shipped with adware because the developer was owned
      Might happen in the near future…
      • Malware authors bribe/hack a famous/recommended extension developer/vendor
      • Initially benign extension, malware is introduced in a 3rd/4th update
  • 14. Abusing Firefox Extensions
      Finding bugs in Firefox extensions is fun ;-)
      – Multiple ways to find them – it depends on:
        • Nature of the extension
        • Logic exposed
        • Input and output
        • XPCOM components
        • Third party API/components
      Our research focus:
      – Extension logic, security model and functions exposed
      – Extension data flow and data injection points
  • 15. XSS or Cross Browser Context
      XSS on steroids
      – Any input rendered in the chrome is a potential XSS injection point
      – XSS in chrome is privileged code!
        • It can interface with XPConnect and XPCOM = 0wn3d!
        • No SOP restrictions!
        • Cannot be blocked by NoScript!
  • 16. NoScript’s Whitelist
  • 17. XSS disclosing /etc/passwd
  • 18. Testing for XSS
      – Run Firefox with the console active
        • firefox.exe -console
      – To confirm execution of our XSS payload, generate an error into the console – dump(error);
      – Is our XSS in Chrome? Check all window properties - not just window
  • 19. Useful XSS payloads
      – Check use of nsIScriptableUnescapeHTML.parseFragment()
        • Lack of this might mean use of input black-list filters
      Method/Description – Payload
      – iframe with data URI and base64 payload: <iframe src='data:text/html;base64,base64XSSpayloadhere'>
      – Recursive iframes: <iframe src="data:text/html,<iframe src='data:text/html;base64,base64iframe+data+XSSpayload'></iframe>"></iframe>
      – Embedded XSS: <embed src='javascript:XSSpayload'>
      – XSS on DOM events: <img src='a' onerror=XSSpayload>
      – XUL injection: <![CDATA["<button id="1" label="a" oncommand='alert(window)' />"]]>
      – XBL injection: style="-moz-binding:url(data:text/xml;charset=utf-8,XBL)"
  • 20. Tools
      • Firebug
      • Chromebug – Firebug for chrome, XUL
      • WebDeveloper – allows more control over page elements, cookies
      • XPComViewer – shows registered XPCOM components/interfaces
      • Venkman – JavaScript Debugger
      • Console2 – advanced error console
      • ChromeList – file viewer for installed extensions
      • Execute JS – enhanced JavaScript console
      • DOM Inspector – allows inspecting the DOM
      • Burp – web proxy
      • Mozrepl – JS shell via telnet service
      • Sysinternals Tools – regmon, filemon, tcpmon, etc.
  • 21. Abusing extensions…
      Extension Name | Date Disclosed | Vendor Response Date | Fix Date
      WizzRSS        | 2009/02/18 | 2009/02/18                  | 2009/03/20
      CoolPreviews   | 2009/03/05 | No response, silently fixed | 2009/04/20
      FireFTP        | N/A        | N/A                         | 2009/02/19
      InfoRSS        | 2009/02/16 | 2009/02/16                  | 2009/07/03
      Feed Sidebar   | 2009/03/04 | 2009/03/05                  | 2009/03/14
      Sage           | 2009/02/27 | N/A                         | N/A
      UpdateScanner  | 2009/06/08 | 2009/06/11                  | 2009/06/15
      Undisclosed    | 2009/06/22 | N/A                         | N/A
      Yoono          | 2009/06/30 | 2009/06/30                  | 2009/07/06
      ScribeFire     | 2009/07/10 | 2009/07/15                  | 2009/07/20
      Skype          | N/A        | N/A                         | 2009/06/03
      Total downloads from AMO: 30,000,000+
  • 22. Skype
      Skype (<=3.8.0.188)
      Issue:
      – Automatic arbitrary number of calls to arbitrary phone numbers and skypenames
      – Function skype_tool.call() is exposed to the DOM and can be called directly
      – Skype username injection - skypeusername%00+"
      Filtering/Protection:
      – None.
      Exploit:
      – Automatic arbitrary phone call to multiple numbers
  • 23. Demo (Demo.avi) – Arbitrary phone calls
  • 24. CoolPreviews
      CoolPreviews – 2.7
      Issue:
      – URI is passed to the CoolPreviews Stack without any filtering.
      – A data: URI is accepted and its content is rendered in the chrome privileged zone.
      – User triggers the exploit by adding the malicious link to the CoolPreviews stack (right-click by default)
      Filtering/Protection:
      – No use of URI whitelist
      Exploit:
      – data:text/html,base64;payloadbase64encoded
  • 25. Demo – Remote Code Execution, payload invoking cmd.exe
  • 26. FireFTP
      FireFTP (<1.1.4)
      Issue:
      – HTML and JavaScript in a server’s welcome message is evaluated when connecting to an FTP server.
      – The code is executed in the chrome privilege zone
      Filtering/Protection:
      – None.
      Exploit:
      – Local File Disclosure
  • 27. Demo – Local File Disclosure
  • 28. Feed Sidebar
      Feed Sidebar (<3.2)
      Issue:
      – HTML and JavaScript in the <description> tags of RSS feeds is executed in the chrome security zone.
      – JavaScript is encoded in base64 or used as the source of an iframe and executed when the user clicks on the malicious feed item.
      Filtering/Protection:
      – <script> tags are stripped
      Exploit:
      – &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;
  • 29. Demo – Password stealing
  • 30. Sage
      Sage (<=1.4.3)
      Issue:
      – HTML and JavaScript in the <description> tags of RSS feeds is executed in the chrome security zone.
      – data: URI scheme injection in the <link> tag
      Filtering/Protection:
      – No protection
      Exploit:
      – <description>&lt;script&gt;dosomethingbad();&lt;/script&gt;</description>
      – <link>data:text/html;base64,payload</link>
  • 31. Demo – Compromising NoScript, whitelisting a malicious site
  • 32. InfoRSS
      InfoRSS (<=1.1.4.2)
      Issue:
      – HTML and JavaScript in the <description> tags of RSS feeds is executed in the chrome security zone.
      – JavaScript is encoded in base64 or used as the source of an iframe and executed when the user clicks on the malicious feed item.
      Filtering/Protection:
      – <script> tags are stripped
      Exploit:
      – &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;
  • 33. Demo – Arbitrary Code Execution via BeEF Reloaded
      – Support for XUL
      – Mozilla extensions exploitation
      – Command line option (Windows)
  • 34. Yoono
      Yoono (<6.1.1)
      Issue:
      – JavaScript in DOM event handlers such as onLoad is evaluated in the chrome privileged browser zone.
      – Drag & dropping a malicious image into the preview window executes the JavaScript.
      Filtering/Protection:
      – No protection for DOM event handlers.
      Exploit:
      – <img src='http://somewebsite.tld/lolcatpicture.jpg' onLoad='evilJavaScript'>
  • 35. Demo – Reverse VNC using XHR – contents of payload
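The feed-reader, preview and drag-and-drop bugs on slides 24, 28, 30, 32 and 34 share one root cause: attacker-controlled markup or URIs reach the chrome zone after, at best, a blacklist that strips <script>, which leaves every payload class on slide 19 (iframe with data: URI, embed, DOM event handler, XUL, XBL) untouched. The code below is an added example, not code from the original slides or from any of the extensions named; it shows the allowlist approach such an extension would need instead: only absolute http(s) URIs are accepted as link or preview targets, only a small set of tags and attributes survive sanitisation, and a call target destined for a privileged function like the Skype one on slide 22 is validated rather than concatenated (the %00+" injection is the decoded NUL-plus-quote form checked here). It runs under Node.js and uses no Firefox or XPCOM API; the tag and attribute allowlists, the skype-name and phone-number formats, and the sample feed description are all constructed for the example.

```javascript
// Added example (not from the original slides): allowlist-based handling of
// untrusted feed markup, link targets and call targets before they reach
// privileged (chrome) code. Runs under Node.js; no Firefox/XPCOM API is used.

// Only absolute http(s) targets are acceptable from untrusted input;
// data:, javascript:, chrome:, file: and unparsable values are rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeUri(uri) {
  // Whitespace and control characters are rejected rather than trimmed: the
  // URL parser silently drops tabs and newlines, which is how "java\tscript:"
  // would otherwise get past a plain string comparison.
  if (typeof uri !== "string" || /[\x00-\x20]/.test(uri)) return false;
  let parsed;
  try {
    parsed = new URL(uri); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Markup allowlist (constructed for this example): the tags a feed
// description legitimately needs and the few attributes allowed on them.
// iframe, embed, object, script, button, style, on* handlers and
// -moz-binding styles are simply not listed, so they never reach the output.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// attribute name, optionally followed by "=" and a quoted or bare value
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

// Re-emit an allowed start tag with only its allowed attributes; URL-bearing
// attributes must additionally pass isSafeUri.
function rebuildTag(name, rawAttrs) {
  const allowed = ALLOWED_ATTRS[name] || [];
  let out = "<" + name;
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || "");
    if (!allowed.includes(attr)) continue; // drops onload, onerror, style, ...
    if (URL_ATTRS.has(attr) && !isSafeUri(value)) continue; // drops data:, javascript:
    out += ` ${attr}="${escapeAttr(value)}"`;
  }
  return out + ">";
}

// Sanitise an HTML fragment (e.g. an RSS <description> after XML decoding).
// Tags not on the allowlist are removed, keeping only their text; comments,
// CDATA sections and anything else starting with "<" are escaped as text.
function sanitizeHtml(html) {
  const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;
    out += m[0][1] === "/" ? `</${name}>` : rebuildTag(name, m[2]);
  }
  return out + escapeText(html.slice(last));
}

// A call target handed to a privileged dialler must match a strict format;
// NUL bytes, quotes and other metacharacters are rejected outright instead
// of being concatenated into a command. Formats are approximations assumed
// for the example, not Skype's documented rules.
const SKYPE_NAME_RE = /^[A-Za-z][A-Za-z0-9._-]{5,31}$/;
const PHONE_NUMBER_RE = /^\+?[0-9]{3,15}$/;

function isValidCallTarget(target) {
  return typeof target === "string" &&
    (SKYPE_NAME_RE.test(target) || PHONE_NUMBER_RE.test(target));
}

// Constructed sample feed description (not real feed data) mixing benign
// markup with the iframe/data:, event-handler, javascript: and XBL classes.
const SAMPLE_DESCRIPTION =
  "<p>Release notes <b>v1.2</b></p>" +
  '<iframe src="data:text/html;base64,base64payloadhere"></iframe>' +
  "<img src='http://example.com/a.jpg' onload='stealPasswords()'>" +
  '<a href="javascript:alert(1)" style="-moz-binding:url(data:text/xml,x)">link</a>';

function sanitizedSample() {
  return sanitizeHtml(SAMPLE_DESCRIPTION);
}

console.log(sanitizedSample());
// → <p>Release notes <b>v1.2</b></p><img src="http://example.com/a.jpg"><a>link</a>
```

The design point is that the sanitiser never tries to recognise bad input: anything not on the allowlist is dropped, and URI values are judged by parsing them, not by searching for a bad prefix, which is what defeats the whitespace and tab variants of javascript:. The nsIScriptableUnescapeHTML.parseFragment() check on slide 19 is the in-browser counterpart of this idea: it asks whether the extension runs untrusted markup through Mozilla's sanitising parser at all, or relies on a blacklist of its own.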
  • 36. Security Disclosure
      Security disclosure is a new process to extension developers/vendors
      – Security is underestimated/not understood.
      – Few posts regarding security vulnerabilities in Firefox extensions on security mailing lists such as Full Disclosure.
      – Mozilla security team can now be queried for bugs found in extensions.
  • 37. Recommendations
      – Developers:
        • Follow the OWASP developer’s guide
        • Read code of similar extensions for ideas on avoiding common bugs
      – Security professionals:
        • Adhere to the OWASP testing guide and our presentation
        • Watch for publications for new ideas on breaking extensions
      – End-users:
        • Don’t trust extensions!
        • Examine changelogs for security issues / Bugzilla
        • Update addons (after checking the above)
        • Consider using Safe Mode (disables all extensions)
  • 38. Thanks!
      Roberto.suggi@security-assessment.com
      Nick.freeman@security-assessment.com
  • 39. References
      – Research and publications on the topic
        • Extensible Web Browser Security - Mike Ter Louw, Jin Soon Lim, and V.N. Venkatakrishnan
          – http://www.mike.tl/view/Research/ExtensibleWebBrowserSecurity
        • Bachelor thesis on Firefox extension security - Julian Verdurmen
          – http://jverdurmen.ruhosting.nl/BachelorThesis-Firefox-extension-security.html
        • Attacking Rich Internet Applications (kuza55, Stefano Di Paola)
          – http://www.ruxcon.org.au/files/2008/Attacking_Rich_Internet_Applications.pdf
  • 40. References
      • Firebug – Petko D. Petkov, Thor Larholm, 06 April 2007
        – http://larholm.com/2007/04/06/0day-vulnerability-in-firebug/
        – http://www.gnucitizen.org/blog/firebug-goes-evil/
      • Tamper Data XSS - Roee Hay – 27 Jul 2008
        – http://blog.watchfire.com/wfblog/2008/07/tamper-data-cro.html
      • GreaseMonkey – ISS – 21 Jul 2005
        – http://xforce.iss.net/xforce/xfdb/21453
      • Sage RSS Reader (pdp & David Kierznowski)
        – http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/
      • Sage Disclosure:
        – https://www.mozdev.org/bugs/show_bug.cgi?id=20610
  • 41. References
      – CoolPreviews
        • http://www.security-assessment.com/files/advisories/CoolPreviews_Firefox_Extension_Security_Advisory.pdf
      – Update Scanner
        • http://www.security-assessment.com/files/advisories/CoolPreviews_Firefox_Extension_Security_Advisory.pdf
      – ScribeFire
        • http://www.security-assessment.com/files/advisories/ScribeFire_Firefox_Extension_Privileged_Code_Injection.pdf
  • 42. References
      – Feed Sidebar
        • http://www.security-assessment.com/files/advisories/ScribeFire_Firefox_Extension_Privileged_Code_Injection.pdf
      – WizzRSS
        • http://www.security-assessment.com/files/advisories/WizzRSS_Firefox_Extension_Privileged_Code_Injection.pdf