Ajin Abraham Vimal Jyothi Engineering College CS101 FORCHSUNG 2014 Abusing Exploiting and Pwning with Firefox Addons.

Page 1: Abusing Exploiting and Pwning with Firefox Addons

Ajin Abraham

Vimal Jyothi Engineering College CS101

FORCHSUNG 2014

Abusing Exploiting and Pwning with Firefox Addons.

Page 2: Abusing Exploiting and Pwning with Firefox Addons

AGENDA

Introduction

Firefox Add-on Structure

Firefox Add-on Security Model

Exploiting the Weakness

Proof of Concept.

Techniques used by attackers for Spreading the Add-on.

Mitigation

Conclusion

Page 3: Abusing Exploiting and Pwning with Firefox Addons

INTRODUCTION

Firefox is an awesome Web Browser.

Second most used browser according to w3schools.

Add-ons make it more awesome.

Firefox supports a variety of languages for add-on development.

JavaScript with XPConnect, XUL, js-ctypes etc.

[Chart: Browser Usage Statistics, comparing Google Chrome, Mozilla Firefox, Internet Explorer, Apple Safari and Opera]

Page 4: Abusing Exploiting and Pwning with Firefox Addons

Add-on Structure

Bare Minimum Requirements for a Firefox Add-on.

Page 5: Abusing Exploiting and Pwning with Firefox Addons

Add-on Structure

chrome.manifest: Registers the location of the contents with the Chrome engine.

overlay.xul: XML User Interface file that defines the GUI.

install.rdf: Gives general information about the add-on.

overlay.js: This file contains the scripts that run in the browser engine.

Page 6: Abusing Exploiting and Pwning with Firefox Addons

Firefox Add-on Security Model

Absolutely no mechanisms to restrict the privileges of add-ons.

Add-on code is fully trusted, with few security checks.

No restrictions on Inter Add-on Communication.

There is no sandboxing or isolation of the running code.

No restrictions on malicious Cross Origin Resource Sharing.

Page 7: Abusing Exploiting and Pwning with Firefox Addons

The Mozilla Platform

Page 8: Abusing Exploiting and Pwning with Firefox Addons

Exploitable Features

Abuse “document.addEventListener();” = Keylogger

Abuse File I/O of XPConnect = Read from a confidential file, Run an executable

Hook scripts into Firefox Engine = Access to everything in the Webpages.

No restrictions of Add-on Privileges = Make changes to files, Grab session data.

Abuse XHR object = Exchange of commands/data between a victim and hacker.

By abusing CORS and WebSocket = DDoS
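For reviewing an add-on before it is installed, the features listed above translate into patterns that can be searched for in the unpacked XPI. The scanner below is an added example, not code from the presentation; the rule names, the sample add-on and its file names are constructed, and it also flags embedded native executables by their magic bytes.

```python
import io
import re
import zipfile

# Capability patterns taken from the features this deck lists as abusable.
RULES = {
    "key-event listener": re.compile(r"addEventListener\(\s*[\"']key(press|down|up)[\"']"),
    "XPConnect file I/O": re.compile(r"nsI(Local)?File\b|nsIFile(Input|Output)Stream"),
    "process execution": re.compile(r"nsIProcess\b|@mozilla\.org/process/util;1"),
    "session store access": re.compile(r"sessionstore\.js"),
    "password file access": re.compile(r"/etc/(passwd|shadow)"),
    "network channel": re.compile(r"\bXMLHttpRequest\b|\bWebSocket\s*\("),
}
# Magic bytes of native executables, which have no place in a script add-on.
EXE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}
SCRIPT_EXT = (".js", ".jsm", ".xul", ".html")

def scan_xpi(data):
    """Return {member_name: sorted findings} for an XPI archive given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            blob = xpi.read(info)
            hits = {"embedded executable (%s)" % kind
                    for magic, kind in EXE_MAGIC.items() if blob.startswith(magic)}
            if info.filename.lower().endswith(SCRIPT_EXT):
                text = blob.decode("utf-8", errors="replace")
                hits.update(name for name, rx in RULES.items() if rx.search(text))
            if hits:
                findings[info.filename] = sorted(hits)
    return findings

def build_sample_xpi():
    """Constructed sample add-on (not from the deck) used to exercise the scanner."""
    overlay = (
        'window.addEventListener("keypress", onKey, true);\n'
        'var f = Components.classes["@mozilla.org/file/local;1"]\n'
        '          .createInstance(Components.interfaces.nsILocalFile);\n'
        'var req = new XMLHttpRequest();\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/content/overlay.js", overlay)
        z.writestr("chrome/content/helper.bin", b"MZ\x90\x00" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for name, hits in scan_xpi(build_sample_xpi()).items():
        print(name, "->", ", ".join(hits))
```

A hit is a prompt for manual review, not a verdict: many legitimate add-ons use XMLHttpRequest or file I/O, while an embedded executable or a key-event listener combined with a network channel deserves a closer look.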

Page 9: Abusing Exploiting and Pwning with Firefox Addons

Remote Keylogger

Platform independent Keylogger add-on.

It is implemented by abusing JavaScript.

It hooks into the browser interface, captures the keystrokes from all the tabs and sends them to a PHP script for processing.

Bypasses anti-keyloggers like KeyScrambler and On Screen Keyboards.

Undetectable against Anti-Virus Solutions.

Page 10: Abusing Exploiting and Pwning with Firefox Addons

Bypassing KeyScrambler

Page 11: Abusing Exploiting and Pwning with Firefox Addons

Executable Dropper & TCP Reverse Shell

We can embed and execute an EXE file from an add-on.

This add-on is embedded with an executable reverse shell.

Here we abuse the Process and Thread management features of XPConnect to execute a reverse shell.

Later an attacker will listen to this reverse TCP connection and execute system commands.

Most AVs won’t detect it, since the executable is packed inside the add-on file.

Page 12: Abusing Exploiting and Pwning with Firefox Addons

Code Sample

Page 13: Abusing Exploiting and Pwning with Firefox Addons

Session Stealer

Firefox has a built-in Session Store feature that saves your session data in a file named "sessionstore.js".

Stealing that file will steal the entire session.

Attacker can upload the “sessionstore.js” file to an FTP account.

AVs won’t detect.

Page 14: Abusing Exploiting and Pwning with Firefox Addons

Linux Password Stealer

Abuse XPConnect and read the Linux Password files (passwd and shadow).

With the XHR object, the content is sent to the remote attacker.

AVs won’t detect.

Page 15: Abusing Exploiting and Pwning with Firefox Addons

Distributed Denial of Service

Abuse the CORS and WebSocket = DDoS

Firefox does not impart any restrictions on Cross Domain requests.

WebSocket --> numerous Socket connections.

XHR Object --> numerous GET requests with a fake parameter and random values.

'Access-Control-Allow-Origin' header bypassed.

Zero Detection.

Page 16: Abusing Exploiting and Pwning with Firefox Addons

Code Sample

Page 17: Abusing Exploiting and Pwning with Firefox Addons

Techniques Used By Attackers for Spreading

Crafted webpage with add-on installation as the minimum requirement

Social Engineering

Cross Site Scripting

Tabnabbing

Page 18: Abusing Exploiting and Pwning with Firefox Addons

Mitigation

Never trust 3rd party add-ons.

Update Firefox to latest stable build.

Keep good, regularly updated Anti-Virus & Firewall solutions.

Keylogger Beater Add-on

Reverse and analyze the code.

Disable Session data storing in Firefox.

about:config => browser.sessionstore.resume_from_crash => false

Don’t run Firefox with root privilege.

Use a safe and configured proxy to block reverse TCP and FTP connections.

The DDoS attempts can be effectively blocked by analyzing, restricting, and filtering the CORS Origin header.
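One way to do the Origin analysis recommended here, as an added example that is not from the presentation: it flags Origin/path pairs sending many GETs in which one parameter carries a different value almost every time, the request pattern described on the DDoS slide. The record layout, the allowlist, the thresholds and the sample records are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumption: the site's own origins
MIN_REQUESTS = 5        # assumption: ignore (origin, path) pairs with less traffic
MIN_UNIQUE_RATIO = 0.9  # assumption: share of distinct values that looks random


def suspicious_origins(records):
    """records: iterable of (method, url, origin_header_or_None).

    Returns {(origin, path): parameter} where one query parameter takes a
    near-unique value on every GET, a sign of cache-busting flood traffic.
    """
    values = defaultdict(lambda: defaultdict(list))
    for method, url, origin in records:
        if method != "GET" or origin in ALLOWED_ORIGINS:
            continue
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            values[(origin or "-", parts.path)][name].append(value)
    flagged = {}
    for key, params in values.items():
        for name, seen in sorted(params.items()):
            if len(seen) >= MIN_REQUESTS and len(set(seen)) / len(seen) >= MIN_UNIQUE_RATIO:
                flagged[key] = name
                break
    return flagged


# Constructed log records (not real traffic).
SAMPLE = [("GET", "/search?q=shoes&page=%d" % (i % 2), "https://app.example.com") for i in range(6)]
SAMPLE += [("GET", "/index.php?x=%08x" % (i * 2654435761 % 2**32), "http://unrelated.example.org")
           for i in range(8)]
SAMPLE += [("GET", "/index.php?lang=en", "https://partner.example.net") for _ in range(8)]

if __name__ == "__main__":
    for (origin, path), param in suspicious_origins(SAMPLE).items():
        print("block candidate:", origin, path, "random parameter:", param)
```

Legitimate cache-busting parameters match the same rule, so treat hits as candidates for rate limiting or Origin filtering rather than as proof of abuse.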

Page 19: Abusing Exploiting and Pwning with Firefox Addons

Conclusion

Firefox is a great platform with wonderful capabilities to start coding; the same applies to abusing it too.

So I have demonstrated the weakness of the Firefox Security Architecture with the PoC add-ons.

AVs are helpless and filters are bypassed.

Now it's the part of the AVs and the Firefox Team to make your browsing environment more secure.

Page 20: Abusing Exploiting and Pwning with Firefox Addons

Thank You

Ajin Abraham

http://opensecurity.in

There’s no such thing as a “safe system” – only safer systems.