Firefox security (prasanna)
Speaker notes
  • XPConnect is the scripting front end to the underlying XPCOM interfaces
  • Introduction to extensions
  • Discuss about Z:\\

Transcript

    • 1. Firefox (in)Security
      Prasanna K
      Dead Pixel

    • 2. What & Who
      This presentation demonstrates the strengths of the Mozilla platform and how some of its features could be misused by malicious users.
      This presentation is intended to dispel a common myth: "Just using FIREFOX keeps you SECURE".

    • 3. Agenda
      Basic premise
      Understanding the Mozilla Platform
      Attacking Firefox
        Malicious Extensions
        XCS
      Some basic points to watch...
      That's All Folks...

    • 4. Introduction
      Browser of choice for millions
    • 5. Multi-platform
    • 6. Modular and scalable!
    • 7. Pluggable extension code!
    • 8. Browser of my choice
      Mozilla Platform

    • 9. Mozilla Platform
      Chrome: it could be used to indicate a "Special Trusted Zone" within the Mozilla Platform.

    • 10. Mozilla Platform
      XUL (pronounced "zool"): Mozilla's XML-based language that lets you build feature-rich cross-platform applications that can run connected or disconnected from the Internet.

        <?xml version="1.0"?>
        <?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
        <window id="vbox example" title="Example 3...."
                xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
          <vbox>
            <button id="yes" label="Yes"/>
            <button id="no" label="No"/>
            <button id="maybe" label="Maybe"/>
          </vbox>
        </window>

    • 11. Mozilla Platform
      XBL: XML-based markup language used to declare the behavior and look of XUL widgets and XML elements.

        scrollbar { -moz-binding: url('somefile.xml#binding1'); }

      -- "binding1" is the id of the binding.

    • 12. Mozilla Platform
      XPCOM: cross-platform component model from Mozilla; the nerve center of the Mozilla platform.
      XPCOM has some similarity to CORBA and Microsoft COM.

    • 13. Important Components of Mozilla Platform

    • 14. Mozilla Platform

    • 15. Extension Installation – Mozilla Site
      Reviewed before being added to the Mozilla site.
    • 16. Review process is manual; lapses have been found.
    • 17. Over 2 billion add-ons as of today and growing.
    • 18. Add-ons can be distributed through Mozilla without review as well.
      https://addons.mozilla.org/en-US/firefox/addon/2230/

    • 19. Extension Installation – How else?
      There is no restriction on any site hosting Mozilla extensions (XPI files).
    • 20. When installing from any site Mozilla pops a warning, but the same message appears on the official site (confusing!).
    • 21. Extensions can be installed without warning by other software, USB autorun, login scripts etc.
      Extension Installation – Alternate Method
      Place a file in the extensions folder in the Mozilla profile directory.
    • 22. The filename should be the id of the extension to be loaded.
    • 23. The content of the file should be the location of the extension code.
      Beware: when this file exists in the folder, the extension is installed automatically; it does not require any human interaction.

    • 24. Extension Security!
      Mozilla's extension security model is completely flat.
      Extension code is treated as fully privileged by Firefox.
      Vulnerabilities in extension code can result in full system compromise.
      No security boundaries between extensions: an extension can silently modify/alter other extensions.

    • 25. The Potential
      Statistics – Firefox browser market share: beyond 20% globally since November 2008, more than 50% in certain regions/countries.
      Source: Marketshare - marketshare.hitslink.com
      Over 2 billion add-ons and growing.

    • 26. Extensions are Everywhere

    • 27. Concerns on AMO
      Everyone can write an extension and submit it to AMO (even us).
      The AMO review process lacks a complete security assessment.
      Few extensions on AMO are signed. Extensions are generally not "signed". Users trust unsigned extensions.
      Experimental extensions (not approved yet) are publicly available.

    • 28. This sums it up

    • 29. Extension and Malware
      Some people have already exploited this concept.
      FormSpy - 2006: Downloader-AXM Trojan, poses as the legitimate NumberedLinks 0.9 extension. Steals passwords, credit card numbers, and e-banking login details.
      Firestarterfox - 2008: hijacks all search requests through multiple search engines and redirects them through the Russian site thebestwebsearch.net.
      Vietnamese Language Pack - 2008: shipped with adware.
      Might happen in the near future...
      Malware authors bribe/hack a famous/recommended extension developer/vendor.
      Initially benign extension; malware is introduced in a 3rd/4th update.

    • 30. Attacking Firefox!
      Now that we have seen the basic architecture & problem, let's have some fun.

    • 31. Anatomy of an Extension
      These are the components of every extension. They are archived together into the XPI file format.
      Sample files inside an XPI file:

        exampleExt.xpi:
          /install.rdf
          /chrome.manifest
          /chrome/
          /chrome/content/
          /browser.xul
          /browser.js

    • 32. Malicious Extensions
      We will build a malicious extension which will:
      Log all keystrokes and send them remotely
      Execute native code
      Extract stored passwords
      Add a malicious site to the NoScript whitelist
      DEMO

    • 33. Interesting Finds
      In the course of making this presentation I found some interesting things.

    • 34. XCS (Cross Context Switching)
      Cross Context Switching is the art of injecting malicious content into the trusted Chrome Zone.
    • 35. XCS injections occur from the untrusted to the trusted zone.
    • 36. PDP was the first person to exploit XCS.
      Attacking Event & DOM Handlers
      Event handlers implement element properties, attributes and behavior.
    • 37. DOM nodes, when dragged and dropped, move the properties, attributes and behavior.
    • 38. An extension that trusts DOM content can be subverted by providing malicious content.
    • 39. The createEvent() DOM function can be used to send malicious content to the extension.
      DEMO

    • 40. Bypassing Wrappers
      Multiple wrappers exist in Firefox and are used to protect privileged interfaces, functions and objects.
    • 41. wrappedJSObject can be used to strip the wrapper protection.
      DEMO

    • 42. What Can We Look For?
      Suspicious single file(s) in the extension folder.
      XPIs are archives - they can be unzipped and checked for any packaged executables.
      Check the install.rdf for common pitfalls, mainly <em:hidden>.
      Verify chrome.manifest does not point to other extension folders, as it can overwrite functionality.
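As an added example (not part of the slides), a small Python script that applies the checks from this slide to a profile's extensions folder and also flags the proxy files described on the "Alternate Method" slide (a bare file named after an extension id whose content is a path). The function names and the constructed sample profile are assumptions, not Mozilla tooling.

```python
import os
import re
import tempfile
import zipfile
# Hypothetical helper names; the checks follow the "What Can We Look For" slide.
EXEC_EXT = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".scr")

def check_xpi(path):
    """Open an XPI (a zip archive) and apply the executable / install.rdf / chrome.manifest checks."""
    base, findings = os.path.basename(path), []
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        for n in names:  # native executables packaged inside the archive
            if n.lower().endswith(EXEC_EXT):
                findings.append(f"{base}: packaged executable {n}")
        if "install.rdf" in names:  # <em:hidden> hides the add-on from the Add-ons manager
            rdf = z.read("install.rdf").decode("utf-8", "replace")
            if re.search(r"<em:hidden>\s*true\s*</em:hidden>", rdf, re.I):
                findings.append(f"{base}: install.rdf sets <em:hidden>true")
        if "chrome.manifest" in names:  # registrations that reach outside the extension's own tree
            for line in z.read("chrome.manifest").decode("utf-8", "replace").splitlines():
                parts = line.split()
                if len(parts) >= 3 and (".." in parts[-1] or os.path.isabs(parts[-1])):
                    findings.append(f"{base}: chrome.manifest points outside extension: {line.strip()}")
    return findings

def scan_extensions_dir(ext_dir):
    """Walk a profile's extensions folder: XPIs get check_xpi(), bare files are reported as proxy files."""
    findings = []
    for name in sorted(os.listdir(ext_dir)):
        full = os.path.join(ext_dir, name)
        if zipfile.is_zipfile(full):
            findings.extend(check_xpi(full))
        elif os.path.isfile(full):
            # proxy file: the name is the extension id, the content is where the code is loaded from
            with open(full, encoding="utf-8", errors="replace") as f:
                findings.append(f"proxy file {name} -> loads code from {f.read().strip()}")
    return findings

def build_sample_profile():
    """Constructed sample (assumption): one proxy file and one XPI that trips all three checks."""
    ext_dir = tempfile.mkdtemp()
    with open(os.path.join(ext_dir, "{sample-id@example.invalid}"), "w") as f:
        f.write("/tmp/sample-ext-dir\n")
    with zipfile.ZipFile(os.path.join(ext_dir, "sample.xpi"), "w") as z:
        z.writestr("install.rdf", "<RDF><em:hidden>true</em:hidden></RDF>")
        z.writestr("chrome.manifest", "content sample ../other-ext/chrome/content/\n")
        z.writestr("chrome/content/helper.exe", b"MZ")
    return ext_dir
```

Point scan_extensions_dir() at a real profile's extensions folder to get the same kind of report; unpacked extension directories are skipped.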
    • 43. What Should a Developer Do?
      That's a whole presentation by itself.
      Don't bypass wrappers.
      Don't trust content from the untrusted context.
      Don't use eval().
      Follow this link: https://developer.mozilla.org/en/Security_best_practices_in_extensions

    • 44. Tools
      Firebug
      XULWebDeveloper
      XPComViewer
      Venkman
      Console2
      Burp

    • 45. Last Words
      We discussed some ways to subvert the Mozilla Platform.
      This list is not by any means exhaustive.
      There are some strategies like sandboxes which can be bypassed.
      New features like themes open new avenues!
      Last, Mozilla is a secure platform but can be made to do lots of tricks... so some care should be taken.

    • 46. Questions

    • 47. Thank You
      prasanna@deadpixel.org
