Abusing Exploiting and Pwning with Firefox Addons

Published in: Internet

  1. Ajin Abraham, Vimal Jyothi Engineering College. CS101 FORCHSUNG 2014. Abusing Exploiting and Pwning with Firefox Addons.
  2. AGENDA
     • Introduction
     • Firefox Add-on Structure
     • Firefox Add-on Security Model
     • Exploiting the Weakness
     • Proof of Concept
     • Techniques used by attackers for Spreading the Add-on
     • Mitigation
     • Conclusion
  3. INTRODUCTION
     • Firefox is an awesome Web Browser.
     • Second most used browser according to w3schools.
     • Add-ons make it more awesome.
     • Firefox supports a variety of languages for add-on development.
     • JavaScript with XPConnect, XUL, js-ctypes etc.
     [Chart: Browser Usage Statistics (Google Chrome, Mozilla Firefox, Internet Explorer, Apple Safari, Opera)]
  4. Add-on Structure: Bare Minimum Requirements for a Firefox Add-on.
  5. Add-on Structure
     • chrome.manifest: Registers the location of the contents with the Chrome engine.
     • overlay.xul: XML User Interface file that defines the GUI.
     • install.rdf: Gives general information about the add-on.
     • overlay.js: Contains the scripts that run in the browser engine.
  6. Firefox Add-on Security Model
     • Absolutely no mechanisms to restrict the privileges of an add-on.
     • Add-on code is fully trusted, with not many security checks.
     • No restrictions on Inter Add-on Communication.
     • There is no sandboxing or isolation of the running code.
     • No restrictions on malicious Cross Origin Resource Sharing.
  7. The Mozilla Platform
  8. Exploitable Features
     • Abuse “document.addEventListener();” = Keylogger
     • Abuse File I/O of XPConnect = Read from a confidential file, Run an executable
     • Hook scripts into Firefox Engine = Access to everything in the Webpages.
     • No restrictions of Add-on Privileges = Make changes to files, Grab session data.
     • Abuse XHR object = Exchange of commands/data between a victim and hacker.
     • By abusing CORS and WebSocket = DDoS
  9. Remote Keylogger
     • Platform independent Keylogger add-on.
     • It is implemented by abusing JavaScript.
     • It hooks into the browser interface, captures the keystrokes from all the tabs and sends them to a PHP script for processing.
     • Bypasses anti-keyloggers like KeyScrambler and On Screen Keyboards.
     • Undetectable against Anti-Virus Solutions.
  10. Bypassing KeyScrambler
  11. Executable Dropper & TCP Reverse Shell
     • We can embed and execute an EXE file from an add-on.
     • This add-on is embedded with an executable reverse shell.
     • Here we abuse the Process and Thread management features of XPConnect to execute a reverse shell.
     • Later an attacker will listen to this reverse TCP connection and execute system commands.
     • Most AVs won’t detect it since the executable is packed inside the Add-on file.
  12. Code Sample
  13. Session Stealer
     • Firefox has a built-in Session Store feature that saves your session data in a file named "sessionstore.js".
     • Stealing that file will steal the entire session.
     • Attacker can upload the “sessionstore.js” file to an FTP account.
     • AVs won’t detect.
  14. Linux Password Stealer
     • Abuse XPConnect and read the Linux Password files (passwd and shadow).
     • With the XHR Object the content is sent to the remote attacker.
     • AVs won’t detect.
  15. Distributed Denial of Service
     • Abuse the CORS and WebSocket = DDoS
     • Firefox does not impose any restrictions on Cross Domain requests.
     • WebSocket --> numerous Socket connections.
     • XHR Object --> numerous GET requests with a fake parameter and random values.
     • 'Access-Control-Allow-Origin' header bypassed.
     • Zero Detection.
  16. Code Sample
  17. Techniques Used By Attackers for Spreading
     • Crafted webpage with add-on installation as the minimum requirement
     • Social Engineering
     • Cross Site Scripting
     • Tabnabbing
  18. Mitigation
     • Never trust 3rd party add-ons.
     • Update Firefox to the latest stable build.
     • Keep a good and regularly updated Anti-Virus & Firewall solution.
     • Keylogger Beater Add-on
     • Reverse and analyze the code.
     • Disable Session data storing in Firefox: about:config => browser.sessionstore.resume_from_crash => false
     • Don’t run Firefox with root privilege.
     • Use a safe and configured proxy to block reverse TCP and FTP connections.
     • The DDoS attempts can be effectively blocked by analyzing, restricting, and filtering the CORS Origin header.
  19. Conclusion
     • Firefox is a great platform with wonderful capabilities to start coding; the same applies to abusing it too.
     • So I have demonstrated the weakness of the Firefox Security Architecture with the POC Add-ons.
     • AVs are helpless and Filters are Bypassed.
     • Now it's up to the AVs and the Firefox Team to make your browsing environment more secure.
  20. Thank You
     Ajin Abraham, ajin25@gmail.com, http://opensecurity.in
     There’s no such thing as a “safe system” – only safer systems.
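
The "Reverse and analyze the code" mitigation on slide 18 can begin with a static pass over the add-on package before it is installed. The Python scanner below is an added example, not code from the original slides: it opens an XPI (a zip archive) and flags the constructs slide 8 lists as exploitable, plus embedded executables as described on slide 11. The function names, the rule set and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Risky constructs named in the slides, mapped to the abuse each one enables.
RULES = {
    "key event listener (keylogging)": re.compile(r"addEventListener\(\s*['\"]key(press|down|up)['\"]"),
    "XPConnect file I/O": re.compile(r"@mozilla\.org/file/local;1|nsILocalFile|nsIFile\b"),
    "XPConnect process launch": re.compile(r"@mozilla\.org/process/util;1|nsIProcess"),
    "session store access": re.compile(r"sessionstore\.js"),
    "outbound XHR/WebSocket": re.compile(r"XMLHttpRequest|new\s+WebSocket\("),
}
SCRIPT_EXT = (".js", ".jsm", ".xul", ".xml", ".html")


def scan_xpi(data: bytes) -> dict:
    """Return {member name: sorted list of findings} for an XPI given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            body = xpi.read(info)
            hits = set()
            # Windows PE or Linux ELF magic: a binary packed inside the add-on.
            if body[:2] == b"MZ" or body[:4] == b"\x7fELF":
                hits.add("embedded executable")
            if info.filename.lower().endswith(SCRIPT_EXT):
                text = body.decode("utf-8", errors="replace")
                hits.update(name for name, rx in RULES.items() if rx.search(text))
            if hits:
                findings[info.filename] = sorted(hits)
    return findings


def build_sample_xpi() -> bytes:
    """Constructed sample: fragments that trip the rules, not a working add-on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome.manifest", "content sample chrome/content/\n")
        z.writestr("chrome/content/overlay.js",
                   'document.addEventListener("keypress", onKey, true);\n'
                   'var p = Components.classes["@mozilla.org/process/util;1"];\n')
        z.writestr("chrome/content/helper.bin", b"MZ\x90\x00constructed-bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_xpi(build_sample_xpi()).items():
        print(member, "->", ", ".join(hits))
```

Pattern hits are triage leads, not verdicts: legitimate add-ons also use XHR and file I/O, so each flagged file still needs manual review.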
