This presentation demonstrates how the Mozilla Firefox platform could potentially be misused through malicious extensions or cross-context switching attacks. It discusses the modular and pluggable nature of Firefox extensions, and shows how extensions can be installed without review and gain full system privileges. The presentation then demonstrates attacks like keylogging, executing native code, and extracting passwords by building a malicious extension. It also explores techniques like cross-context switching and event handler attacks to subvert extension security. Developers are advised to follow security best practices to avoid these kinds of issues in their own extensions.

1. Firefox (in)SecurityPrasanna K Dead Pixel

2. What & Who This presentation demonstrates strength of the Mozilla platform and how some of the features could be misused by malicious users. This presentation is intended to dispel a common mythJust using FIREFOX keeps you SECURE

3. AgendaBasic premiseUnderstanding the Mozilla PlatformAttacking Firefox Malicious Extensions XCSSome basic points to watch….That’s All Folks …

4. IntroductionBrowser of the choice for millions

5. Multi Platform

6. Modular and Scalable !

7. Pluggable Extension Code !

8. Browser of my Choice Mozilla Platform

9. Mozilla Platform Chrome: It could be used to indicate a “Special Trusted Zone” within the Mozilla Platform

10. Mozilla Platform XUL (pronounced "zool") : Mozilla's XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet. <?xml version="1.0"?><?xml-stylesheethref="chrome://global/skin/" type="text/css"?><window id="vbox example" title="Example 3...."xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <vbox> <button id="yes" label="Yes"/> <button id="no" label="No"/> <button id="maybe" label="Maybe"/> </vbox></window>

11. Mozilla Platform XBL:XML-based markup language used to declare the behavior and look of XUL-widgets and XML elements.scrollbar { -moz-binding: url('somefile.xml#binding1'); }-- “binding1” is the id of the binding

12. Mozilla Platform XPCOM:Cross platform component model from Mozilla.Nerve center of the Mozilla platform.XPCOM has some Similarity to CORBA and Microsoft COM.

13. Important Components of Mozilla Platform

14. Mozilla Platform

15. Extension Installation – Mozilla SiteReviewed before being added to the Mozilla site.

16. Review process is manual lapses have been found

17. Over 2 billion add-ons as of today and growing

18. Add-ons can be distributed through Mozilla without review as wellhttps://addons.mozilla.org/en-US/firefox/addon/2230/

19. Extension Installation – How else?There is no restriction on any site hosting Mozilla extensions (XPI files)

20. When installing from any site Mozilla pops a warning but the same message appears on the official site (confusing!).

21. Extensions can be installed without warning by other software, USB autorun, login scripts etc. Extension Installation – Alternate MethodPlace a file in the extensions folder in the Mozilla profile directory.

22. The filename should be the id of the extension to be loaded

23. The content of the file should be the location of the extension codeBeware: When this file exists in the folder the extensions is installed automatically it does not require any human interaction.

24. Extension Security!Mozilla extension security model is completely flatExtension code is treated as fully privilegedby FirefoxVulnerabilities in extension code can result in full system compromiseNo security boundaries between extensions An extension can silently modify/alter other extensions

25. The PotentialStatistics – Firefox Browser Market ShareBeyond 20% globally since November 2008, more than 50% in certain regions/countriesSource: Marketshare - marketshare.hitslink.comOver 2 billion add-ons and growing

26. Extensions are Everywhere

27. Concerns on AMOEveryone can write extension and submit to AMO (even us  )AMO review process lacks complete security assessmentFew extensions signed in AMO. Extensions are generally not “signed”. Users trust unsigned extensions.Experimental extension (not approved yet) are publicly available

28. This sums it up

29. Extension and MalwareSome people have already exploited this conceptFormSpy - 2006Downloader-AXM Trojan, poses as the legitimate NumberedLinks 0.9 extensionSteal passwords, credit card numbers, and e-banking login detailsFirestarterfox - 2008Hijacks all search requests through multiple search engines and redirects them through Russian site thebestwebsearch.netVietnamese Language Pack - 2008Shipped with adwareVietnamese Language Pack - 2008Shipped with adwareMight happen in the near future…Malware authors bribe/hack famous/recommended extension developer/vendorInitial benign extension, malware is introduced in a 3rd/4th update

30. Attacking Firefox !Now that we have seen the basic architecture & problem, let’s have some fun 

31. Anatomy of an ExtensionThese are the components of every extension. They are archived together into the XPI file format.Sample Files inside a XPI fileexampleExt.xpi: /install.rdf /chrome.manifest/chrome/ /chrome/content/ /browser.xul /browser.js

32. Malicious ExtensionsWe will build a malicious extension which will Log all Key Strokes and send them remotelyExecute native codeExtract stored passwords Add a malicious site to the NoScriptwhitelistDEMO

33. Interesting FindsIn the course of making this presentation I found some interesting things