Firefox  (in)Security<br />Prasanna K <br />Dead Pixel<br />
What  & Who <br />This presentation demonstrates strength of the Mozilla platform and  how some of the features could be M...
Firefox<br />Browser of the choice for  millions <br />Multi Platform <br />Modular and Scalable ! <br />Pluggable Extensi...
Agenda<br />Introduction<br />Mozilla Platform<br />Attacking Firefox <br />       Malicious Extensions<br />XCS<br />Some...
Introduction<br />
Extension Security !<br />Mozilla extension security model is non-existent Extension code is fully trusted by Firefox<br /...
Mozilla Platform <br />Chrome: <br />It could be used to indicate a “Special Trusted Zone” within the Mozilla Platform <br />
Mozilla Platform <br />XUL (pronounced "zool") : <br />Mozilla's XML-based language that lets you build feature-rich cross...
Mozilla Platform <br />XBL:<br />XML-based markup language used to declare the behavior and look of XUL-widgets and XML el...
Mozilla Platform <br />XPCOM:<br />Cross platform component model from Mozilla.<br />Nerve center of the Mozilla platform....
Important Components of Mozilla Platform<br />
Mozilla Platform<br />
Attacking Firefox !<br />Now that we have seen the basic Architecture now for some Fun  <br />
Extensions<br />Extensions Add functionality to Firefox, Thunderbird and Sea-monkey.<br />Sample Files inside a XPI file<b...
Malicious Extensions<br />We will build a Malicious Extension which will <br />Log all Key Strokes and Send Remotely<br />...
Interesting Finds<br />In Course of this presentation I found some interesting finds some have been previously discussed b...
XCS<br /><ul><li>Cross Context Scripting is art of injecting malicious content into trusted Chrome Zone.
XCS injections occur from untrusted to trusted zone.
PDP was the first person to exploit XCS. </li></li></ul><li>Attacking Event & DOM Handlers <br /><ul><li>Events Handlers i...
DOM Nodes when Dragged and Dropped move the properties attributes and behavior
A extension that trusts copied DOM content be can be subverted by sending malicious content
CreateEvent() DOM function can be used to send malicious content to the extension</li></ul>DEMO<br />
Bypassing Wrappers<br /><ul><li>Multiple wrappers exist in Firefox and are used to protect privileged interfaces, function...
 wrappedJSObject can be used to strip the wrapper protection.</li></ul>DEMO<br />
XBL Injection <br /><ul><li> Extends the functionality of elements.
When an extension makes use of bindings, elements within the bindings are attached to the invoking page.
Upcoming SlideShare
Loading in …5
×

Firefox (in)Security

810 views

Published on

This is my Presentation on Firefox Security I presented @ ClubHack 2010

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
810
On SlideShare
0
From Embeds
0
Number of Embeds
22
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Xp Connect is the scripting front end to underlying Xpcom interfaces
  • Introduction to extensions
  • Xp Connect is the scripting front end to underlying Xpcom interfaces
  • Discuss about Z:\\
  • Xp Connect is the scripting front end to underlying Xpcom interfaces
  • Firefox (in)Security

    1. 1. Firefox (in)Security<br />Prasanna K <br />Dead Pixel<br />
    2. 2. What & Who <br />This presentation demonstrates strength of the Mozilla platform and how some of the features could be Mis-Used by malicious users. <br />This presentation is intended to dispel a common Myth<br />FIREFOX is SECURE <br />
    3. 3. Firefox<br />Browser of the choice for millions <br />Multi Platform <br />Modular and Scalable ! <br />Pluggable Extension Code ! <br />Browser of my Choice <br />
    4. 4. Agenda<br />Introduction<br />Mozilla Platform<br />Attacking Firefox <br /> Malicious Extensions<br />XCS<br />Some basic points to watch….<br />That’s All Folks …<br />
    5. 5. Introduction<br />
    6. 6. Extension Security !<br />Mozilla extension security model is non-existent Extension code is fully trusted by Firefox<br />Vulnerability in extension code might result in full system compromise<br />No security boundaries between extensions An extension can silently modify/alter another extension<br />
    7. 7. Mozilla Platform <br />Chrome: <br />It could be used to indicate a “Special Trusted Zone” within the Mozilla Platform <br />
    8. 8. Mozilla Platform <br />XUL (pronounced "zool") : <br />Mozilla's XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet. <br /><?xml version="1.0"?><br /><?xml-stylesheethref="chrome://global/skin/" type="text/css"?><br /><window id="vbox example" title="Example 3...."<br />xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"><br /> <vbox><br /> <button id="yes" label="Yes"/><br /> <button id="no" label="No"/><br /> <button id="maybe" label="Maybe"/><br /> </vbox><br /></window><br />
    9. 9. Mozilla Platform <br />XBL:<br />XML-based markup language used to declare the behavior and look of XUL-widgets and XML elements.<br />scrollbar { -moz-binding: url('somefile.xml#binding1'); }<br />-- “binding1” is the id of the binding<br />
    10. 10. Mozilla Platform <br />XPCOM:<br />Cross platform component model from Mozilla.<br />Nerve center of the Mozilla platform.<br />XPCOM has some Similarity to CORBA and Microsoft COM. <br />
    11. 11. Important Components of Mozilla Platform<br />
    12. 12. Mozilla Platform<br />
    13. 13. Attacking Firefox !<br />Now that we have seen the basic Architecture now for some Fun  <br />
    14. 14. Extensions<br />Extensions Add functionality to Firefox, Thunderbird and Sea-monkey.<br />Sample Files inside a XPI file<br />exampleExt.xpi:<br /> /install.rdf <br /> /components/* <br /> /components/cmdline.js <br /> /defaults/<br /> /defaults/preferences/*.js <br /> /plugins/* <br /> /chrome.manifest<br /> /chrome/icons/default/* <br /> /chrome/<br /> /chrome/content/<br />
    15. 15. Malicious Extensions<br />We will build a Malicious Extension which will <br />Log all Key Strokes and Send Remotely<br />Execute Native Code<br />Crack Stored passwords <br />Add malicious site to No Script.<br />DEMO<br />
    16. 16. Interesting Finds<br />In Course of this presentation I found some interesting finds some have been previously discussed but here they are again ! <br />
    17. 17. XCS<br /><ul><li>Cross Context Scripting is art of injecting malicious content into trusted Chrome Zone.
    18. 18. XCS injections occur from untrusted to trusted zone.
    19. 19. PDP was the first person to exploit XCS. </li></li></ul><li>Attacking Event & DOM Handlers <br /><ul><li>Events Handlers implement Element properties attributes and Behavior.
    20. 20. DOM Nodes when Dragged and Dropped move the properties attributes and behavior
    21. 21. A extension that trusts copied DOM content be can be subverted by sending malicious content
    22. 22. CreateEvent() DOM function can be used to send malicious content to the extension</li></ul>DEMO<br />
    23. 23. Bypassing Wrappers<br /><ul><li>Multiple wrappers exist in Firefox and are used to protect privileged interfaces, functions and objects.
    24. 24. wrappedJSObject can be used to strip the wrapper protection.</li></ul>DEMO<br />
    25. 25. XBL Injection <br /><ul><li> Extends the functionality of elements.
    26. 26. When an extension makes use of bindings, elements within the bindings are attached to the invoking page.
    27. 27. CSS plays a role in exploiting XBL</li></ul>DEMO<br />
    28. 28. What Should a END User Mind<br />Suspicious single file(s) in extension folder.<br />XPI are Archives can be un-Zipped and checked for any packaged Executables<br />Check the install.rdf for common pitfalls mainly <em:hidden><br />Verify chrome.manifest does not point to other extension folders as it can overwrite functionality.<br />
    29. 29. What Should a Developer Do. <br />That’s a whole Presentation By itself <br />Don’t Bypass Wrappers <br />Don’t Trust content From the Un-Trusted Domain.<br />Don’t use eval()<br />Follow this link : <br />https://developer.mozilla.org/en/Security_best_practices_in_extensions<br />
    30. 30. Tools<br />Firebug <br />XULWebDeveloper<br />XPComViewer<br />Venkman<br />Console2<br />Burp<br />
    31. 31. Last Words <br />We discussed Some Ways subverting the Mozilla Platform <br />This list is not by any means exhaustive<br />There are some strategies like Sandboxes which can be bypassed<br />New features like themes open new avenues ! <br />HTML 5 would definitely be a point to consider (LavaKumar Speech)<br />Last Mozilla is a secure platform but can easily be exploited …. So some care should be considered. <br />
    32. 32. Questions<br />
    33. 33. Thank You <br />prasanna@deadpixel.org<br />

    ×