This presentation demonstrates how the Mozilla Firefox browser platform could be exploited by malicious extensions. It shows how extensions have full trust and can access and modify other extensions. It then demonstrates attacks like logging keystrokes, executing native code, and cracking passwords. It also discusses cross-context scripting and other techniques like bypassing wrappers and exploiting XML bindings. The presentation recommends steps users and developers can take to help secure the platform like verifying extension files and privileges.

1. Firefox (in)SecurityPrasanna K Dead Pixel

2. What & Who This presentation demonstrates strength of the Mozilla platform and how some of the features could be Mis-Used by malicious users. This presentation is intended to dispel a common MythFIREFOX is SECURE

3. FirefoxBrowser of the choice for millions Multi Platform Modular and Scalable ! Pluggable Extension Code ! Browser of my Choice 

4. AgendaIntroductionMozilla PlatformAttacking Firefox Malicious ExtensionsXCSSome basic points to watch….That’s All Folks …

5. Introduction

6. Extension Security !Mozilla extension security model is non-existent Extension code is fully trusted by FirefoxVulnerability in extension code might result in full system compromiseNo security boundaries between extensions An extension can silently modify/alter another extension

7. Mozilla Platform Chrome: It could be used to indicate a “Special Trusted Zone” within the Mozilla Platform

8. Mozilla Platform XUL (pronounced "zool") : Mozilla's XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet. <?xml version="1.0"?><?xml-stylesheethref="chrome://global/skin/" type="text/css"?><window id="vbox example" title="Example 3...."xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <vbox> <button id="yes" label="Yes"/> <button id="no" label="No"/> <button id="maybe" label="Maybe"/> </vbox></window>

9. Mozilla Platform XBL:XML-based markup language used to declare the behavior and look of XUL-widgets and XML elements.scrollbar { -moz-binding: url('somefile.xml#binding1'); }-- “binding1” is the id of the binding

10. Mozilla Platform XPCOM:Cross platform component model from Mozilla.Nerve center of the Mozilla platform.XPCOM has some Similarity to CORBA and Microsoft COM.

11. Important Components of Mozilla Platform

12. Mozilla Platform

13. Attacking Firefox !Now that we have seen the basic Architecture now for some Fun 

14. ExtensionsExtensions Add functionality to Firefox, Thunderbird and Sea-monkey.Sample Files inside a XPI fileexampleExt.xpi: /install.rdf /components/* /components/cmdline.js /defaults/ /defaults/preferences/*.js /plugins/* /chrome.manifest /chrome/icons/default/* /chrome/ /chrome/content/

15. Malicious ExtensionsWe will build a Malicious Extension which will Log all Key Strokes and Send RemotelyExecute Native CodeCrack Stored passwords Add malicious site to No Script.DEMO

16. Interesting FindsIn Course of this presentation I found some interesting finds some have been previously discussed but here they are again !

17. XCSCross Context Scripting is art of injecting malicious content into trusted Chrome Zone.

18. XCS injections occur from untrusted to trusted zone.

19. PDP was the first person to exploit XCS. Attacking Event & DOM Handlers Events Handlers implement Element properties attributes and Behavior.

20. DOM Nodes when Dragged and Dropped move the properties attributes and behavior

21. A extension that trusts copied DOM content be can be subverted by sending malicious content

22. CreateEvent() DOM function can be used to send malicious content to the extensionDEMO

23. Bypassing WrappersMultiple wrappers exist in Firefox and are used to protect privileged interfaces, functions and objects.

24. wrappedJSObject can be used to strip the wrapper protection.DEMO

25. XBL Injection Extends the functionality of elements.

26. When an extension makes use of bindings, elements within the bindings are attached to the invoking page.