Ajin Abraham
Vimal Jyothi Engineering College
CS101
FORCHSUNG 2014
Abusing, Exploiting and Pwning with Firefox Add-ons
AGENDA
Introduction
Firefox Add-on Structure
Firefox Add-on Security Model
Exploiting the Weakness
Proof of Concept
Techniques used by attackers for spreading the add-on
Mitigation
Conclusion
INTRODUCTION
Firefox is an awesome Web Browser.
Second most used browser according to w3schools.
Add-ons make it more awesome.
Firefox supports a variety of languages for add-on development.
JavaScript with XPConnect, XUL, js-ctypes, etc.
[Chart: Browser Usage Statistics; bars for Google Chrome, Mozilla Firefox, Internet Explorer, Apple Safari and Opera on a 0-50 axis]
Add-on Structure
Bare Minimum Requirements for a Firefox Add-on.
chrome.manifest: Register the location of the contents with the Chrome engine.
overlay.xul: XML User Interface Language (XUL) file that defines the GUI.
install.rdf: Gives general information about the add-on.
overlay.js: This file contains the scripts that run in the browser engine.
Firefox Add-on Security Model
Absolutely no mechanism to restrict the privileges of an add-on.
Add-on code is fully trusted; there are few security checks.
No restrictions on inter-add-on communication.
There is no sandboxing or isolation of the running code.
No restrictions on malicious Cross Origin Resource Sharing.
The Mozilla Platform
Exploitable Features
Abuse “document.addEventListener();” = Keylogger
Abuse File I/O of XPConnect = Read from a confidential file, Run an executable
Hook scripts into Firefox Engine = Access to everything in the Webpages.
No restrictions on add-on privileges = Make changes to files, grab session data.
Abuse XHR object = Exchange of commands/data between a victim and hacker.
By abusing CORS and WebSocket = DDoS
Remote Keylogger
Platform independent Keylogger add-on.
It is implemented by abusing JavaScript.
It hooks into the browser interface, captures the keystrokes from all the tabs and sends them to a PHP script for processing.
Bypasses anti-keyloggers like KeyScrambler and on-screen keyboards.
Undetected by anti-virus solutions.
Bypassing KeyScrambler
Executable Dropper & TCP Reverse Shell
We can embed and execute an EXE file from an add-on.
This add-on is embedded with an executable reverse shell.
Here we abuse the Process and Thread management features of XPConnect to execute a reverse shell.
Later an attacker will listen to this reverse TCP connection and execute system commands.
Most AVs won't detect it, since the executable is packed inside the add-on file.
Code Sample
Session Stealer
Firefox has a built-in Session Store feature that saves your session data in a file named "sessionstore.js".
Stealing that file will steal the entire session.
Attacker can upload the “sessionstore.js” file to an FTP account.
AVs won't detect it.
Linux Password Stealer
Abuse XPConnect and read the Linux Password files (passwd and shadow).
With the XHR object the content is sent to the remote attacker.
AVs won't detect it.
Distributed Denial of Service
Abuse the CORS and WebSocket = DDoS
Firefox does not impose any restrictions on cross-domain requests.
WebSocket --> numerous Socket connections.
XHR Object -->numerous GET requests with a fake parameter and random values.
'Access-Control-Allow-Origin' header bypassed.
Zero Detection.
Code Sample
Techniques Used By Attackers for Spreading
Crafted webpage with add-on installation as the minimum requirement
Social Engineering
Cross Site Scripting
Tabnabbing
Mitigation
Never trust 3rd party add-ons.
Update Firefox to latest stable build.
Keep good, regularly updated anti-virus and firewall solutions.
Keylogger Beater Add-on
Reverse and analyze the code.
Disable Session data storing in Firefox.
about:config => browser.sessionstore.resume_from_crash => false
Don’t run Firefox with root privilege.
Use a safe and properly configured proxy to block reverse TCP and FTP connections.
The DDoS attempts can be effectively blocked by analyzing, restricting, and filtering the CORS Origin header.
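One way to apply the last point above, as an added example that is not from the original slides: a server-side decision function that grants cross-origin access only on an exact Origin allow-list match and counts requests per client so that a flood is rejected even when every request carries an acceptable Origin. The allow-list entry, the limit of 100 requests per 10 seconds and the `decide`/`RateLimiter` names are assumptions for illustration.

```javascript
// Added example, not from the original slides. Implements the mitigation
// "restrict and filter the CORS Origin header": exact allow-list matching
// of the Origin header plus a per-client sliding-window request counter.

// Constructed allow-list; a real deployment loads this from configuration.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Return the CORS response headers for an Origin value, or null when the
// header is missing, is the opaque "null" origin, or is not an exact match.
// Exact matching matters: prefix or regex checks would let
// "https://app.example.com.attacker.test" through.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// Sliding-window counter: a client key (e.g. remote address) may make at
// most `limit` requests in any `windowMs` interval.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  allow(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(key, recent);
    return recent.length <= this.limit;
  }
}

// Assumed policy: 100 requests per 10 s per client.
const limiter = new RateLimiter(100, 10000);

// Decide the response for one request: 429 for a flooding client, 403 for a
// disallowed origin, 200 with CORS headers otherwise. The rate check runs
// first because, as the slides note, add-on requests are not bound by CORS,
// so a valid-looking Origin alone must not be enough to get through.
function decide(origin, clientKey, now = Date.now()) {
  if (!limiter.allow(clientKey, now)) return { status: 429, headers: {} };
  const cors = corsHeadersFor(origin);
  if (cors === null) return { status: 403, headers: {} };
  return { status: 200, headers: cors };
}
```

To mount it with Node's http module, pass `req.headers.origin` and `req.socket.remoteAddress` to `decide` and write the returned status and headers with `res.writeHead`.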
Conclusion
Firefox is a great platform with wonderful capabilities to start coding, and the same applies to abusing it.
I have demonstrated the weaknesses of the Firefox security architecture with the PoC add-ons.
AVs are helpless and filters are bypassed.
Now it is up to the AV vendors and the Firefox team to make your browsing environment more secure.
Thank You
Ajin Abraham, ajin25@gmail.com
http://opensecurity.in
There’s no such thing as a “safe system” – only safer systems.