
Firefox (in)Security

Prasanna K
What & Who

This presentation demonstrates the strength of the Mozilla platform and how some of the features could be misused by malicious users.
This presentation is intended to dispel a common myth: FIREFOX is SECURE

Independent Security Researcher
DeadPixel Group
Enjoy Python and rarely C
That should be enough, right!
Firefox

• Browser of the choice for millions
• Multi Platform
• Modular and Scalable !
• Pluggable Extension Code !
• Browser of my Choice :)
Agenda

• Introduction
• Mozilla Platform
• Attacking Firefox
• Malicious Extensions
• XCS
• Some basic points to watch….
• That’s All Folks …

Introduction
Extension Security !

• Mozilla extension security model is non-existent
  Extension code is fully trusted by Firefox
• Vulnerability in extension code might result in full system compromise
• No security boundaries between extensions
  An extension can silently modify/alter another extension
Mozilla Platform

Chrome:
It could be used to indicate a “Special Trusted Zone” within the
URL Scheme “chrome://”
Mozilla Platform
Extensions are Chrome Packages
XUL, XBL, CSS, JavaScript, DTD, images
Mozilla Platform
XUL (pronounced "zool"):
Mozilla's XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet.
XML User Interface Language
Extension User Interface ....

<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<window id="vbox example" title="Example 3...."
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <vbox>
    <button id="yes" label="Yes"/>
    <button id="no" label="No"/>
    <button id="maybe" label="Maybe"/>
  </vbox>
</window>
Mozilla Platform
XBL:
XML-based markup language used to declare the behavior and look of XUL-widgets and XML elements.
XBL v 2.0
Root Element : <bindings>
Assigned via : "-moz-binding"

scrollbar { -moz-binding: url('somefile.xml#binding1'); }
-- “binding1” is the id of the binding
Mozilla Platform
XPCOM:
Cross platform component model from Mozilla.
Nerve center of the Mozilla platform.
XPCOM has some Similarity to CORBA and Microsoft COM.
Provides Components and classes for “Memory, File…. Etc”
XPCONNECT : JavaScript based glue to connect users and Database
XPCONNECT is the JS frontend to underlying XPCOM
Important Components of Mozilla Platform

Gecko
Necko
Web Services
Open & Common Standards Like LDAP DTD SQL ….. etc
Mozilla Platform
Attacking Firefox !

Now that we have seen the basic Architecture now for some Fun :)

Malicious Extensions
XCS
Bypassing Wrappers
XBL Injection
Attacking XPCOM
Extensions

Extensions Add functionality to Firefox, Thunderbird and SeaMonkey.
Extensions (XPI) = Archive of files
XUL Overlay is way of attaching XUL to existing Firefox XUL
Easily Distributable

Sample Files inside a XPI file

exampleExt.xpi:
  /install.rdf
  /components/*
  /components/cmdline.js
  /defaults/
  /defaults/preferences/*.js
  /plugins/*
  /chrome.manifest
  /chrome/icons/default/*
  /chrome/
  /chrome/content/
Malicious Extensions

We will build a Malicious Extension which will

1. Log all Key Strokes and Send Remotely
2. Execute Native Code
3. Crack Stored passwords
4. Add malicious site to No Script.

DEMO
Interesting Finds

In the course of this presentation I found some interesting finds; some have been previously discussed, but here they are again!

• A single file can install an extension
• If the GUID is the same, the new extension replaces the old
• Most interesting find: an extension can't be hosted on the network, but what about a MAP DRIVE
XCS

• Cross Context Scripting is art of injecting malicious content into trusted Chrome Zone.
• XCS injections occur from untrusted to trusted zone.
• PDP was the first person to exploit XCS.

Attacking Event & DOM Handlers
Bypassing Wrappers
Attacking XBL
Attacking Event & DOM Handlers

• Event handlers implement element properties, attributes and behavior.
• DOM nodes, when dragged and dropped, move the properties, attributes and behavior.
• An extension that trusts copied DOM content can be subverted by sending malicious content.
• The CreateEvent() DOM function can be used to send malicious content to the extension.

DEMO
Bypassing Wrappers

• Multiple wrappers exist in Firefox and are used to protect privileged interfaces, functions and objects.
• wrappedJSObject can be used to strip the wrapper protection.

DEMO
XBL Injection

• Extends the functionality of elements.
• When an extension makes use of bindings, elements within the bindings are attached to the invoking page.
• CSS plays a role in exploiting XBL

DEMO
What Should an End User Mind

• Suspicious single file(s) in the extension folder.
• XPI files are archives; they can be unzipped and checked for any packaged executables.
• Check the install.rdf for common pitfalls, mainly <em:hidden>.
• Verify chrome.manifest does not point to other extension folders, as it can overwrite functionality.
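
The archive checks in this list can be scripted. The Python below is an added example, not part of the original slides: it opens an XPI as a ZIP archive and reports packaged executables, an install.rdf that sets em:hidden, and chrome.manifest locations that resolve outside the package. The function names, the suffix list and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

NATIVE_SUFFIXES = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".sh")
NATIVE_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF headers, catches renamed binaries
LOCATION_FIELD = {"content": 2, "skin": 3, "locale": 3}  # chrome.manifest columns

def check_manifest(text):
    """Flag chrome.manifest locations that resolve outside the package."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        idx = LOCATION_FIELD.get(parts[0]) if parts else None
        if idx is None or len(parts) <= idx:
            continue
        loc = parts[idx]
        if ".." in loc or loc.startswith(("/", "file:")) or re.match(r"[A-Za-z]:[\\/]", loc):
            hits.append(f"chrome.manifest points outside package: {loc}")
    return hits

def audit_xpi(data):
    """Return findings for an XPI (a ZIP archive) supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for name in xpi.namelist():
            body, lower = xpi.read(name), name.lower()
            if lower.endswith(NATIVE_SUFFIXES) or body.startswith(NATIVE_MAGIC):
                findings.append(f"packaged executable: {name}")
            text = body.decode("utf-8", "replace")
            if lower == "install.rdf" and re.search(r"<em:hidden>\s*true", text, re.I):
                findings.append("install.rdf sets em:hidden")
            if lower == "chrome.manifest":
                findings.extend(check_manifest(text))
    return findings

def build_sample_xpi():
    """Constructed sample archive; every name and value here is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF><Description><em:hidden>true</em:hidden></Description></RDF>")
        z.writestr("chrome.manifest", "content sample chrome/content/\ncontent other ../other-ext/chrome/content/\n")
        z.writestr("components/helper.dat", b"MZ\x90\x00constructed")
        z.writestr("chrome/content/overlay.js", "// benign placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_xpi(build_sample_xpi()):
        print(finding)
```

To audit a real file, pass its bytes to `audit_xpi`; the first checklist item (stray single files in the profile's extension folder) is outside what an archive scan can see.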
What Should a Developer Do.

• That’s a whole Presentation By itself
• Don’t Bypass Wrappers
• Don’t Trust content From the Un-Trusted Domain.
• Don’t use eval()
• Follow this link :
  https://developer.mozilla.org/en/Security_best_practices_in_extensions
Tools

• Firebug
• XULWebDeveloper
• XPComViewer
• Venkman
• Console2
• Burp
Last Words

• We discussed some ways of subverting the Mozilla Platform
• This list is not by any means exhaustive
• There are some strategies like Sandboxes which can be bypassed
• New features like themes open new avenues !
• HTML 5 would definitely be a point to consider (LavaKumar Speech)
• Lastly, Mozilla is a secure platform but can easily be exploited …. So some care should be taken.
Questions
Thank You

prasanna@deadpixel.org
