Abusing Firefox Addons

Talk about internet security, computer security, personal security, your social security number...
Post Reply
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Abusing Firefox Addons

Post by mik33mik » Tue May 26, 2009 6:10 pm

Defcon 17

Abusing Firefox Addons
Roberto Suggi Liverani Senior Security Consultant, Security-Assessment.com
Nick Freeman Security Consultant, Security-Assessment.com

Hundreds of Firefox addons are created every week. Millions of users download them. Some addons are even recommended by the Mozilla community, and users implicitly trust them. We don't trust a single one, and we will show you why.

This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. From the Mozilla download statistics, over 15 million users are potentially affected. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.

Don't panic - the Addons manager can be found under the 'Tools' tab in your Firefox menu. We expect to see a lot of people clicking the "Uninstall" button after this presentation.

Roberto Suggi Liverani is a senior security consultant for Security-Assessment.com. He is the founder and leader of the OWASP (Open Web Application Security Project) in New Zealand. Roberto has worked with companies such as Google, Oracle and Opera by reporting and helping to fix security vulnerabilities in their products. Roberto is the co-author of the most recent OWASP Testing Guide and has spoken at various security conferences around the globe.

Nick Freeman is a security consultant at Security-Assessment.com, based in Auckland, New Zealand. After a couple of years of building systems for companies he has turned to breaking them instead, and spends his spare time searching for shells and the ultimate combination of whisky and bacon.


:shock:
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Abusing Firefox Addons

Post by Giorgio Maone » Tue May 26, 2009 8:42 pm

This is not a surprise.
It already happened, e.g. with GreaseMonkey and Firebug.
Add-ons are allmighty in the browser, therefore coding them in a secure way is not a trivial task.

That's one of the reasons why Mozilla recently launched Jetpack, a simplified and sandboxed platform allowing fast development of less-powered extensions (like GreaseMonkey scripts with UI, or the initial Chrome extension proposal).

More complex extensions like NoScript, or those which need to interact with the underlying system like FlashGot, still need the "old" model, though, and do need to be coded more carefully.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Abusing Firefox Addons

Post by GµårÐïåñ » Tue May 26, 2009 9:47 pm

This is nothing new and that's why most will look at the source and see what it does and how before trusting it blindly. I don't trust the AMO recommended at all, since it often promotes extensions that have not been updated for a long time or have bad reviews against them or lack support. I have expressed this to them but they don't care, they don't even reply. The are working on the model of Fee = Crap = We Don't Care and this is why the reviews can be abused and violate policy and no one does anything. Now I know its volunteer based and this and that but the fact is that they are happy to put their name on it but won't take any steps to protect it, simply put it comes to the user to do.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Abusing Firefox Addons

Post by Tom T. » Wed May 27, 2009 3:46 am

GµårÐïåñ wrote:This is nothing new and that's why most will look at the source and see what it does and how before trusting it blindly.

GµårÐïåñ, please keep in mind that most users' knowledge is a grain of sand on the beach compared to your education, experience, and knowledge. I sincerely doubt that very many users look through the source code of every add-on they install. I certainly didn't look through NS's 25-50,000 lines (SWAG) or 1.4 MB of code before installing. Articles in tech magazines and the subsequent support of the United States Department of Homeland Security's Computer Emergency Readiness Team gave me full confidence in this program and its developer long before I got to know him. That is about the best most of us can do.
I don't trust the AMO recommended at all, since it often promotes extensions that have not been updated for a long time or have bad reviews against them

OTOH, I can think of a "certain" add-on that was spammed with negative reviews from one sector. Reviews can be helpful, but those, too, you have to vet yourself as to credibility of the poster, etc.
but the fact is that they are happy to put their name on it but won't take any steps to protect it, simply put it comes to the user to do.

But just the other day, Alan pointed out the lag in latest stable build of NS on NS home page and the time lag to have it on AMO, saying that a trusted AMO editor had to review it first. Can you square this discrepancy for me, please? TIA as always.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Abusing Firefox Addons

Post by GµårÐïåñ » Wed May 27, 2009 5:34 am

Tom T. wrote:GµårÐïåñ, please keep in mind that most users' knowledge is a grain of sand on the beach compared to your education, experience, and knowledge. I sincerely doubt that very many users look through the source code of every add-on they install. I certainly didn't look through NS's 25-50,000 lines (SWAG) or 1.4 MB of code before installing. Articles in tech magazines and the subsequent support of the United States Department of Homeland Security's Computer Emergency Readiness Team gave me full confidence in this program and its developer long before I got to know him. That is about the best most of us can do.


I am sorry, I didn't mean it to come across as is sounded. I meant that when enough people like me do it, it will ultimately expose it for the users who have less knowledge of it. Granted, most of the reason I do it is because I am anal retentive paranoid SOB, but it does ultimately end up serving others because most of us also don't keep quite when we find something. Especially if we go to the developer and ask them and they DON'T fix it right away and make it right. You remember our private M$ conversation, right? If they fix it, there is no issue but when they don't, then a more public nudge is needed to demonstrate resolve.

OTOH, I can think of a "certain" add-on that was spammed with negative reviews from one sector. Reviews can be helpful, but those, too, you have to vet yourself as to credibility of the poster, etc.


Believe it or not the whole negative and FUD campaign against NS was the straw that broke the camel's back for me. I vet everything for myself you know that but as you mentioned the less experienced users, a company like Mozilla blindly puts their seal of approval on it, and the user won't think twice to check until they are stuck with problems and no way to get support.

But just the other day, Alan pointed out the lag in latest stable build of NS on NS home page and the time lag to have it on AMO, saying that a trusted AMO editor had to review it first. Can you square this discrepancy for me, please? TIA as always.


No offense to Alan and every offense to Mozilla, they don't look at squat and they don't do anything other than just let it sit there until they get around to pressing release. If they did, so much crap would not make its way to the boards until negative outrage brings attention to it and THEN they do something about it after the fact. The fact is that the system is not only broken but flawed to say the least. Anyway, you know my passions run hot on this subject, so I will end it before I say something I have to apologize for later.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: Abusing Firefox Addons

Post by mik33mik » Fri Aug 07, 2009 5:23 pm

Hi Giorgio, have you read the presentation?

NoScript has been mentioned in a negative way in this paper:

-NoScript/AdBlockPlus provides false sense of security
-chrome:// URI whitelisted on NoScript, any XSS injection there is not blocked

Any input rendered in chrome is a potential XSS injection point
NoScript Can’t Save You Now:
- NoScript is in the same security zone as the extension
- chrome:// URI is whitelisted by NoScript


I think this need a public reply, perhaps on your blog...

PS
this is another guy that claim he can bypass NoScript:
viewtopic.php?f=19&t=1526#p5483
http://www.wilderssecurity.com/showpost ... stcount=23
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10

User avatar
therube
Ambassador
Posts: 7408
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Abusing Firefox Addons

Post by therube » Fri Aug 07, 2009 6:31 pm

Full thread, http://www.wilderssecurity.com/showthre ... ost1516839. Can't really comment on that one though cause you don't know of what they speak.

In another thread, that recent hacking event also purported to expose some vulnerablility?

There can also be (more general Mozilla) security considerations too, in which case he may not be able to reply even though he's aware.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

Post Reply