CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabil

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
therube
Ambassador
Posts: 7404
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabil

Post by therube » Mon Apr 04, 2016 2:12 pm

"CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities"

PDF: https://www.internetsociety.org/sites/default/files/blogs-media/crossfire-analysis-firefox-extension-reuse-vulnerabilities.pdf

http://webcache.googleusercontent.com/search?q=cache:iqxV39x0NzEJ:https://www.internetsociety.org/sites/default/files/blogs-media/crossfire-analysis-firefox-extension-reuse-vulnerabilities.pdf%2BExtension-reuse+extensions&oe=utf-8&rls=org.mozilla:en-US:unofficial&client=seamonkey-a&hl=en&&ct=clnk

VII. CONCLUSIONS
In this paper, we introduced a novel class of attacks
stemming from extension-reuse vulnerabilities, which arises
from the lack of isolation between Firefox extensions, and
results in capability leaks through global identifiers defined
in the shared JavaScript namespace of the browser.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 SeaMonkey/2.40

barbaz
Senior Member
Posts: 9138
Joined: Sat Aug 03, 2013 5:45 pm

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by barbaz » Mon Apr 04, 2016 3:30 pm

What makes this so special? What qualifies this as an attack?
The whole idea of the current extensions system is that extensions have the same privileges as the browser itself.

(And I've used this type of hackery in the past for my own extensions, posting publicly what I'm doing, and no one called me a haxxor for it...)


ETA
Plus, a malicious extension could itself include code to do exactly whatever the reused code does, and it'd be the same result either way... so what makes the "vulnerability" here?
*Always* check the changelogs BEFORE updating that important software!
-

GWG
Posts: 7
Joined: Sun Mar 20, 2016 7:23 pm

NoScript and Malware problem identified???

Post by GWG » Mon Apr 04, 2016 4:49 pm

"Top Firefox extensions can hide silent malware using easy pre-fab tool" NoScript was specifically mentioned as vulnerable in todays' article. "The extensions vulnerable to the 255 reuse exploits found included NoScript with 2.5 million users, Video DownloadHelper with 6.5 million users, and GreaseMonkey with 1.5 million users. Adblock Plus with its 22 million users was unaffected."

http://www.theregister.co.uk/2016/04/04/top_firefox_extensions_can_hide_silent_malware_using_easy_prefab_tool/

Could we have a comment from No Script dev please.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
therube
Ambassador
Posts: 7404
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by therube » Mon Apr 04, 2016 5:52 pm

> What makes this so special? What qualifies this as an attack?

Well, I suppose nothing actually.
Only that a "clean" extension could potentially piggy-back, for nefarious reasons, onto a different (truly clean) extension.
But really what it points out is the failing in using global variables (as a particular point) rather then variables local to a particular procedure.

There was a GREAT article in that respect, I think from Oracle Magazine, May/June 2015, Tom Kyte... yeah, that was it... (now let me see if I can find it online)...

That was easy, On More-Secure Applications.
(What takes 5 pages in paper form, is only "one" page, electronically. And yes what he says deals with a specific product, but the concepts apply [should apply] everywhere.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 SeaMonkey/2.40

barbaz
Senior Member
Posts: 9138
Joined: Sat Aug 03, 2013 5:45 pm

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by barbaz » Mon Apr 04, 2016 6:07 pm

therube wrote:> What makes this so special? What qualifies this as an attack?

Well, I suppose nothing actually.
Only that a "clean" extension could potentially piggy-back, for nefarious reasons, onto a different (truly clean) extension.
But really what it points out is the failing in using global variables (as a particular point) rather then variables local to a particular procedure.

Well then in that case the "fix" that Mozilla will implement is WebExtensions.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NoScript and Malware problem identified???

Post by Giorgio Maone » Tue Apr 05, 2016 5:01 pm

GWG wrote:Could we have a comment from No Script dev please.

I tweeted here about this.
I'll just add that, if anything, this points out that the editorial process should be more careful: if you don't immediately understand what a certain piece of code does, and surely it's the case for

Code: Select all

noscriptBM.placesUtils.__ns.__global__.ns.
loadErrorPage(window[1], $url);

-- just assume it's malicious.
Another related tweet, to complete the picture.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0

tinstaafl
Posts: 4
Joined: Fri Jan 29, 2016 7:57 pm

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by tinstaafl » Tue Apr 05, 2016 11:53 pm

Will it be necessary to re-write the NoScript extension for the upcoming Mozilla WebExtensions API?
Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by Thrawn » Wed Apr 06, 2016 12:26 am

======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

tinstaafl
Posts: 4
Joined: Fri Jan 29, 2016 7:57 pm

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by tinstaafl » Wed Apr 06, 2016 6:36 pm

Thrawn wrote:https://hackademix.net/2015/08/22/webextensions-api-noscript/

https://hackademix.net/2016/03/09/webrequest-where-were-where-were-going/


Thanks for the links. I learned something today! The news articles made it sound like this issue was suddenly newly discovered. And it may take a few users by surprise, even though many devs have been aware for a while.

I am encouraged to see that Giorgio is taking a lead role on this issue, and that the future of NoScript looks bright :-)
Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by Thrawn » Thu Apr 07, 2016 1:20 am

barbaz wrote:What makes this so special? What qualifies this as an attack?
...a malicious extension could itself include code to do exactly whatever the reused code does, and it'd be the same result either way... so what makes the "vulnerability" here?

The special part is that by piggybacking on another extension, the malicious code may be able to avoid doing anything obviously dangerous, and thus avoid detection in Mozilla reviews.

So it's not really a weakness in NoScript, or other extensions; it's a weakness in AMO.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9138
Joined: Sat Aug 03, 2013 5:45 pm

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by barbaz » Mon Apr 11, 2016 3:02 pm

*Always* check the changelogs BEFORE updating that important software!
-

User avatar
cartel
Junior Member
Posts: 46
Joined: Sun Jul 14, 2013 11:31 pm

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by cartel » Wed Aug 03, 2016 1:39 am

What does this mean for noscript users?
Am I open for attack using noscript.

I'm confused :oops:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0

barbaz
Senior Member
Posts: 9138
Joined: Sat Aug 03, 2013 5:45 pm

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by barbaz » Wed Aug 03, 2016 2:24 am

cartel wrote:What does this mean for noscript users?

Nothing.

cartel wrote:Am I open for attack using noscript.

No.

cartel wrote:I'm confused

If you set fire to the gasoline in your car, that makes your car vulnerable to being engulfed in flames.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: CrossFire: An Analysis of Firefox Extension-Reuse Vulner

Post by Thrawn » Mon Nov 28, 2016 12:34 am

barbaz wrote:If you set fire to the gasoline in your car

Or for a closer analogy - if you leave someone untrustworthy in possession of your car, then s/he can set fire to the gasoline and thus destroy your car without the need to bring his/her own explosives. Of course, even with some kind of non-explosive fuel, you'd still have big problems in this situation.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

Post Reply