Closed Bug 1544315 Opened 5 years ago Closed 5 years ago

Extension Block Request: unlisted add-ons with privileged remote code execution

Categories

(Toolkit :: Blocklist Policy Requests, task)


RESOLVED FIXED
Tracking Status
firefox-esr60 --- fixed
firefox66 + fixed
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: robwu, Assigned: Fallen)

Details

(Keywords: sec-other)

Extension name
Extension versions affected <all versions>
Platforms affected <all platforms>
Block severity hard

Reason

Extensions are capable of executing remote code, and this fact is heavily obfuscated.

Extension IDs

{880cacfe-5793-4346-89ce-fbbd368d394c}
{f0780038-50b9-11e9-9c72-4ba2d8f2ec9f}
{22ffe411-2b0e-11e9-87f9-c329f1f9c8d2}
{cf4bae43-026f-4e7e-a85a-952a7ca697a1}
{17052516-09be-11e9-a008-03419f6c8bc6}
{333fb3de-18a8-18e8-b6d3-e73213911efb}
{aa4abac2-1ffa-12aa-bbdd-9305cb2c1254}
{72222e70-2fd6-11e9-956b-27f7787b8d2d}
{637212d8-3484-11e9-9812-005056b22b42}
{4a222e60-31de-1eca-8476-37565daf6afb}
{7fc6d222-48d5-11e9-b586-17e94c73a1b1}
{e111c358-121b-13fa-bf23-bb57da32d184}
{9674445c-8dff-4580-96b2-99442a7ae9af}

and likely others in crash reports for extensions with the following characteristics:

  • manifest.json contains content_security_policy with a https:-URL (script-src[^;]+https:) (the https:-URL is seemingly innocent, such as a CDN URL), and
  • Extension has permissions webRequest, webRequestBlocking, storage, webNavigation, <all_urls>.
  • Code is heavily obfuscated, which hides the fact that they exploit bug 1544310
  • Extension's background script is minified and contains "new TextEncoder()" or "return TextEncoder"
  • Extension's JavaScript code does not contain "webRequest".

I recommend scanning all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklisting them. If unsure, I am willing to help assess whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases).

EDIT: Expanded the list. The above list of add-ons accounts for 1002 of the crash reports on April 12th, which matches my expectations from comment 1.

EDIT2: Expanded the list once again, now based on all files from AMO that match the above query.

The following add-on IDs also matched the given criteria, but apparently they've already been blocked.

{8a22255c-4737-11e9-a86b-0bb66337cb31} - bug 1535655
{a9c33302-4c97-11e9-9a9d-af400df725e3} - bug 1538141
{03dfffe0-509f-11e9-aa00-e7e13d49f3de} - bug 1540113
{a9c33302-4c97-11e9-9a9d-af400df725e1} - bug 1539514
{e555c358-121b-13fa-bf23-bb57da32d184} - bug 1540111
{674fff65-6cd0-488a-9453-fb91fc3d7397} - bug 1543924 (in progress).

EDIT3: The following have already been blocklisted, but they still show up in crash reports (48 of them in the past week; not all crashes are attributable to them). I removed them from the original list, leaving the number of crashes covered by the above add-ons at 6376 in the past week.

{ba74c7ee-32b1-11e9-ade5-1f2222a4f325} - bug 1529573
{1c94bc8a-3ac1-12e1-aae7-0b314772229c} - bug 1535655
{3fab603e-3ee1-1222-a859-5f85a3441216} - bug 1535655

(ccing Shane in case you're interested in the precise numbers behind https://bugzilla.mozilla.org/show_bug.cgi?id=1403546#c14 )
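The characteristics listed above can be turned into a triage check for an unpacked extension. The following script is an added example for this page, not Mozilla's AMO scanner or any tool from the bug; it assumes a manifest v2 layout (`background.scripts`), uses an assumed line-length threshold as a stand-in for "minified", and only tests the textual indicators (it does not detect obfuscation itself). The sample manifests and scripts are constructed.

```python
import json
import re
from pathlib import Path

# Indicators taken from the characteristics listed in the bug report.
CSP_REMOTE_SCRIPT = re.compile(r"script-src[^;]+https:")
SUSPICIOUS_PERMISSIONS = {"webRequest", "webRequestBlocking", "storage", "webNavigation", "<all_urls>"}
TEXTENCODER_MARKERS = ("new TextEncoder()", "return TextEncoder")
MINIFIED_LINE_LENGTH = 500  # assumed heuristic threshold, not from the bug report


def background_script_paths(manifest):
    """Return the background script paths declared in an MV2 manifest (assumed layout)."""
    return list(manifest.get("background", {}).get("scripts", []))


def check_extension(manifest, scripts):
    """Evaluate the bug's indicators against a manifest dict and a {path: source} map.

    Returns each indicator individually plus an overall flag, so a reviewer can
    see which characteristics matched rather than only a yes/no.
    """
    csp = manifest.get("content_security_policy", "")
    perms = set(manifest.get("permissions", []))
    bg_sources = [scripts.get(p, "") for p in background_script_paths(manifest)]
    all_js = "\n".join(scripts.values())

    indicators = {
        # CSP allows loading scripts from an https: origin (e.g. a CDN).
        "csp_allows_remote_https_script": bool(CSP_REMOTE_SCRIPT.search(csp)),
        # Full permission set named in the report is present.
        "has_suspicious_permission_set": SUSPICIOUS_PERMISSIONS <= perms,
        # Background script carries one of the TextEncoder markers.
        "background_uses_textencoder": any(
            marker in src for src in bg_sources for marker in TEXTENCODER_MARKERS
        ),
        # Very long lines are used as a proxy for a minified background script.
        "background_is_minified": any(
            bool(src) and max(len(line) for line in src.splitlines()) > MINIFIED_LINE_LENGTH
            for src in bg_sources
        ),
        # webRequest is requested in the manifest but never named in any JS.
        "declares_webrequest_but_never_names_it": "webRequest" in perms and "webRequest" not in all_js,
    }
    return {"indicators": indicators, "matches_all": all(indicators.values())}


def check_extension_dir(root):
    """Run the checks on an unpacked extension directory on disk."""
    root = Path(root)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    scripts = {
        p.relative_to(root).as_posix(): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*.js")
    }
    return check_extension(manifest, scripts)


# Constructed sample exhibiting every indicator from the report.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 2,
    "name": "sample (constructed)",
    "content_security_policy": "script-src 'self' https://cdn.example.invalid; object-src 'self'",
    "permissions": ["webRequest", "webRequestBlocking", "storage", "webNavigation", "<all_urls>"],
    "background": {"scripts": ["background.js"]},
}
SUSPICIOUS_SCRIPTS = {
    "background.js": "(function(){var e=new TextEncoder();" + "var x=0;" * 80 + "})();",
}

# Constructed benign sample: declares webRequest and actually uses it in readable code.
BENIGN_MANIFEST = {
    "manifest_version": 2,
    "name": "benign sample (constructed)",
    "permissions": ["storage", "webRequest"],
    "background": {"scripts": ["background.js"]},
}
BENIGN_SCRIPTS = {
    "background.js": "browser.webRequest.onBeforeRequest.addListener(\n  function (d) { return {}; },\n  { urls: ['<all_urls>'] }\n);\n",
}


if __name__ == "__main__":
    for label, m, s in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_SCRIPTS),
                        ("benign", BENIGN_MANIFEST, BENIGN_SCRIPTS)):
        print(label, json.dumps(check_extension(m, s), indent=2))
```

`check_extension_dir` is the entry point for a real unpacked add-on; `check_extension` takes the parsed pieces so the logic can be unit-tested without touching disk. The per-indicator breakdown matters more than `matches_all`: a CSP pointing at a CDN or a `TextEncoder` call is unremarkable on its own, and it is the combination with a declared but never-referenced `webRequest` permission that the report treats as the tell.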

The sample query at https://sql.telemetry.mozilla.org/queries/62306/source?p_addonguid_undefined=%7B880cacfe-5793-4346-89ce-fbbd368d394c%7D&p_lastdays_undefined=14 (longer query) shows that the add-on with ID {880cacfe-5793-4346-89ce-fbbd368d394c} started below 2k users and usage shot up to the 50-80k range in just two weeks.

When the remote code execution logic is activated, we sometimes get crash reports due to bug 1403546.
Here are the crash reports for the past day (Sunday, 14 April 2019). To put this in context, the statistics are as follows:

10 April and earlier - 0 crashes (2, 16, 24, 32, 34, 41, 51, 60, 69 thousand users per day)
11 April - 51 crashes, 75k users
12 April - 205 crashes, 67k users
13 April - 212 crashes, 53k users
14 April - 176 crashes.

The absence of crash reports on 10 april and earlier may indicate that the extension has obtained users for the first 10 days, and then activated code execution remotely (I also ran a query and verified that the extension version did not change in the measured period).

The three IDs reported above only account for 460 of the crashes on the 13th, while there were 1022 crashes on that day. Before that, we would only get about 100 per week. So there are likely more (unlisted) extensions from the same devs (not just those three, as expected).

(In reply to Rob Wu [:robwu] from comment #0)

... for extensions with the following characteristics:

  • manifest.json contains content_security_policy with a https:-URL, and
  • Extension has permissions webRequest and webRequestBlocking
  • Code is heavily obfuscated, which hides the fact that they exploit bug 1544310

I recommend scanning all unlisted extensions for the above characteristics (even if they did not appear in the crash reports), and blocklisting them. If unsure, I am willing to help assess whether an extension belongs to this category (having spent hours on the analysis makes it easier to spot similar cases).

cr, are you able to get a list of such extensions that we could review (i.e. a list of extensions that match the first two conditions above)?

Flags: needinfo?(cr)

According to Andreas, the list of add-ons for that query is quite large.

I'll work with him to narrow down the results and update here if needed.

Flags: needinfo?(cr)

I've updated comment 0 with the full list of add-ons, and verified that those are likely all relevant add-ons from April 12th.

See Also: → 1403546

I believe that the list is now complete.

Please proceed with the blocklist request for the GUIDs listed in the bug.

Those account for 6480 crash reports out of 6612 in the past week (in relation to bug 1403546 ).

The block has been staged. Philipp, can you please review and push?

Flags: needinfo?(philipp)
Keywords: sec-other

Done

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(philipp)
Resolution: --- → FIXED

The following two add-ons still show up prominently in the signature from bug 1403546 and haven't been blocklisted:
{bbddf452-1a72-4a5d-a833-0416ac7fd76f}
{c65b18e1-cd3d-4773-a901-15a0753e7d81}

I don't have access to their details, so could you take a look at whether they'd fit the criteria to be blocked as well?

Flags: needinfo?(rob)

Could we please file a new bug for that? Thanks!

Blocks: 1546989

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #9)

Could we please file a new bug for that? Thanks!

yap, sorry...

Flags: needinfo?(rob)
Group: firefox-core-security → core-security-release
Group: core-security-release