843946 - (xboz) Firefox Add-on Development Platform Vulnerabilities

Status: RESOLVED FIXED

(Firefox :: General, defect, P1)

Description

[ajin25]

Attachment: Paper on Abusing, Exploiting and Pwning with Firefox Add-ons

Abusing and Exploiting Firefox add-on Security model.JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, Session storing and full privilege execution can be abused by a hacker for malicious purposes. The widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors resulting in confidential data theft and full system compromise. This paper is supported by proof of concept add-ons which abuse and exploits the add-on coding in Firefox 17 and 18. The proof of concept includes the implementation of a Local keylogger, a Remote keylogger, stealing Linux password files, spawning a Reverse Shell, stealing the authenticated Firefox session data, and Remote DDoS attack. All of these attack vectors are fully undetectable against anti-virus solutions and can bypass protection mechanisms.

Comment 1

[Daniel Veditz [:dveditz]]

Thanks for giving us a head's up on the paper. You are quite right that add-ons can do anything Firefox can and that it's dangerous. Installing an add-on is not in any way sandboxed; it is installing software on your machine, no different than installing a plugin like Java or Flash.

Can't really call it a "bug", it's just the way that functionality is defined. To the extent that malicious add-ons exist I would hope that anti-virus treats it as any other malicious software. You're right that they don't always, so getting the word out that they ought to be looking can only be helpful.

I believe you are wrong about A-V not unpacking .xpi files: they CAN do so, they just aren't looking for many malicious add-ons. But for the very few they know about they do detect them. For example, here is the VirusTotal analysis of the example malware FFSniff add-on from http://azurit.elbiahosting.sk/ffsniff/

https://www.virustotal.com/en/file/445b5de204bfc337ed571f406787fe1a39e8fecaf0ea60d61a6c28c1fe834332/analysis/

So "signature-based" seems to work, but they don't seem to have heuristics to detect new "bad stuff" such as the add-ons you wrote.

Comment 2

[ajin25]

Ya actually it's easier to make a malicious add-on. You can make it simply undetectable by tweaking the javascript. And i did hand tested with different anti-virus solutions. most of them didn't unpacked it.

Comment 3

[ajin25]

Also it's easier for anyone to do exploitation with Firefox. I had presented this paper at AppSec AsiaPac Security Conference 2013, South Korea (i didn't made full disclosure). The responses from the delegates seems they are fearing to use firefox even if i told them it's basically happens only if malicious add-ons are there. Still hard to convince them. And at last i explained them about the mitigation strategies to protect from such exploitation with these kind of add-ons.

And if it's not a bug, then it's a design flow to fix.

1. There should be some restrictions on the files that can be accessed by an add-on. It's very clear that stealing "sessionstore.js" which stores the confidential session information is a severe threat. Same applies to reading Linux password file.

2.Why still firefox add-ons can run an executable. that should be depreciated by now, because there is enough programming environment and tools to make add-on development easier. So remove the support for windows executable.

3. And if one add-on can interact and get the values or configs of other add-ons then where is the integrity.

4.Eventhough it's about Add-on exploitations, but still it's related to Firefox.

So as a web developer, information security researcher, i would like to tell you that the Mozilla Platform should be filtered and security architecture should be redefined or redesigned. You got billions of users and never loss there trust.

Comment 4

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

With the adoption of Web Extensions and the deprecation of full add-ons, I think we could call this bug RESOLVED. Dan?