Firefox is an awesome web browser by the Mozilla Foundation. It is used by millions of people all around the world. According to w3schools.com, Firefox stands second in the world in terms of usage.
It has millions of feature-rich add-ons to meet one's needs and taste. Add-ons are small pieces of software that add new features or functionality to the Firefox browser; they extend, modify and control browser behavior. Firefox has many developers around the world devoted to add-on development. To make add-on development easier for them, Firefox supports a variety of powerful languages for add-on development.
Firefox add-on Structure
An add-on is just a zipped file with its extension (.zip) changed to (.xpi).
Fig. 2 shows the structure of a Firefox add-on. This structuring of the add-on's components is conventional; it is not mandatory to follow it. But the essential, bare-minimum files for developing an add-on are “chrome.manifest”, “install.rdf”, “overlay.xul” and “overlay.js”.
Purpose of these files is as follows:
chrome.manifest: Registers the location of the contents with the Chrome engine.
overlay.xul: Defines the GUI elements to be added to the browser window.
install.rdf: Gives general information about the extension, such as name, description and version.
overlay.js: Contains the scripts that run in the browser engine.
Firefox Add-on Security Model
The Firefox platform has no mechanism to restrict the privileges of add-ons: add-on code is fully trusted by Firefox, so installing a malicious add-on can result in full system compromise. There is no security measure to restrict communication between add-ons, so an add-on can alter or modify another add-on in the background. There is no security policy or sandboxing for XPConnect and XPCOM components, which is a serious flaw in the security model. Firefox does not restrict malformed Cross Origin Resource Sharing requests or socket creation. Some of the exploitable vulnerabilities are platform independent.
However, addons.mozilla.org, where add-ons are officially hosted, reviews all submitted add-ons. Add-ons with malicious functionality are rejected in review, as are add-ons that execute remote code. An extension on addons.mozilla.org can have three states:
- Fully reviewed: the add-on passed the review without any serious issues.
- Preliminarily reviewed: the add-on was found to be safe to use but has serious issues or simply isn’t mature enough yet.
- Not reviewed: the add-on has only been submitted recently and not reviewed yet, use at your own risk.
Even though it is possible to host a malicious add-on on the Firefox add-ons website, that is outside the scope of this paper. We will only discuss some methods through which add-on coding technologies can be abused to build malicious add-ons, and the methods used by hackers to spread them.
Exploitable Features of Firefox add-on Coding
Figure 3: The Mozilla Platform
Add-ons are the best part of Firefox, which has feature-rich and extensible add-on support.
Exploiting the Weakness
Now consider some exploitation scenarios.
- We can pack and execute malicious Windows executable (.exe) files by abusing the file I/O operations supported by XPConnect.
- We can hook malicious code into the Firefox browser interface and execute it every time the browser loads.
- We can steal Firefox session data with a malicious add-on.
- Add-ons can access the contents of confidential files on the system without any restriction.
- With the XHR object we can exchange data between the victim and the server.
- By abusing CORS and WebSocket we can send numerous bogus requests to DDoS a web site.
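As an added example (not from the original paper or the Xenotix project), here is a small static triage script for the add-on structure and the scenarios above: it treats an .xpi as the zip it is, checks for the bare-minimum files named earlier, and flags bundled native executables and references to the interfaces the scenarios rely on (nsIProcess, nsILocalFile/nsIFile, XMLHttpRequest, WebSocket). The sample package it builds is constructed for the demo and is not a working add-on.

```python
import io
import re
import zipfile

# Bare-minimum files the article lists for a classic (XUL overlay) add-on.
REQUIRED_FILES = {"chrome.manifest", "install.rdf"}
# XPCOM/DOM names the article's PoC add-ons rely on; every use deserves a look.
RISKY_NAMES = ("nsIProcess", "nsILocalFile", "nsIFile", "XMLHttpRequest", "WebSocket")
# Native executables have no business inside an add-on package.
BUNDLED_EXEC = re.compile(r"\.(exe|dll|bat|cmd|sh)$", re.IGNORECASE)


def triage_xpi(xpi_bytes):
    """Static triage of an .xpi: an .xpi is a zip, so no Firefox is needed."""
    findings = {"missing": [], "executables": [], "risky": {}}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as pkg:
        names = set(pkg.namelist())
        findings["missing"] = sorted(REQUIRED_FILES - names)
        for name in sorted(names):
            if BUNDLED_EXEC.search(name):
                findings["executables"].append(name)
            if name.endswith((".js", ".jsm", ".xul")):
                text = pkg.read(name).decode("utf-8", errors="replace")
                hits = [n for n in RISKY_NAMES if n in text]
                if hits:
                    findings["risky"][name] = hits
    return findings


def verdict(findings):
    """'reject' if a native binary is bundled, 'review' if risky APIs appear."""
    if findings["executables"]:
        return "reject"
    if findings["risky"] or findings["missing"]:
        return "review"
    return "clean"


def build_sample_xpi():
    """Constructed sample package for the demo; not a real or working add-on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("chrome.manifest", "content sample chrome/content/\n")
        pkg.writestr("install.rdf", "<RDF></RDF>\n")
        pkg.writestr("chrome/content/overlay.xul", "<overlay/>\n")
        pkg.writestr("chrome/content/overlay.js",
                     "// constructed: only references the interface name\n"
                     "var iface = Components.interfaces.nsIProcess;\n")
        pkg.writestr("chrome/content/helper.exe", b"MZ constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_xpi(build_sample_xpi())
    print(verdict(result), result)
```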
Proof of Concept (PoC)
To demonstrate the potential security risk posed by malicious Firefox add-ons, I have implemented some proof of concept add-ons.
- Xenotix Remote Keylogger
- Xenotix Session Stealer
- Xenotix Linux Password Stealer
- Xenotix Reverse Connect
All of these add-ons are new and fully undetected by anti-virus solutions.
XenotixKeylogX is a keylogger add-on for Mozilla Firefox that captures keystrokes and logs them to a file. It hooks into the browser interface and captures keystrokes from all the open tabs in Firefox.
Figure 4: Abusing JavaScript Function
Figure 5: VirusTotal results for XenotixKeylogX
Bypass Anti-Keylogger and On-Screen Keyboard
The keylogger add-on can bypass Windows On-Screen Keyboard and KeyScrambler.
KeyScrambler is an anti-keylogging mechanism that encrypts keystrokes at the keyboard driver level and decrypts them at the destination application for which the keystrokes are made. The keylogger add-on described here can bypass the KeyScrambler protection mechanism.
Figure 6: How XenotixKeylogX bypasses KeyScrambler, the anti-keylogger mechanism
Fig. 6 depicts the working of a normal keylogger, the protection mechanism of KeyScrambler against keyloggers, and the bypass of KeyScrambler protection by the XenotixKeylogX add-on.
A normal software-based keylogger hooks into the path between keyboard input and the applications running on the system, so it can collect the keystrokes passing along that path. KeyScrambler is an anti-keylogger that encrypts all keystrokes at the keyboard driver level, deep inside the kernel. When the encrypted data passes through the path hooked by the keylogger, the keylogger is rendered useless, since the captured data is completely encrypted. Finally, KeyScrambler decrypts the keystrokes at the destination application for which they were produced. Now consider the scenario where the XenotixKeylogX add-on is installed in Firefox. As usual, KeyScrambler encrypts the keystrokes and decrypts them before handing them to the Firefox executable. But since the keylogger add-on executes inside Firefox, it obtains all the keystrokes in plain text, so the protection mechanism is bypassed and rendered useless against this malicious add-on.
Xenotix Remote Keylogger
Figure 7: The add-on invokes an executable which uploads the log file to an FTP account every 60 seconds.
Here, too, we exploit the weakness that Firefox does not implement any security privilege policy or restrictions on content extraction from web pages and file execution by add-ons. This add-on works only in a Windows environment, as Windows executables are not supported on Linux. Also, invoking a Linux executable file is not supported by XPConnect.
Bypass Anti-Keylogger and On-Screen Keyboard
Xenotix Remote Keylogger can bypass Windows On-Screen Keyboard and KeyScrambler protection in the way described above.
Xenotix Session Stealer
Firefox has a built-in Session Store feature that saves your session data, including open windows and tabs, window size and position, text typed in forms and the session cookies that maintain your login state on different websites. All of this session data is stored in a file named “sessionstore.js” in the Firefox profile folder.
Figure 8: The add-on will send the contents of sessionstore.js to the remote attacker
This file is intended for recovering tabs after a Firefox crash. The “sessionstore.js” file is maintained so that Firefox preserves the session data upon abnormal exit or crash and deletes it on a normal exit. A malicious add-on can abuse the file management feature of XPConnect and the data exchange feature of the XmlHttpRequest (XHR) object to read the contents of “sessionstore.js” and send it to the attacker via a GET request at specified time intervals. Later, the attacker can use the stolen session data file to reproduce the victim's authenticated session.
Figure 9: The add-on will send contents of session data files to the remote attacker.
This add-on exploits the weakness that Firefox imposes no access restriction on its session data file, and that the file is compatible with any system and any version of Firefox, which gives the attacker the ability to reproduce the session on a remote computer. Firefox also has no security measure to isolate and lock the session file to a single Firefox installation.
Xenotix Linux Password Stealer
Figure 10: The Xenotix Linux Password Stealer add-on is implemented by abusing the nsIFile object and XMLHttpRequest
Xenotix Reverse Connect
Figure 11: Reverse Connection from Windows 8 PC
This malicious add-on is packed with a reverse shell that connects back to the attacker. It abuses the file execution feature of XPConnect to start a reverse shell to an IP and port specified by the attacker, targeting the weakness that Firefox lacks any privilege restriction or control policy for creating and executing processes.
Most anti-virus solutions won't scan the packed form (.xpi) of the add-on, and current heuristic scans do not detect it as a threat. Some anti-virus solutions merely ask the user whether to allow the execution or not, since it communicates through a reverse TCP channel.
Figure 12: DDoS with CORS and WebSocket
This add-on can be used to perform a distributed DoS attack; even a single instance of the add-on running is enough to take down a low-profile web site. The interesting part is that the victim running the add-on will not know that he is part of a zombie network carrying out a DDoS attack.
Spreading the Add-ons
Many methods can be used to spread these malicious add-ons: for example, a web page that asks the user to install an add-on as a basic requirement for accessibility, for viewing a video or for accessing some content. Social engineering tricks can be used effectively to spread malicious add-ons, as human stupidity is the greatest vulnerability. Malicious add-ons can also be spread by exploiting Cross Site Scripting vulnerabilities in web applications (refer to Fig. 13).
Figure 13: Spreading malicious add-ons by exploiting Cross Site Scripting vulnerabilities
The code given below can be used by an attacker to spread malicious add-ons via tabnabbing.
So far I have discussed the depth and scope of the threats that arise from abusing and exploiting Firefox add-ons. Now we will look at some defense strategies.
The first and foremost thing is never to trust third-party add-ons; be cautious before installing one. Always use good, up-to-date anti-virus and firewall solutions. Keylogger Beater is a nice Firefox add-on for beating keyloggers. Reverse and analyze the add-on's source code if you can. Disable session data storing in Firefox to prevent session stealing: visit about:config in the Firefox URL field and set “browser.sessionstore.resume_from_crash” to false. Do not run Firefox from a root-privileged account on Linux; if the user account is a less privileged one, the password files cannot be accessed without the necessary privilege and permission. Use a safe, properly configured proxy server so that it can filter out and block unauthorized reverse TCP and FTP connections.
DDoS attempts can be effectively blocked by analyzing, filtering and applying restrictions on the ‘Origin’ header of all cross-origin requests.
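As an added example (not from the original paper), here is a small Python audit that parses a Firefox profile's prefs.js and reports whether the about:config hardening recommended above has been applied. It assumes the preference is simply absent from prefs.js while it still has its default value of true; the two prefs.js fragments are constructed samples.

```python
import re

# prefs.js and user.js hold one preference per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# The article's hardening: stop Firefox from resuming (and so retaining) sessions.
SESSION_PREF = "browser.sessionstore.resume_from_crash"


def parse_prefs(text):
    """Parse user_pref lines into a dict; booleans, integers and strings are typed."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines and anything else are skipped
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as its raw text
    return prefs


def session_restore_hardened(prefs):
    """True only if the pref is explicitly false; an absent pref means the default, true."""
    return prefs.get(SESSION_PREF, True) is False


def audit_profile(prefs_text):
    """Return what a reviewer wants to see: the effective value and pass/fail."""
    prefs = parse_prefs(prefs_text)
    return {
        "resume_from_crash": prefs.get(SESSION_PREF, True),
        "hardened": session_restore_hardened(prefs),
    }


# Constructed sample prefs.js fragments: a default profile and a hardened one.
DEFAULT_PROFILE = '''# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.sessionstore.max_tabs_undo", 10);
'''
HARDENED_PROFILE = DEFAULT_PROFILE + 'user_pref("browser.sessionstore.resume_from_crash", false);\n'
```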
I have explained the Mozilla Firefox add-on security model and the weaknesses in the current architecture that a hacker can abuse. I have implemented and demonstrated proof of concept add-ons that successfully exploit security weaknesses in the Firefox platform. The anti-virus detection rates of all these malicious add-ons are almost zero, and protection mechanisms and filters are bypassed. It is a real threat to ordinary people out there, so anti-virus vendors should identify and eliminate these threats efficiently. And I hope that the Mozilla Firefox team will work on these issues to fix them and provide their users a secure browsing environment. Until then, keep an eye on add-ons before installing them.