This is my Presentation on Firefox Security I presented @ ClubHack 2010

1. Firefox (in)Security Prasanna K Dead Pixel

2. What & Who This presentation demonstrates strength of the Mozilla platform and how some of the features could be Mis-Used by malicious users. This presentation is intended to dispel a common Myth FIREFOX is SECURE

3. Firefox Browser of the choice for millions Multi Platform Modular and Scalable ! Pluggable Extension Code ! Browser of my Choice 

4. Agenda Introduction Mozilla Platform Attacking Firefox Malicious Extensions XCS Some basic points to watch…. That’s All Folks …

5. Introduction

6. Extension Security ! Mozilla extension security model is non-existent Extension code is fully trusted by Firefox Vulnerability in extension code might result in full system compromise No security boundaries between extensions An extension can silently modify/alter another extension

7. Mozilla Platform Chrome: It could be used to indicate a “Special Trusted Zone” within the Mozilla Platform

8. Mozilla Platform XUL (pronounced "zool") : Mozilla's XML-based language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet. <?xml version="1.0"?> <?xml-stylesheethref="chrome://global/skin/" type="text/css"?> <window id="vbox example" title="Example 3...." xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <vbox> <button id="yes" label="Yes"/> <button id="no" label="No"/> <button id="maybe" label="Maybe"/> </vbox> </window>

9. Mozilla Platform XBL: XML-based markup language used to declare the behavior and look of XUL-widgets and XML elements. scrollbar { -moz-binding: url('somefile.xml#binding1'); } -- “binding1” is the id of the binding

10. Mozilla Platform XPCOM: Cross platform component model from Mozilla. Nerve center of the Mozilla platform. XPCOM has some Similarity to CORBA and Microsoft COM.

11. Important Components of Mozilla Platform

12. Mozilla Platform

13. Attacking Firefox ! Now that we have seen the basic Architecture now for some Fun 

14. Extensions Extensions Add functionality to Firefox, Thunderbird and Sea-monkey. Sample Files inside a XPI file exampleExt.xpi: /install.rdf /components/* /components/cmdline.js /defaults/ /defaults/preferences/*.js /plugins/* /chrome.manifest /chrome/icons/default/* /chrome/ /chrome/content/

15. Malicious Extensions We will build a Malicious Extension which will Log all Key Strokes and Send Remotely Execute Native Code Crack Stored passwords Add malicious site to No Script. DEMO

16. Interesting Finds In Course of this presentation I found some interesting finds some have been previously discussed but here they are again !

18. XCS injections occur from untrusted to trusted zone.

20. DOM Nodes when Dragged and Dropped move the properties attributes and behavior

21. A extension that trusts copied DOM content be can be subverted by sending malicious content

22. CreateEvent() DOM function can be used to send malicious content to the extensionDEMO

24. wrappedJSObject can be used to strip the wrapper protection.DEMO

26. When an extension makes use of bindings, elements within the bindings are attached to the invoking page.

27. CSS plays a role in exploiting XBLDEMO

28. What Should a END User Mind Suspicious single file(s) in extension folder. XPI are Archives can be un-Zipped and checked for any packaged Executables Check the install.rdf for common pitfalls mainly <em:hidden> Verify chrome.manifest does not point to other extension folders as it can overwrite functionality.

29. What Should a Developer Do. That’s a whole Presentation By itself Don’t Bypass Wrappers Don’t Trust content From the Un-Trusted Domain. Don’t use eval() Follow this link : https://developer.mozilla.org/en/Security_best_practices_in_extensions

30. Tools Firebug XULWebDeveloper XPComViewer Venkman Console2 Burp

31. Last Words We discussed Some Ways subverting the Mozilla Platform This list is not by any means exhaustive There are some strategies like Sandboxes which can be bypassed New features like themes open new avenues ! HTML 5 would definitely be a point to consider (LavaKumar Speech) Last Mozilla is a secure platform but can easily be exploited …. So some care should be considered.

32. Questions

33. Thank You prasanna@deadpixel.org