Sunil - Hacking Firefox - ClubHack2007
Hack Firefox to steal web-secrets
Sunil Arora
How many of you use Firefox?
Firefox and extensions
- Firefox: claimed to be the most secure and most efficient web browser
- Firefox extensions
  - A way to extend Firefox to customize it or add more functionality to it
  - Most of the popular websites (Google, StumbleUpon, Facebook, etc.) provide their toolbar in the form of an extension
  - Popular functionality such as FTP, CHMReader, Flashblock, Adblock, etc. is available in the form of extensions
Agenda
- Malware overview
- Malware: how it works
- A look at existing vulnerabilities
- How malware can find its way on to the victim's Firefox
- Live demo
Let's meet John
- Uses the internet for social networking, for example Facebook, Orkut, MySpace, etc.
- Uses email for professional as well as personal communication, for example Gmail, Yahoo or corporate webmail
- Uses the internet for his credit card transactions, for example Citibank, ICICI Bank, HSBC, etc.
- Uses internet banking for managing his day-to-day finance activity
- Blogs on the internet for professional as well as personal purposes
John's online world
Problem Statement
- How to retrieve values of elements like username, password, credit card number, IPIN, etc. for a particular web resource (Gmail / Yahoo / banking website, etc.)
Malware - Architecture
- Target List
- Secret List
- Secret Collector Engine
- Communicator Module
Our malware is nothing but a malicious Firefox extension
Malware - Secret Collector - I
- Normal http request process
- Intercept http requests being made by the browser
- Parse the http request and retrieve user-typed web secrets
Malware - Secret Collector - II
- How to intercept an http request? The "Notifications" mechanism in Firefox
- Different components within Firefox can register to send/receive notifications
- Some standard notifications:
  - quit-application
  - memory-pressure
  - domwindowopened / domwindowclosed
  - http-on-modify-request / http-on-examine-response
Malware - Target List
- Set of websites we want to steal secrets for
- Example entry:
  - URL: https://www.google.com/Auth
  - Number of attributes: 2
  - Attribute Names: Email, Passwd
Malware - Secret List
- Set of collected secrets
- Example entry:
  - URL: https://www.google.com/Auth
  - Number of attributes: 2
  - Name: Email, Value: [email protected]
  - Name: Passwd, Value: helloworld
Communicator Module
[Diagram labels: Target List, Secret List, Internet]
How it can find its way to John's Firefox - I
- Installing the malicious extension
  - Command-line silent install (firefox.exe –install –silent …XXX)
  - Using Firefox's extension installation wizard
  - Copying the malicious extension's files into the extension directory of Firefox
How it can find its way to John's Firefox - II
- Exploit a Firefox vulnerability (for example the extension upgrade vulnerability or the QuickTime RTSP vulnerability) to push the extension
- Install the malicious extension by exploiting a vulnerability in some other existing application
- Bundle it in some other popular extension and redistribute
- Host the malicious extension on a web server and craft a web page to drive the user to install the hosted extension
Firefox extension upgrade vulnerability
- Firefox's upgrade mechanism enables extensions to poll an Internet server for updates
- If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code
- Extensions fetching updates from http://www.xxx.com (a non-SSL web server) instead of https://www.xxx.com (an SSL-enabled web server) are vulnerable to a DNS-based man-in-the-middle attack
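
An added example (not from the original slides): a Python audit of the install.rdf manifests in an extensions directory that flags any extension whose em:updateURL uses plain http, the condition described above. The manifests, extension ids, example.invalid URLs and status labels are constructed for this example.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # install.rdf property namespace

def manifest_props(path):
    """Return the em:* child properties of the install-manifest Description."""
    for desc in ET.parse(str(path)).getroot().iter():
        if "urn:mozilla:install-manifest" in desc.attrib.values():
            return {c.tag[len(EM):]: (c.text or "").strip() for c in desc if c.tag.startswith(EM)}
    return {}

def classify_update(props):
    """Classify the update channel; em:updateKey (Firefox 3+) means a signed update manifest."""
    url = props.get("updateURL")
    if not url:
        return "default"   # no custom server: the browser's built-in update URL applies
    if urlparse(url).scheme.lower() == "https":
        return "https"
    return "http-signed" if props.get("updateKey") else "insecure"

def audit(ext_dir):
    """Map extension id -> update status for each <ext_dir>/<name>/install.rdf."""
    findings = {}
    for manifest in sorted(Path(ext_dir).glob("*/install.rdf")):
        props = manifest_props(manifest)
        findings[props.get("id", manifest.parent.name)] = classify_update(props)
    return findings

# Constructed sample manifests (not taken from any real extension)
SAMPLE = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
          'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
          '<Description about="urn:mozilla:install-manifest">'
          '<em:id>{id}</em:id>{extra}</Description></RDF>')
CASES = {"toolbar@example.invalid": "<em:updateURL>http://updates.example.invalid/u.rdf</em:updateURL>",
         "notes@example.invalid": "<em:updateURL>https://updates.example.invalid/u.rdf</em:updateURL>",
         "plain@example.invalid": ""}

def build_sample_profile():
    root = Path(tempfile.mkdtemp())
    for ext_id, extra in CASES.items():
        (root / ext_id).mkdir()
        (root / ext_id / "install.rdf").write_text(SAMPLE.format(id=ext_id, extra=extra))
    return root

if __name__ == "__main__":
    print(audit(build_sample_profile()))
```

Extensions reported as "insecure" are the ones to remove or to replace with a build that updates over https.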
Facebook Extension
- Facebook is a very popular social networking site. It provides an FF toolbar as an FF extension.
- Any FF with the Facebook toolbar (v 1.1) is vulnerable to the update vulnerability.
- We package our malicious extension in the existing Facebook toolbar (v1.6) and push it through the update vulnerability.
- Once the malicious extension is installed in FF, the victim's FF is compromised.
Attack Flow
- Diagram nodes: Facebook extension update server; attacker's update server hosting the malicious extension; untrusted public network; John's FF running the Facebook extension; hacker running the master server; X; Y
- Diagram messages:
  - What is the IP of the update server?
  - Update server is at Y
  - Fetches target lists
  - Sends collected secrets
Advisory
- Do not use a public computer for important information exchange
- Keep software up to date
- Install Firefox extensions from authentic sources (https://addons.mozilla.org) only
- Regularly check the list of installed extensions
- Observe Firefox's performance; an anomaly in performance may be due to an unwanted extension
- Do not ignore extension install warnings