Detecting Firefox Extensions
In the same vein as the IE-specific res:// URLs that can help you detect Internet Explorer, I’ve taken that detection one step further in Firefox. After discovering the issue with IETab, where a user can be maliciously forced into the Internet Explorer rendering engine, it got me thinking about ways to detect whether that is even possible. How do you know what your target is running, and how do you take advantage of that information? Taking advantage of it is a huge ball of wax and depends completely on the browser plugin in question. In this case the IETab issue was pretty straightforward, but others may not be, and will take a lot more time to analyze (probably by many more people than me alone).
While messing around with Web Developer’s DOM “generated source” utility, I happened upon one of my plugins’ information being written into the DOM. In tracking down the chrome element, I realized that Firefox has an issue similar to Internet Explorer’s: registered items can be mapped. Specifically, images of all things. The naming convention isn’t standard, so you can’t just write one detection that works for everything, but I took the time to map out each of the ones I could find so you wouldn’t have to dig.
In Firefox (with JavaScript turned on), click on this URL to show some of the plugins you may have. Sorry for the popup, but the page has some weird interactivity that I haven’t fully diagnosed.
Knowing what your target has installed is both a way to fingerprint the user and a way to bypass whatever security settings they may have (knowing what they have installed can help you figure out ways around it, or use it to your advantage, as we saw with IEView). I’ve always thought plugins would be Firefox’s major security flaw. Looks like we’re getting closer to proving that.
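The image-load probe the post describes, as an added example (this is not the demo page’s code): it loads one chrome:// image per extension and reports which ones loaded. The extension names come from the demo output quoted in the comments; the chrome:// paths are placeholders, and `createImage` is a hypothetical injection point so the same logic can run in a test harness.

```javascript
// Added example, not the original demo code. It maps extension names
// (taken from the post's demo output) to chrome:// image URLs. The paths
// are PLACEHOLDERS: each extension registers its own chrome package and
// icon paths, which is why the original author had to map them by hand.
const CHROME_PROBES = {
  "FasterFox":        "chrome://fasterfox/skin/PLACEHOLDER-icon.png",
  "Web Developer":    "chrome://webdeveloper/skin/PLACEHOLDER-icon.png",
  "Customize Google": "chrome://customizegoogle/skin/PLACEHOLDER-icon.png",
};

// Probe every URL by loading it as an image. onload fires only if the
// chrome package is registered and reachable from web content; a missing
// package, or a browser that blocks chrome:// from pages, fires onerror.
// Some builds fire neither, so a timeout counts as "not detected".
// createImage is injected (e.g. () => new Image()) so it runs outside a browser.
function probeExtensions(probes, createImage, onDone, timeoutMs = 2000) {
  const results = {};
  let pending = Object.keys(probes).length;
  if (pending === 0) { onDone(results); return; }
  for (const [name, url] of Object.entries(probes)) {
    let settled = false;
    let timer;
    const finish = (found) => {
      if (settled) return;            // only the first event counts
      settled = true;
      clearTimeout(timer);
      results[name] = found;
      if (--pending === 0) onDone(results);
    };
    const img = createImage();
    img.onload = () => finish(true);
    img.onerror = () => finish(false);
    timer = setTimeout(() => finish(false), timeoutMs);
    img.src = url;                    // assigning src starts the load
  }
}

// Render results in the wording the original demo page used.
function formatReport(results) {
  return Object.entries(results).map(
    ([name, found]) => `You are ${found ? "" : "not "}using ${name}`);
}

// In a browser, run the real probe. Current Firefox refuses chrome:// loads
// from web content, so every line should read "not using".
if (typeof Image !== "undefined") {
  probeExtensions(CHROME_PROBES, () => new Image(),
    (r) => console.log(formatReport(r).join("\n")));
}
```

On a Firefox that blocks chrome:// access from web content (as later commenters report), every probe comes back false; that is the mitigated result, so the script doubles as a quick check that the leak is closed.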

August 23rd, 2006 at 11:19 am
This is true, although only for the extensions which are loaded by Chrome on startup. If you have an extension which is enabled in the Tools bar but isn’t initiated, it does not show up. That’s why (I’m building some extensions btw) I invoke the function on the user’s request, and switch it off when they are done with the extension. (eventlisteners)
But if I think about it, isn’t this the same as MSIE, which leaves footprints in the header like MSOffice, ShockwaveFlash, and other installed apps?
August 23rd, 2006 at 12:00 pm
Nice find

Some more information about chrome://?
You’re a champion rsnake
August 23rd, 2006 at 12:17 pm
http://lxr.mozilla.org/aviary101branch/source/browser/base/content/browser.js
http://lxr.mozilla.org/aviary101branch/source/browser/base/content/browser.xul
http://www.xulplanet.com/ API docs
http://lxr.mozilla.org/ Mozilla source
http://addons.mozilla.org/ source of other extensions
August 23rd, 2006 at 1:11 pm
RSnake,
Very nice find. I like the idea. Actually I have something similar in mind but don’t have a working version yet.
I was thinking: is it possible to jump from the current web page’s restricted JavaScript sandbox into the browser context by taking advantage of not properly written plugins?
The attack vector will be as follows:
1. The user visits evil.com.
2. evil.com detects vulnerable Firefox plugins.
3. Upon detection, something malicious gets written into the current document.
4. The plugin reads the malicious content.
5. Because the plugin takes for granted that the current document is not malicious, JavaScript logic jumps into the browser context by performing Cross Site Scripting. Well, in this case it will be Cross Context Scripting (CCS).
6. Game Over. Now the attacker has full access to your browser.
August 23rd, 2006 at 1:34 pm
Thank you very much for these links
August 23rd, 2006 at 2:01 pm
Cross Context Scripting…
I was thinking about alternative ways of exploiting the browser without going through the process of finding overflows or other common vulnerabilities. The first most obvious thing I come across is exploiting the user space plugins. There are many reas…
August 23rd, 2006 at 8:12 pm
pdp, that is possible, depending on the plugin interaction with the browser itself. I could easily see that happen but I can’t think of any actual examples of how it would. I’ll have to think about it. What I haven’t been able to do is execute control over the browser in any context with the plugin, save include CSS from it, but I haven’t experimented with this heavily yet.
August 24th, 2006 at 11:05 am
Nice find RSnake,
well anyway I didn’t get any popup. How could plugin info help us in exploiting the target? What do you rate its impact??
–hackuin60s!!
August 24th, 2006 at 11:19 am
hackuin60s, well there are a number of ways you could potentially exploit this, but it completely depends on what the plugin does. If you happen to know that one plugin is vulnerable to something you can attack it (like the IETabs issue). If you happen to know that the plugin alerts the user when you do something, you can not do that thing to avoid detection.
By itself the detection is a low risk, but coupled with an actual exploit it could be anywhere from moderate to high risk - including remote compromise if done correctly. I just don’t have time to go through all the hundreds of plugins and test each one.
August 24th, 2006 at 2:10 pm
Nice demo, RSnake! This technique should prove very useful, even in web apps that have nothing to do with web security.
August 25th, 2006 at 2:37 am
Fex - enables Firefox Extension Scanner…
Couple of days ago RSnake presented a really nice POC on how to detect Firefox extensions using JavaScript and Image tags. This definitely goes into AttackAPI as soon as I finish working on my other projects. Meanwhile here it is a simple (well maybe …
August 26th, 2006 at 6:18 pm
“You are not using FasterFox
You are not using Web Developer
You are not using Customize Google”
But I am. Is this a Windows-only issue, because I’m on Ubuntu dapper?
August 26th, 2006 at 8:23 pm
I don’t have ubuntu to test, but I only tested this on Windows, so yes, it might just be a Windows issue.
August 27th, 2006 at 11:32 am
Firefox 1.5.0.5
Slackware 10.2
You are using FasterFox
You are using WebDeveloper
It detected extensions that I’m using on a Linux platform. It is not Windows only.
August 27th, 2006 at 12:38 pm
Interesting, maybe it’s stored in a different physical location in Ubuntu. If that’s the case, it could lead to another form of OS detection between Linux distros.
September 2nd, 2006 at 8:02 am
[…] 5.5 Browser Plugin Exploitation http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/ […]
September 8th, 2006 at 5:41 am
It also works on Dapper (Ubuntu) Linux-i686-dapper-drake.
I think it’s because of the Firefox version you use, or it might be that you have old versions of the extensions, which do not have the image icon on which RSnake’s script detects the plugin.
September 8th, 2006 at 7:04 am
The next interesting thing you might like: there is a “tor” plugin available; the plugin gives you the ability to switch “tor” on and off (only if you have a tor client on your machine, of course).
In contrast with your discovery of the chrome flaw, this would be a nice way to detect if someone is using “tor” and redirect them if possible.
It is known that some governmental institutes use a tor based client to visit sites; if they install this plugin, they could be noticed by the script with a few minor changes.
September 8th, 2006 at 8:17 am
Hm! That is interesting, jungsonn! I’m always interested in ways to de-anonymize traffic. That’s certainly one way to at minimum detect that they are attempting to anonymize themselves and at worst, interact with the client in some manner.
September 9th, 2006 at 8:35 am
https://bugzilla.mozilla.org/show_bug.cgi?id=292789
The bug was submitted in 2005, yet they have not decided what to do.
October 7th, 2006 at 9:07 am
jungsonn/RSnake -
Regarding Tor, you don’t need to use JS for that. You can poll the directory servers and compile a list of exit nodes, compare the requester against those and respond accordingly. Then they can’t just disable JS or filter your detection script to get at the original content, and it’s cross browser.
February 8th, 2007 at 3:43 am
[…] For those interested, I used the image-load trick first described by RSnake on ha.ckers.org. […]
June 13th, 2007 at 1:15 pm
Anyone know if this was “fixed” in a more recent version? In Firefox v2.0.0.4 the Web Developer toolbar is not detected using that test page.
Since the WebDev toolbar’s “Edit HTML” feature is a bit of a JavaScript security hole, it would be nice if the toolbar were detectable so a page could prompt the user to disable the toolbar.
September 11th, 2007 at 12:34 pm
Ironically, it’s a plugin that provides the first (partial) mitigation against this that I’ve seen so far: with NoScript enabled, this attack would have to come from an already-trusted site (unless the attack can be modified to work without requiring active content, which is certainly a possibility).
September 23rd, 2007 at 2:52 am
I have changed it to “chrome://webdeveloper/skin/classic/webdeveloper/toolbar/close.png” in your HTML page, but it doesn’t work. I think that chrome can’t be accessed from the page for security reasons.
October 29th, 2007 at 4:43 pm
Add-ons / extensions are privileged code. They can do stuff like read and write to the file system.
Can a web page call functions defined in add-ons or extensions? If so, how?
Can one extension call functions defined in a second extension?
December 19th, 2007 at 3:16 am
I tried to hide my website when it detects AdBlock Plus but adblock plus prevents my sites from calling any chrome:// URL. But for some reason it doesn’t when I visit your demo. Any thoughts?
February 27th, 2008 at 9:40 am
Hi guys,
I am currently trying to call a JS function in the extension from my web application, however I am having trouble with that because of the permission restrictions in FF.
I tried to use window.Components (classes and interfaces) in order to do that but didn’t succeed.
I am just wondering: if you are the one who writes the extension and the client accepts to install it, then there should be a way to “publish” some of the functions as global.
Can anyone guide me how I can do that?
Thanks in advance.
April 13th, 2008 at 10:18 am
If someone needs the solution - see http://forums.mozillazine.org/viewtopic.php?t=644901
June 19th, 2008 at 9:24 am
I’m on Windows and it didn’t detect any of the plugins I did have in that list.
January 31st, 2009 at 1:58 am
You should update the list, the URLs of the chrome images are wrong now …
June 10th, 2009 at 4:01 pm
This is not working anymore with the new Firefox…
June 27th, 2009 at 1:57 pm
I need a detection for alexa sparky. I will pay for it, contact: steudler@gmx.net
November 6th, 2009 at 6:13 am
I agree with Andy. In my browser it did not work. =/
Could you help me?
April 24th, 2010 at 6:47 pm
This does not work with new versions of Mozilla Firefox. Is there any new solution???