web application security lab

Detecting Firefox Extensions

In the same vein as the IE-specific res:// URLs that can help you detect Internet Explorer, I've taken that detection one step further in Firefox. After discovering the issue with IETab, where a user can be maliciously forced into the Internet Explorer rendering engine, it got me thinking about ways to detect whether that is even possible. How do you know what your target is running, and how do you take advantage of that information? Taking advantage of it is a huge ball of wax and depends entirely on the browser extension in question. In this case the IETab issue was pretty straightforward, but others may not be, and will take a lot more time to analyze (probably by many more people than me alone).

But while messing around with the Web Developer toolbar's “generated source” DOM utility I happened upon one of my extensions' information being written into the DOM. In tracking down the chrome element, I realized that Firefox has an issue similar to Internet Explorer's: items that are registered with the browser can be enumerated from a web page. Specifically, of all things, images: an image an extension registers under its chrome:// package either loads or fails to load, and that tells you whether the extension is installed. The naming convention isn't standard, so you can't write one probe that works for everything, but I took the time to map out each of the ones I could find so you wouldn't have to dig.

In Firefox (with JavaScript turned on) click on this URL to show some of the extensions you may have installed. Sorry for the popup, but it has some odd interactivity which I haven't fully diagnosed.
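As an added example of the image-load probe described above (this is not RSnake's demo script, which is not reproduced on this page), the following JavaScript walks a list of chrome:// image URLs and reports which ones load. The extension names and chrome:// paths in the probe list are placeholders, not real mappings: the post's point is that each one has to be mapped by hand because there is no standard naming convention. The image loader is injectable so the detection logic can also be exercised without a browser.

```javascript
// Added example, not RSnake's demo code. Probes chrome:// image URLs from a
// web page: if the image loads, the chrome package (and so the extension that
// registers it) is present; if it errors out, it is not.

// Constructed probe list. The extension names and chrome:// paths are
// placeholders; real entries must be mapped per extension and per version.
var PROBES = [
  { name: "Extension A", url: "chrome://extension-a/skin/icon.png" },
  { name: "Extension B", url: "chrome://extension-b/content/logo.png" },
  { name: "Extension C", url: "chrome://extension-c/skin/toolbar/button.png" }
];

// Browser loader: reports true when the image loads, false on error, and
// false if neither event fires within timeoutMs (a hung load is treated as
// "not installed" rather than blocking the result forever).
function browserImageLoader(url, cb, timeoutMs) {
  var settled = false;
  var timer;
  function finish(loaded) {
    if (settled) return;
    settled = true;
    clearTimeout(timer);
    cb(loaded);
  }
  timer = setTimeout(function () { finish(false); }, timeoutMs || 2000);
  var img = new Image();
  img.onload = function () { finish(true); };
  img.onerror = function () { finish(false); };
  img.src = url;
}

// Runs every probe through loadImage(url, cb) and calls done(results) once all
// probes have reported. Results keep the probe order regardless of the order
// in which the load events arrive.
function probeExtensions(probes, loadImage, done) {
  var results = new Array(probes.length);
  var pending = probes.length;
  if (pending === 0) { done(results); return; }
  probes.forEach(function (probe, i) {
    loadImage(probe.url, function (loaded) {
      results[i] = { name: probe.name, url: probe.url, detected: loaded };
      pending -= 1;
      if (pending === 0) done(results);
    });
  });
}

// Renders results in the style of the original demo's output.
function describe(results) {
  return results.map(function (r) {
    return (r.detected ? "You are using " : "You are not using ") + r.name;
  });
}

// Offline stand-in for the browser loader: the given URLs are treated as
// registered chrome packages, everything else as absent.
function makeFakeLoader(registeredUrls) {
  var registered = {};
  registeredUrls.forEach(function (u) { registered[u] = true; });
  return function (url, cb) { cb(registered[url] === true); };
}

// In a browser, run the real probe; elsewhere, run it against the fake loader
// (constructed: pretend Extension B is installed) so the example still runs.
var loader = (typeof Image === "function")
  ? browserImageLoader
  : makeFakeLoader([PROBES[1].url]);
probeExtensions(PROBES, loader, function (results) {
  describe(results).forEach(function (line) { console.log(line); });
});
```

Dropped into a page in a Firefox of this era, it prints one “You are using …” line per probe. Two caveats matter in practice: a probe only says something if the image path matches the installed version of the extension (several commenters below report misses for exactly that reason), and from Firefox 3 onward web content can only load chrome:// resources from packages whose chrome.manifest flags them contentaccessible=yes, which is why the technique stops working for most extensions in later versions.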

Knowing what your target has installed is both a way to fingerprint the user and a way to bypass whatever security settings they may have: knowing what they have installed can help you figure out ways around it, or use it to your advantage as we saw with IEView. I've always thought extensions would be Firefox's major security flaw. It looks like we're getting closer to proving that.

35 Responses to “Detecting Firefox Extensions”

  1. jungsonn Says:

    This is true, although only for the extensions which are loaded by chrome on startup. If you have an extension which is enabled in the Tools bar but isn't initiated, it does not show up. That's why (I'm building some extensions, btw) I invoke the function on the user's request, and switch it off when they are done with the extension (event listeners).

    But if I think about it, isn't this the same as MSIE, which leaves footprints in the header like MSOffice, Shockwave Flash, and other installed apps?

    :)

  2. Girzi Says:

    Nice find ;-)
    Some more information about chrome:// ?
    You're a champion, RSnake :-)

  3. jungsonn Says:

    http://lxr.mozilla.org/aviary101branch/source/browser/base/content/browser.js
    http://lxr.mozilla.org/aviary101branch/source/browser/base/content/browser.xul

    http://www.xulplanet.com/ API docs
    http://lxr.mozilla.org/ Mozilla source
    http://addons.mozilla.org/ source of other extensions

  4. pdp Says:

    RSnake,
    Very nice find. I like the idea. Actually I have something similar in mind but don't have a working version yet.

    I was thinking: is it possible to jump from the current web page's restricted JavaScript sandbox into the browser context by taking advantage of improperly written plugins?

    The attack vector will be as follows:
    1. The user visits evil.com.
    2. evil.com detects vulnerable Firefox plugins.
    3. Upon detection, something malicious gets written into the current document.
    4. The plugin reads the malicious content.
    5. Because the plugin takes for granted that the current document is not malicious, JavaScript logic jumps into the browser context by performing Cross Site Scripting. Well, in this case it will be Cross Context Scripting (CCS).
    6. Game over. Now the attacker has full access to your browser.

  5. Girzi Says:

    Thank you very much for these links ;-)

  6. GNUCITIZEN Says:

    Cross Context Scripting…

    I was thinking about alternative ways of exploiting the browser without going through the process of finding overflows or other common vulnerabilities. The first most obvious thing I come across is exploiting the user space plugins. There are many reas…

  7. RSnake Says:

    pdp, that is possible, depending on the plugin interaction with the browser itself. I could easily see that happen but I can’t think of any actual examples of how it would. I’ll have to think about it. What I haven’t been able to do is execute control over the browser in any context with the plugin, save include CSS from it, but I haven’t experimented with this heavily yet.

  8. hackuin60s Says:

    Nice find, RSnake.
    Well anyway, I didn't get any popup. How could plugin info help us in exploiting the target? How do you rate its impact?

    –hackuin60s!!

  9. RSnake Says:

    hackuin60s, well, there are a number of ways you could potentially exploit this, but it completely depends on what the plugin does. If you happen to know that one plugin is vulnerable to something, you can attack it (like the IETabs issue). If you happen to know that the plugin alerts the user when you do something, you can refrain from doing that thing to avoid detection.

    By itself the detection is a low risk, but coupled with an actual exploit it could be anywhere from moderate to high risk - including remote compromise if done correctly. I just don’t have time to go through all the hundreds of plugins and test each one. ;)

  10. scottj Says:

    Nice demo, RSnake! This technique should prove very useful, even in web apps that have nothing to do with web security.

  11. GNUCITIZEN Says:

    Fex - enables Firefox Extension Scanner…

    A couple of days ago RSnake presented a really nice POC on how to detect Firefox extensions using JavaScript and image tags. This definitely goes into AttackAPI as soon as I finish working on my other projects. Meanwhile here it is a simple (well maybe …

  12. pheno Says:

    “You are not using FasterFox
    You are not using Web Developer
    You are not using Customize Google”

    But I am. Is this a Windows-only issue, because I’m on Ubuntu dapper?

  13. RSnake Says:

    I don’t have ubuntu to test, but I only tested this on Windows, so yes, it might just be a Windows issue.

  14. sp00k Says:

    Firefox 1.5.0.5
    Slackware 10.2

    You are using FasterFox
    You are using WebDeveloper

    It detected extensions that I'm using on a Linux platform. It is not Windows only.

  15. RSnake Says:

    Interesting, maybe it’s stored in a different physical location in Ubuntu. If that’s the case, it could lead to another form of OS detection between Linux distros.

  16. Operation n » Blog Archive » Awakening the Sleeping Giant v1.0 Says:

    […] 5.5 Browser Plugin Exploitation http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/ […]

  17. jungsonn Says:

    It also works on Dapper (ubuntu) Linux-i686-dapper-drake

    I think it's because of the Firefox version you use, or it might be that you have old versions of the extensions, which do not have an image icon on which RSnake's script detects the plugin.

  18. jungsonn Says:

    The next interesting thing you might like: there is a “tor” plugin available; the plugin gives you the ability to switch “tor” on and off (only if you have a tor client on your machine, of course).

    In contrast with your discovery of the chrome flaw, this would be a nice way to detect if someone is using “tor” and redirect them if possible.

    It is known that some governmental institutes use a tor-based client to visit sites; if they install this plugin, they could be noticed by the script with a few minor changes.

  19. RSnake Says:

    Hm! That is interesting, jungsonn! I’m always interested in ways to de-anonymize traffic. That’s certainly one way to at minimum detect that they are attempting to anonymize themselves and at worst, interact with the client in some manner.

  20. jungsonn Says:

    https://bugzilla.mozilla.org/show_bug.cgi?id=292789

    The bug was submitted in 2005, yet they have not decided what to do.

  21. NickFaker Says:

    jungsonn/RSnake -

    Regarding Tor, you don't need to use JS for that. You can poll the directory servers and compile a list of exit nodes, compare the requester against those and respond accordingly. Then they can't just disable JS or filter your detection script to get at the original content, and it's cross-browser.

  22. Kaizou Blog » Blog Archive » Added automatic extension detection code Says:

    […] For those interested, I used the image-load trick first described by RSnake on ha.ckers.org. […]

  23. Ricky Says:

    Anyone know if this was “fixed” in a more recent version? In firefox v2.0.0.4 the web developer toolbar is not detected using that test page.

    Since the WebDev toolbar’s “Edit HTML” feature is a bit of a JavaScript security hole, it would be nice if the toolbar were detectable so a page could prompt the user to disable the toolbar.

  24. darkuncle Says:

    Ironically, it's a plugin that provides the first (partial) mitigation against this that I've seen so far: with NoScript enabled, this attack would have to come from an already-trusted site (unless the attack can be modified to work without requiring active content, which is certainly a possibility).

  25. Michael Sync Says:

    I have changed it to “chrome://webdeveloper/skin/classic/webdeveloper/toolbar/close.png” in your HTML page but it doesn't work. I think that chrome can't be accessed from the page for security reasons.

  26. bang_zippy Says:

    Add-ons / extensions are privileged code. They can do stuff like read and write to the file system.

    Can a web page call functions defined in add-ons or extensions? If so, how?

    Can one extension call functions defined in a second extension?

  27. random Says:

    I tried to hide my website when it detects AdBlock Plus but adblock plus prevents my sites from calling any chrome:// URL. But for some reason it doesn’t when I visit your demo. Any thoughts?

  28. David Gevorkyan Says:

    Hi guys,

    I am currently trying to call a JS function in the extension from my web application; however, I am having trouble with that because of the permission restrictions in FF.

    I tried to use window.Components (classes and interfaces) in order to do that but didn't succeed.

    I am just wondering: if you are the one who writes the extension and the client accepts installing it, then there should be a way to “publish” some of the functions as global.

    Can anyone guide me how I can do that?

    Thanks in advance.

  29. David Gevorkyan Says:

    If someone needs the solution - see http://forums.mozillazine.org/viewtopic.php?t=644901

  30. Eddie Says:

    I’m on Windows and it didn’t detect any of the plugins I did have in that list.

  31. Nirahiel Says:

    You should update the list, the URLs of the chrome images are wrong now … ;)

  32. Andy Says:

    This is not working anymore with the new Firefox…

  33. George Says:

    I need a detection for alexa sparky. I will pay for it, contact: steudler@gmx.net

  34. Luis Says:

    I agree with Andy. In my browser it did not work. =/
    Could you help me?

  35. traleto Says:

    This does not work with new versions of Mozilla Firefox. Is there any new solution???