web application security lab

Remote Firefox Vulnerabilities

Brian Krebs at the Washington Post had a story about a post by Chris Soghoian, who found that you can use a MITM attack to overwrite addons in Firefox. Actually, believe it or not, I was planning on releasing the exact same issue, but alas, that’s what I get for waiting. More than one person heard me say this, and I even sent Jeremiah a PowerPoint deck on this exact thing last night, and even mentioned it in passing during my OWASP talk yesterday, so I’m not just blowing smoke, but alas, Chris disclosed it first so he wins, and good for him. Chris did a good job of explaining it in gory detail too. While most addons are hosted on addons.mozilla.org, there are quite a few that fetch their updates straight over plain http connections. There’s a great idea - let’s run arbitrary code from untrusted resources!

The offenders range from big companies like Google, Yahoo, and Facebook, to security software like Netcraft’s toolbar and the Phishtank’s toolbar, down to little addons like Bugmenot and Localrodeo. If you use Firefox and are at all concerned about man in the middle attacks over wireless connections, it’s time to uninstall those addons. If you use a laptop and have those addons installed you are taking a big risk of complete compromise, because whoever controls the network can hand your browser an addon update of their choosing. Yes, this is nasty. Daniel Veditz said they would have expected people would have known better. This is one of those things where, if you don’t warn people at a minimum, they won’t know to think twice. Mozilla may “block” all unsecured content. While I don’t think that’s a great idea, at least they could warn people about what they are doing. Good work by Chris - I just wish I had disclosed it first!
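The post talks about addons that fetch updates over plain http without saying how to tell which of your own addons do that. The script below is an added example (not from the post, and not Mozilla’s or any addon vendor’s code): it parses the install.rdf manifest that an extension of that era shipped with and classifies its update channel as https, http with an updateKey for signed updates, http with no signing at all, or no updateURL (meaning the default addons.mozilla.org channel). The manifests and the updateKey value are constructed for the example; the addon ids and hostnames are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Firefox install.rdf manifests.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample manifest: update channel is plain http and there is no
# updateKey, so anyone on the network path can substitute the update.rdf and xpi.
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-toolbar@example.invalid</em:id>
    <em:name>Example Toolbar</em:name>
    <em:version>1.0</em:version>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>
"""

# Same manifest with a (constructed, not a real key) updateKey: update.rdf
# responses would have to be signed, so a plaintext channel is less exposed.
SAMPLE_SIGNED_INSTALL_RDF = SAMPLE_INSTALL_RDF.replace(
    "</em:updateURL>",
    "</em:updateURL>\n    <em:updateKey>PLACEHOLDER-BASE64-PUBLIC-KEY</em:updateKey>",
)


def _em(tag):
    return "{%s}%s" % (EM_NS, tag)


def _prop(desc, tag):
    """Return an em: property written either as a child element or as an attribute."""
    child = desc.find(_em(tag))
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(_em(tag))


def audit_install_rdf(xml_text):
    """Classify how an extension receives updates, based on its install.rdf."""
    root = ET.fromstring(xml_text)
    desc = None
    for d in root.iter("{%s}Description" % RDF_NS):
        about = d.get("about") or d.get("{%s}about" % RDF_NS)
        if about == "urn:mozilla:install-manifest":
            desc = d
            break
    if desc is None:
        raise ValueError("no install-manifest Description in manifest")

    update_url = _prop(desc, "updateURL")
    update_key = _prop(desc, "updateKey")
    if update_url is None:
        verdict = "amo-default"      # no updateURL: addons.mozilla.org over https
    elif urlparse(update_url).scheme.lower() == "https":
        verdict = "https"
    elif update_key:
        verdict = "http-signed"      # plaintext channel, but update.rdf is signed
    else:
        verdict = "http-unsigned"    # the case the post is about

    return {
        "id": _prop(desc, "id"),
        "version": _prop(desc, "version"),
        "update_url": update_url,
        "verdict": verdict,
    }


def is_mitm_exposed(report):
    """True when an on-path attacker could feed the extension a bogus update."""
    return report["verdict"] == "http-unsigned"


if __name__ == "__main__":
    for manifest in (SAMPLE_INSTALL_RDF, SAMPLE_SIGNED_INSTALL_RDF):
        r = audit_install_rdf(manifest)
        print(r["id"], r["version"], r["update_url"], r["verdict"],
              "EXPOSED" if is_mitm_exposed(r) else "ok")
```

Point this at the install.rdf inside each .xpi in a profile’s extensions directory to get the same kind of offender list the post gives. Note the check only tells you about the update channel; an extension that fetches code or data over http at runtime, as the toolbars discussed here do, still needs its network behaviour reviewed separately.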

14 Responses to “Remote Firefox Vulnerabilities”

  1. Kishor Says:

Doesn’t it mean that we should always use https? Why are only Firefox extensions vulnerable (other than the reason that the extensions are updated in the background)? If I’m trying to download an exe over http, am I not under a threat?

    Please clarify.

  2. Ronald van den Heetkamp Says:

Yeah, I was playing with the same idea for a few months now, and eventually didn’t write about it, because it’s actually the same as MITM in normal traffic. It’s too abstract and only theoretical, hardly practical. I’d rather see some research on how the Mozilla devs are making sure there are no back doors coded into extensions.

Another idea is to clone the Mozilla update popup, throw it at users and let them install a malicious update. This is practical, and would fool plenty of people; it’s also far easier than sniffing traffic.

Or like Zeno showed a while back, by creating a browser overlay. Was a pretty cool hack; it’s somewhere in the forums if anyone wants to look at it.

  3. a flying horse Says:

    Plugins and extensions in Firefox are two entirely different things. Please use the correct word.

  4. RSnake Says:

kishor - that is also true; no, you didn’t miss anything. The only difference is it is far more likely that they will download the plugins (happens about once a day) than a random .exe file - assuming they are using Firefox and not IE. But both are possible.

    Ronald - it’s not that theoretical. I actually sat in a hacker con and watched the Errata Security guys sniff everyone’s traffic as part of a demo. Guys like them are all over the world and they travel a lot. While it’s not common, it does definitely happen.

    a flying horse - while you completely missed the point of the article, I did change it, but not to extensions but to addons as that is what Firefox calls it in the browser.

  5. zeno Says:

Sorry, but is this new/news? This would fall under the ‘duh, don’t trust DNS’ bucket and the ‘sign your crap’ category as well (Yes, I am aware that if it was signed the DNS thing wouldn’t be an issue).

    It’s like your DNS getting jacked and you going to bankofamerica.com and getting phished because now it points to a different site, except for that situation you can’t blame the user because deploying certs to everyone isn’t feasible.

This stuff is pretty crypto 101...

  6. Ferruh Mavituna Says:

I think everyone was planning to release this issue. I released my hash about 2 weeks ago :)

Here are the details: http://seclists.org/fulldisclosure/2007/May/0535.html and a PoC xpi (backdoored Google toolbar) and sample update response XML.

  7. RSnake Says:

Zeno - yes, it is news. Yes, it is a major “duh” issue, but look at the list of offenders. Just because you/we all get it doesn’t mean it’s not a real world issue that isn’t fixed.

    Ferruh - it’s a small world! Maybe I should stop holding onto my 0days.

  8. zeno Says:

What I SHOULD have said is: rather than stating that specific plug-ins are vulnerable, state that the Firefox process itself is lacking these checkpoints and requirements. Sure, Firefox wants innovation and for things not to slow down; however, asking for ssl/certs/signing I don’t see as that big of a deal.

I don’t see this as too unrealistic.

    - zeno
    http://www.cgisecurity.com/

  9. Ronald van den Heetkamp Says:

    @RSnake,

Oh no, I didn’t mean the sniffing alone :) I did that myself as an experiment back in 2005. I only think it’s not very plausible that a businessman is

    1. on his wireless laptop
    2. installs a Firefox update
    3. all of a sudden you are there, sniffing data, and he knows that the businessman is upgrading FF. *cough* I mean, what chance is that?
    4. replaces/injects packages.

That is way too much effort for it to succeed in my eyes, and thereby I cannot label it as “practical”; rather theoretical, as most security issues are.

Because it would be the same effort to hijack a wifi connection of my neighbours; I think that is even easier. Or just sniffing traffic over the plain wire - where 95% gets sent unencrypted.

That’s what I meant; sorry, maybe I was a little vague. ;)

  10. RSnake Says:

@Ronald - it’s incredibly easy to see that someone is upgrading Firefox. You just wait for them to pull a .rdf file. It’s super, super easy if you know what you are looking for. Having a ready-made script to take it over is also super easy.

Sniffing traffic is only useful if the traffic is unencrypted. If they use SSL they are off the map. But if you own them with a .xpi file of your own, it doesn’t matter if they use SSL or not; you can see and do anything you like to them. It’s far more interesting than sniffing alone.

  11. Ronald van den Heetkamp Says:

Yep, it is; it’s also easy to see if someone is browsing on his bank website - before he logs in. There can be many scenarios. But when it comes down to actually doing this stuff, and only replacing a Firefox extension, that seems trivial to me. I think people have better things to do. There are tons of MSIE exploits which could give hackers instant access, even on MSIE 7.0, like the one that has been discovered lately. You see, I’m only trying to be real here. Sure, it is possible, but is it plausible that this will ever happen? I guess not.

I think it’s too easy to assume this will be used in the real world rather than as a nice intellectual exercise, because that person is wireless anyway. That is insecure by default. Even with 128K encryption, it can be cracked in under two minutes with very simple tools. So I can agree with Dan from Mozilla that users should know that being wireless is a risk, and it has nothing to do with the browser itself. Any installation can be captured, and I would rather send a popup from their bank to download the new software than to install extensions.

    Sorry, but that’s how I see it.

  12. a flying horse Says:

Nope, they are grouped under add-ons (since Fx 1.5, I think), but still called themes and extensions. Things like, say, Java, QuickTime, Acrobat and Flash are plugins, but referring to extensions as plugins too is just confusing. I didn’t mean to offend you, though. Sorry if I did.

  13. Chris Soghoian Says:

    @Ronald,

You state that the chances are quite slim that someone will be on his wireless laptop and will then install a Firefox update - all while an attacker is watching.

    The whole point of this attack is that several big name vendors, such as Google, have hardcoded their extensions to automatically check for updates every single time Firefox starts up, and then to silently download them without prompting the user.

    Thus, the actual attack scenario is as follows:

    1. Businessman is on wireless laptop at coffee shop.
    2. Businessman boots up machine, starts up Firefox (with Google Toolbar) - which then automatically connects to http://tools.google.com to check and see if an update is available.
    3. An evil hacker has set up a malicious wireless router, or left a device nearby that monitors the network, and performs DNS/arp spoofing to hijack the automatic requests to tools.google.com
    4. Pwned.

    I want to make it perfectly clear that because of several dubious design decisions made by Google and others, the businessman does not need to manually try to download an update. All he needs to do is open Firefox, and Google toolbar will handle the rest.

  14. Ronald van den Heetkamp Says:

    So now it also needs the Google toolbar?

Good movie plot, and that’s about it. It’s terribly creative to come up with it. This is also the reason I didn’t bother to write about it; I’ve been playing with the same ideas, started back in 2006 when I wrote a couple of ideas for it down. But, since I figured it’s wireless, I didn’t bother to speak one word about it. I’d rather clone the hotspot I’m in, instantly grabbing all incoming connections; seems a little more realistic and practical to pull off _with success_

I don’t know about any extension that pings home; I have plenty installed and none of them does that, and if so I would know about it. If there are - which I’m sure of - I would block them from doing so. Only on request.

And if I’m in the same cafe as that businessman, why all the hassle? Just knock him over and grab his laptop. You’ll be making more money than when you are struggling and hoping that the extension phones home; sorry, but that isn’t realistic at all,

    it’s really scraping the bottom of the bottle.