Exploiting Firefox Through Plugins: a Demonstration and Defense of Harmful Browser Plugins - PowerPoint PPT Presentation

1
Exploiting Firefox Through Plug-ins: a
Demonstration and Defense of Harmful Browser
Plug-ins
  • Boris Kurktchiev, Kimberly Yonce, Paul Sagona
  • Browsers and How Secure are They Really

2
Overview
  • What is the problem we discovered?
  • Why is it relevant?
  • What did we do?
  • How are we planning on doing it?
  • Is it effective?
  • Is there a way to fix it?
  • Anyone else out there?
  • Conclusions

3
What is the problem?
  • In 2004, Microsoft's Internet Explorer (IE)
    browsing software received a high level of
    scrutiny from the security community due to its
    recent (at the time) exploits. A solution that
    presented itself to those in need of stronger
    security was to switch to alternative browsers,
    such as Firefox and Opera, which did not contain
    the same types of vulnerabilities.

4
What is the problem?
  • Since 2004, Firefox has gained immense popularity,
    with its latest version having been downloaded 534
    million times.
  • Even allowing for users with multiple downloads and
    discounting half or fewer of those downloads, that
    leaves around 300 million Firefox users on the
    Internet.

5
What is the problem?
  • With that many users, one should be able to
    assume that Firefox does what IE could not:
    provide us with a safe Internet experience.

6
  • WRONG!!!

7
Why is it relevant?
  • Firefox allows a user to install a multitude of
    plug-ins which extend the browser and its
    capabilities.
  • Everything from pop-up blocking and ad-blocking
    to actual content modification is installable
    using the plug-in system.

8
Why is it relevant?
  • Why is this a problem? Because there is no way
    to verify the plug-in.
  • Firefox itself has a built-in feature which prompts
    the user and asks whether they are sure the
    plug-in's source is a legitimate one, but past this
    safety measure there is nothing.

9
Why is it relevant?
  • Symantec documented 237 browser plug-in
    vulnerabilities in the first half of 2007.
    Compared to only 74 plug-in vulnerabilities in
    the second half of 2006, this is a 320% jump.
  • Plug-ins became an easy focal point for attacks
    because they are easier to exploit than browsers,
    yet can produce the same benefit to the attacker.

10
What did we do?
  • So what exactly did we discover in this project?
  • We are in the process of writing a plug-in which,
    once installed, will transmit the user's stored
    usernames and passwords to a location of our
    choosing. In this case, a MySQL database.

11
How are we planning on doing it?
  • The biggest challenge is to get the user to
    install our plug-in. So how shall we do it?
  • Very simple: set up a legitimate-looking site,
    prompt the user and tell them that in order for
    the site to function properly it requires them to
    install a plug-in. Redirect them to a replica of
    the official Mozilla plug-in site and we are home
    free.

12
How are we planning on doing it?
  • The big thing with this plug-in is the fact that
    it is JavaScript, which means that it is not a
    compiled executable but just a simple list of
    commands that tell the browser what to do.
  • In order to prevent a relatively knowledgeable
    person from discovering what we are doing, we use
    code obfuscation.

13
How are we planning on doing it?
  • var E23F6BC7C5C19E73C831A4DA422D882D = 'z-8X213d)l"w L\'THh4Ayk(!pbYamJNgMRne<Gi7_sQBt/fvV\oE\OqS@.UZIK0c>FW6PujC5r?,x9D'
  • var C5E6209D9273E2797B127382F6ACB136 = '_T-9ifNk?!X(vGrZQeKjA,54L\' 3xW\OubCswE\o>8PIDJ<m)y@67ptlU12SaFMHc.z"dhBqRgYV0n/'
  • var E8DDE6B029EA96B5CF0D7B5450059F86 = 'TR\OKZpU29aXuxAmhP)Vj6\'@8S<-Hr3fI,d0QsknM"(>!\oq.c15DtFezElJ _Ng/yi7BYLC?wW4vbG'
  • var EC49CA9C86211F3CF554D2665CFB2887 = 'WbH2BQ9(LEsNKxfgIZXtjn z,?iFGq.\'\oe<U">r@v4YVhkMSc!pwa5udyR6TC_Jml03/P)8D-A17\O'
  • var D42AF8F3570970AB870BC8B37B5DD5A1 = 'g"q()S7WywFRY4as36T efbV.1<cuKv->\'Z5?xjpG2mArNXMl!E/\OHni8z,\okQD_PJd9UI0BC@thL'
  • var FF7BD981DA8F221150F6127948BF56A5 = '\O_/HeG3?5wSa0hkbI!9LJ4Zjg@dM"<Qv\'6CYKEcn(qW7ApP,1fxX.)8s>iVFUztT2uBlDRNrmy\o -'
  • var FD517D7E0E98A21076B5E734285F7F48 = 'Hh,\'40r7wd6FVftqiEKy_SALQCe)2j/pz\o(<Jl8RZUT@cu->YxIg\OM!mbW.NPvaXkBDs539 G"n?1'
  • var E9D29A73A39D16D89202A278E16E7248 = 'e\'-@z_DYUx5K9Q\o4"uS(wVingFqtr?T<pa!8mPB0X>N\O.fIJdvcMHGRyEWhsjL, l7/6Z321C)Akb'
  • var DF8D951B646FEC7506EC519A361B99D2 = 'x_Hsy3lBh-pZKaRA,tn>czJ!b7D<21Y"ikerXvCf/g05Em8IGLFS?N\'T u94MW.)(UVdj\oqQ\OwP6@'
  • var E8E9EE056DD3545E823A7F5447CADEB0 = 'K"bk.7sdZ)95<w,r\OiDGvCuAgaHf\'pSJBcT/\o>zQ0UPy_YXe1nR(t?-8lINx6WjMF2!E@mqhV3L4'
  • var F2F41EFEA85F6437CAD0D7B1FC092440 = 'ehrB!gyG"inuzV-.c7Fmj1sv_89EDqdJta(6kT,lX<K0\oI>\'S/H\O?@bYxMA)3W45PfLpC2UZ NRwQ'
  • var B6007422424EEA148AEB7E5397018D42 = 'ZyaJEd?hzW7f5rS\oG0L)!ilgu"PjD6X/tpeH.cwmBNR_Fn\'><M2qQ\O8 (kxTU14sbvC-VI9Y3@KA,'

14
Is it effective?
  • The answer to this question is... yes and no.
  • Yes, because we are able to steal data from the
    user without him or her knowing it, and then use
    that data to do malicious deeds.
  • No, because during our research we realized that
    even though we are able to change the payload of
    the plug-in (say, to install a binary), it will
    quickly be discovered by modern
    anti-virus/spyware software.

15
Is it effective?
  • Also, the best and worst thing about this exploit
    is the fact that it relies on nothing but
    JavaScript, which makes it almost undetectable by
    the above-mentioned packages, but limits the
    possible attacks to ones that use only the
    browser's functionality through JavaScript.
  • Although there are multiple plug-ins that
    improve on the default password storage facility,
    they just do that: build on top of it. No add-on
    replaces it.
  • So in the end we are still able to extract the
    information we want.

16
Is there a way to fix it?
  • It is hard to determine whether code has a
    legitimate purpose.
  • Our plug-in uses a database connection in order
    to dump the user's data, but how can we classify
    good and bad connections?
  • For that matter, how do we classify any
    communication that a plug-in needs as legitimate
    or not?

17
Is there a way to fix it?
  • So what is the best way to protect ourselves from
    this form of attack? DO NOT STORE YOUR
    PASSWORDS.
  • For a more realistic approach, Firefox
    could disallow the installation of plug-ins
    unless they come from the main plug-in
    repository.
  • Also, once processed, a plug-in could be signed
    and given a score. The score would be tied to an
    automated code review, which would tell the user
    how much information a plug-in will access and/or
    leak in order to work.
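The automated review proposed on this slide can be sketched as a static scorer that flags what a plug-in's JavaScript touches (stored credentials, the network, dynamic code execution) together with the obfuscation tell-tales from the earlier slide (hex-named variables holding high-entropy alphabet strings). The following is an added example written for this page, not code from the presentation and not Mozilla's review tooling; its rules, weights and entropy threshold are assumptions, and both sample sources are constructed, non-functional fragments that only contain the identifiers the scanner looks for. `nsILoginManager` and `XMLHttpRequest` are real legacy Firefox identifiers.

```python
"""Toy static risk scorer for a browser plug-in's JavaScript (added example).

Scores how much a plug-in touches stored credentials and the network, and
flags obfuscation indicators: 32-hex-digit variable names and long string
literals whose characters are spread like a cipher alphabet.
Rules, weights and the entropy threshold are illustrative assumptions.
"""
import math
import random
import re
import string
from collections import Counter

# (label, pattern, weight). The identifiers are real legacy Firefox names;
# the weights are made up for illustration.
RULES = [
    ("reads password manager", re.compile(r"nsILoginManager|login-manager;1"), 40),
    ("network request", re.compile(r"\bXMLHttpRequest\b"), 15),
    ("dynamic code execution", re.compile(r"\beval\(|\bnew Function\("), 20),
    ("hex-named variables", re.compile(r"\bvar\s+[0-9A-F]{32}\b"), 10),
]
ENTROPY_WEIGHT = 15
COMBO_WEIGHT = 30          # credential access and network code in the same file

# Single- or double-quoted JS string literals, honouring backslash escapes.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")


def shannon_entropy(text):
    """Bits per character; a permuted 95-symbol alphabet scores about 6.6."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_strings(source, min_len=40, threshold=5.5):
    """Long string literals whose character spread looks like a substitution table."""
    hits = []
    for m in STRING_LITERAL.finditer(source):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) >= min_len and shannon_entropy(literal) >= threshold:
            hits.append(literal)
    return hits


def score_extension(source):
    """Return (score 0..100, findings) for one plug-in source file."""
    findings = []
    score = 0
    for label, pattern, weight in RULES:
        count = len(pattern.findall(source))
        if count:
            findings.append((label, count))
            score += weight
    entropic = high_entropy_strings(source)
    if entropic:
        findings.append(("high-entropy string literals", len(entropic)))
        score += ENTROPY_WEIGHT
    labels = {label for label, _ in findings}
    if {"reads password manager", "network request"} <= labels:
        findings.append(("credentials reachable by network code", 1))
        score += COMBO_WEIGHT
    return min(score, 100), findings


# --- constructed samples: identifier fragments only, not working code -------
_rng = random.Random(7)                     # fixed seed so the sample is reproducible
_alphabet = list(string.ascii_letters + string.digits + "!#$%()*+,-./:;<=>?[]^_{|}~")
_rng.shuffle(_alphabet)
OBFUSCATION_KEY = "".join(_alphabet)        # 88 distinct symbols, entropy log2(88) ~ 6.46

SUSPICIOUS_SAMPLE = (
    "var E23F6BC7C5C19E73C831A4DA422D882D = '" + OBFUSCATION_KEY + "';\n"
    "var mgr = Components.interfaces.nsILoginManager;\n"
    "var req = new XMLHttpRequest();\n"
    "eval(decode(E23F6BC7C5C19E73C831A4DA422D882D));\n"
)

BENIGN_SAMPLE = (   # an ad-blocker-style fragment: fetches a filter list, nothing else
    "var FILTER_URL = 'https://example.invalid/filters/easylist.txt';\n"
    "var req = new XMLHttpRequest();\n"
    "function shouldBlock(url) { return filters.some(function (f) { return url.indexOf(f) !== -1; }); }\n"
)

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, findings = score_extension(src)
        print(f"{name}: score {score}")
        for label, count in findings:
            print(f"  - {label} (x{count})")
```

The score is deliberately crude: what matters to the user is the combination (credential access plus network code) and the obfuscation signals, which is why those carry the most weight, while a benign network-using add-on such as an ad blocker stays low. Mozilla later adopted mandatory add-on signing, which addresses the "only from the main repository" part of the slide but not the scoring part.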

18
Anyone else out there?
  • Gregory Bard details in his paper how a
    chosen-plaintext attack can be carried out on SSL
    using a plug-in. The plug-in could be written to
    behave transparently until a certain date is
    reached or a certain user logs in. This would
    allow the plug-in to pass scrutiny from the site
    administrators. The paper also mentions the use of
    class obfuscators to make the plug-in code
    incomprehensible to outside observers.

19
Anyone else out there?
  • Charles Reis et al. propose a new framework,
    BrowserShield, which performs vulnerability-driven
    filtering of dynamic HTML. BrowserShield
    rewrites HTML pages and any embedded scripts into
    safe equivalents before they are rendered by the
    browser, thus cleansing the dynamic content.
  • Phishing: an attempt to criminally and
    fraudulently acquire sensitive information, such
    as usernames, passwords and credit card details,
    by masquerading as a trustworthy entity in an
    electronic communication.

20
Conclusions
  • Be wary of plug-ins, whether they are ones for
    Firefox or any other browser out there.
  • Do not store your passwords in the browser.
  • If you do install a plug-in, make sure you are
    aware of what it is intended to do.
  • Install network applications that monitor your
    outbound connections and alert you when something
    is happening.
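The last conclusion, and the earlier slide's question of how to tell a plug-in's good connections from bad ones, can be made concrete with a simple policy: a browser process is expected to speak HTTP(S), so a direct connection from it to a database port such as MySQL's 3306 is worth an alert. The following is an added example written for this page, not code from the presentation; the log format, process names, port policy and all log lines are constructed assumptions (addresses are from the RFC 5737 documentation ranges), and a real host-firewall log would need its own parser.

```python
"""Toy outbound-connection monitor over constructed log lines (added example).

Flags connections from the browser process that fall outside an assumed
"web ports only" policy, e.g. a direct connection to a MySQL server.
"""
import re

# Constructed format: "<timestamp> <process> <proto> <dst_ip>:<dst_port>"
LOG_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)

BROWSER_PROCESSES = {"firefox", "firefox.exe", "firefox-bin"}   # assumed names
ALLOWED_BROWSER_PORTS = {80, 443}                                # assumed policy
PORT_NAMES = {3306: "mysql", 5432: "postgresql", 21: "ftp", 25: "smtp", 6667: "irc"}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, proc, proto, ip, port = m.groups()
    return {"ts": ts, "process": proc.lower(), "proto": proto,
            "dst_ip": ip, "dst_port": int(port)}


def classify(event):
    """Return None when the connection fits policy, else a readable alert reason."""
    if event["process"] not in BROWSER_PROCESSES:
        return None                      # this policy only covers the browser
    port = event["dst_port"]
    if port in ALLOWED_BROWSER_PORTS:
        return None
    service = PORT_NAMES.get(port, "unexpected port")
    return (f"{event['process']} opened {event['proto']} connection to "
            f"{event['dst_ip']}:{port} ({service})")


def scan_log(lines):
    """Return [(timestamp, reason)] for every browser connection outside policy."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:                # unparseable lines are skipped, not fatal
            continue
        reason = classify(event)
        if reason is not None:
            alerts.append((event["ts"], reason))
    return alerts


# Constructed sample log; timestamps and addresses are made up.
SAMPLE_LOG = [
    "2008-04-01T10:00:01 firefox tcp 203.0.113.10:443",       # normal browsing
    "2008-04-01T10:00:02 firefox tcp 203.0.113.10:80",
    "2008-04-01T10:00:05 thunderbird tcp 203.0.113.20:993",   # not the browser: ignored
    "2008-04-01T10:00:09 firefox tcp 198.51.100.7:3306",      # direct MySQL connection
    "2008-04-01T10:00:12 firefox tcp 198.51.100.8:6667",      # IRC from a browser process
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, reason in scan_log(SAMPLE_LOG):
        print(f"ALERT {ts}: {reason}")
```

A port allow-list is the simplest possible classifier and will not catch exfiltration tunnelled over HTTPS to an attacker-controlled web server; for that, the destination (a host the user never navigated to) rather than the port is the signal, which is exactly the classification problem the slide says is hard.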

21
References
  • [1] Bard, Gregory V. 2004. Vulnerability of SSL to Chosen-Plaintext Attack. Cryptology ePrint Archive. Report 2004/111. <http://mirror.cr.yp.to/eprint.iacr.org/2004/111.pdf>.
  • [2] Goth, Greg. 2004. IE Security Flaws Spike Interest in Alternative Browsers. IEEE Internet Computing. Vol. 8. pp. 8-11. <http://doi.ieeecomputersociety.org/10.1109/MIC.2004.63>.
  • [3] Keizer, Gregg. 2007. Hackers Milk Massive Increase in Browser Plug-In Bugs. ComputerWorld. <http://www.symantec.com/business/news/article.jsp?aid=in_092007_plugin_bugs>.
  • [4] Kirda, Engin and Christopher Kruegel. 2005. Protecting Users Against Phishing Attacks. The Computer Journal. Vol. 00. No. 0. <http://www.cs.ucsb.edu/~chris/research/doc/cj06_phish.pdf>.
  • [5] Known Vulnerabilities in Mozilla Products. Mozilla.org. <http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox>.
  • [6] Munro, Ken. 2007. Crossing the end-user application developer divide. Infosecurity. Volume 4. Issue 2.
  • [7] Reis, Charles et al. 2007. BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML. ACM Transactions on the Web. Vol. 1. No. 3. Article 11. <http://delivery.acm.org.pallas2.tcl.sc.edu/10.1145/1290000/1281481/a11-reis.pdf?key1=1281481&key2=3683285021&coll=GUIDE&dl=GUIDE&CFID=20601843&CFTOKEN=72967852>.
  • [8] Ross, Blake et al. 2005. Stronger Password Authentication Using Browser Extensions. Proceedings of the 14th USENIX Security Symposium. <http://www.usenix.org/event/sec05/tech/full_papers/ross/ross_html/>.
  • [9] Wang, Helen et al. 2007. Subspace: Secure Cross-Domain Communication for Web Mashups. Session: Defending Against Emerging Threat. <http://portal.acm.org/ft_gateway.cfm?id=1242655&type=pdf&coll=GUIDE&dl=GUIDE&CFID=19722981&CFTOKEN=12066342>.

22
  • ALL YOUR BASE ARE BELONG TO US!