Wednesday, May 20, 2009

Firefox Plug-In Design Flaw Yields ffspy PoC

It's happened: my faith in Firefox and plug-ins has been totally shattered, for real this time. I knew the day would come soon... but I'm still sad.

I read this brilliantly simple blog post in which Duarte Silva, on his myf00 blog, basically trojaned a legitimate Mozilla "extension" (add-on) to make it do evil, evil things. He calls his creation "ffspy", which is fitting given that it steals your HTTP POSTs. The scary thing about this: that legitimate extension was NoScript. Even more impressive is Duarte's mastery of JavaScript-fu...

It's not a bug or vulnerability in NoScript, by any means, but rather a design flaw in the way plug-ins work in general...
"You can infect one of the installed add-ons, because Firefox isn’t able to verify if an add-on is compromised or not. To do that you only need to edit the file that defines the overlay." --D. Silva
And he's totally correct: at present there really isn't a mechanism in the design for verifying that an installed add-on hasn't been tampered with. A suggestion I would have is this... when a plug-in is installed, make sure you validate that the .XUL file has a valid MD5sum (or whatever you want to hash it with). Once it's installed, that hash needs to be stored inside Firefox's internal guts so someone can't just modify it... maybe in a binary format or something?
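To make the install-time hash idea concrete, here is an added example (written for this post, not code from Duarte's PoC or from Mozilla): record a digest of every file in an add-on's directory when it is installed, keep that manifest, and re-check the directory later to find files that were modified, added or removed. It assumes SHA-256 in place of the MD5 mentioned above, and a constructed add-on layout with a chrome/content/overlay.xul and an install.rdf.

```python
import hashlib
import json
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks (assumption: SHA-256 instead of MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(ext_dir):
    """Map every file under ext_dir (relative, '/'-separated) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, ext_dir).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest

def verify_manifest(ext_dir, stored):
    """Compare the directory against the stored manifest; list every change."""
    current = build_manifest(ext_dir)
    return {
        "modified": sorted(p for p in stored if p in current and current[p] != stored[p]),
        "added": sorted(set(current) - set(stored)),
        "removed": sorted(set(stored) - set(current)),
    }

def demo():
    """Constructed scenario: record an add-on at install, then edit its overlay."""
    with tempfile.TemporaryDirectory() as ext_dir:
        content = os.path.join(ext_dir, "chrome", "content")
        os.makedirs(content)
        overlay = os.path.join(content, "overlay.xul")
        with open(overlay, "w") as f:
            f.write("<overlay/>")  # stand-in for the file that defines the overlay
        with open(os.path.join(ext_dir, "install.rdf"), "w") as f:
            f.write("<RDF/>")
        # JSON round-trip stands in for persisting the manifest at install time.
        stored = json.loads(json.dumps(build_manifest(ext_dir)))
        clean = verify_manifest(ext_dir, stored)
        with open(overlay, "a") as f:
            f.write("<!-- edited after install -->")  # simulated tampering
        return clean, verify_manifest(ext_dir, stored)
```

Calling demo() returns an empty report for the freshly installed add-on and a report naming chrome/content/overlay.xul as modified after the edit. The check is only as strong as where the manifest lives: anyone who can edit overlay.xul can usually edit a manifest kept next to it, so it has to be stored where the add-on cannot reach it.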

Anyway... his article is well worth the read, and it just continues to paint a bleak picture of browser security... as I've been saying all along.



Anonymous said...

Wait, you mean we have to _trust_ any software we install?

This is news, how?

Rafal Los said...

Hey, if you're going to leave a snide comment, at least don't hide behind anonymous.

Now, this IS NEWS because people just don't know this - while you may, most don't. This IS NEWS because the author of that PoC has now found a very, very simple way to completely bypass everything (including SSL, oh noz!) on the browser... without "hacking" or anything else even remotely suspicious.

Yes - this indeed is news. Thanks for reading and taking the time to comment.


Anonymous said...

I think what we're talking about is the total breakdown of current software distribution models that windows has encouraged.

Linux style package management is really the only solution I can see. A set of "trusted" packages which are (nominally) safe to install from a trusted resource.

This mentality of downloading software binaries from anywhere and just installing them is simply crazy. Users need to be taught never to do this, and to consider anything they find on the internet as untrusted.

Bilbo Fraggins said...

I agree, this isn't really novel.
It's an interesting POC, but if I have local access to your file system, there are tons of easy ways to own you...

We just don't have systems that were designed to stand up to local access, case closed. An attacker could just as easily modify one of Firefox's own executables or libraries, your proxy settings, etc...

Anonymous said...

Raf is right.

In addition, since mozilla does not certify extensions as safe, how is one to know which addon to trust?

If I had to guess wildly at user behavior, I'd say
99% of users never read the code before installing an addon,
90% of the users who do read the code before installing an addon don't understand it well enough to certify it themselves.

Rafal Los said...

@Steve Pinkham:

You know - you're right. The whole idea of "trusting a plugin" is insane - but where do you draw the line? Is there something that Mozilla should do to limit the damage that can be done using this type of attack?

I spoke to a "friend" who distributes questionable software and he indicated to me that while this is fascinating, it does little to increase the attack surface of a browser (or all browsers) which are riddled with holes that allow drive-by "{ad|mal|spam}ware installs".

The question now is how does Mozilla start to solve this problem - or do they? This is getting too long, time for a follow-up post.