Tuesday, September 25, 2012

How to install silently malicious extensions for Firefox

Recently, I had the pleasure of presenting on malicious browser extensions at SOURCE Seattle. I showed, amongst other things, how a malicious browser extension can be added silently to any Firefox profile. I've reworked the demonstration, and want to make it available to a wider audience.

3rd-party installation

You have probably already encountered applications, like the Flash player or some repackaged free software, that want you to install a toolbar or some spyware/adware for your browser. This is a 3rd-party installation of an extension. For Firefox, this installation consists of copying the browser extension into your Firefox profile (or a special folder that contains extensions shared by all profiles).

Software installer contains a toolbar/adware/spyware extension

Firefox protects against this type of external extension installation by prompting the user the next time the browser is started - the user has the option to disable (default action) or enable the new extension.

Firefox warning for an extension installed outside of the browser

Silent installation

It is actually very easy to bypass the warning from Firefox. Firefox stores information about all extensions in an SQLite3 database named extensions.sqlite, located in each Firefox profile. It contains:
  • name, version, description, etc.
  • enabled or disabled
  • active or not
  • installed from the official Mozilla extension site or not

extensions.sqlite

When Firefox starts, it checks the list of extensions under /extensions/ against the content of extensions.sqlite. If an extension exists on disk but is not listed in the database, a warning is shown. The trick to installing an extension silently is to add a record for the extension to the database and tell Firefox that the extension has already been approved by the user (active and enabled).
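As an added, defender-side example (not code from this post or from its downloadable tool), the following Python script performs the same reconciliation Firefox does at startup and additionally flags the signature the silent-install trick leaves behind: an add-on whose database record is active and enabled even though it was installed from outside the browser or did not come from addons.mozilla.org. The `addon` table and its columns (`id`, `active`, `userDisabled`, `appDisabled`, `foreignInstall`, `sourceURI`) are an assumption modelled on the fields listed above rather than a copy of Mozilla's schema, and the sample profile it builds is constructed for the demonstration.

```python
"""Audit a Firefox profile's extensions.sqlite against its extensions/ folder.

Two checks are made:
  1. extensions present on disk but absent from the database (the case in
     which Firefox itself would prompt the user at the next start), and
  2. extensions that the database marks active and enabled although they
     were installed from outside the browser or not from the official site,
     which is what a silent install looks like once it has been recorded.

The `addon` table layout is an ASSUMPTION modelled on the fields the post
lists; adjust the query to the real schema of the profile being audited.
"""
import os
import sqlite3
import tempfile
from urllib.parse import urlparse

OFFICIAL_HOST = "addons.mozilla.org"


def load_db_addons(db_path):
    """Return {addon_id: row_dict} from the (assumed) `addon` table."""
    conn = sqlite3.connect(db_path)
    conn.row_factory = sqlite3.Row
    try:
        rows = conn.execute(
            "SELECT id, active, userDisabled, appDisabled, foreignInstall, sourceURI "
            "FROM addon"
        ).fetchall()
    finally:
        conn.close()
    return {r["id"]: dict(r) for r in rows}


def list_disk_addons(profile_dir):
    """Extension IDs found under <profile>/extensions/ (unpacked dirs or .xpi files)."""
    ext_dir = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_dir):
        return set()
    return {name[:-4] if name.endswith(".xpi") else name for name in os.listdir(ext_dir)}


def audit_profile(profile_dir):
    """Return (unregistered, suspicious).

    unregistered: IDs on disk with no database record (Firefox would prompt).
    suspicious:   IDs enabled in the database despite a foreign install or a
                  source that is not the official add-on site.
    """
    db = load_db_addons(os.path.join(profile_dir, "extensions.sqlite"))
    on_disk = list_disk_addons(profile_dir)
    unregistered = sorted(on_disk - set(db))
    suspicious = []
    for addon_id, row in db.items():
        enabled = bool(row["active"]) and not row["userDisabled"] and not row["appDisabled"]
        # Compare the parsed hostname, not a substring, so a URI such as
        # "addons.mozilla.org.example.net" is not mistaken for the real site.
        official = urlparse(row["sourceURI"] or "").hostname == OFFICIAL_HOST
        if enabled and (row["foreignInstall"] or not official):
            suspicious.append(addon_id)
    return unregistered, sorted(suspicious)


def build_sample_profile():
    """Constructed sample profile (test data, not a real profile): one add-on
    from the official site, one recorded the way a silent installer would
    record it, and one dropped on disk with no database record at all."""
    profile = tempfile.mkdtemp(prefix="ff-audit-demo-")
    os.makedirs(os.path.join(profile, "extensions"))
    for ext_id in ("good@example.org", "sneaky@example.org", "orphan@example.org"):
        open(os.path.join(profile, "extensions", ext_id + ".xpi"), "wb").close()
    conn = sqlite3.connect(os.path.join(profile, "extensions.sqlite"))
    conn.execute(
        "CREATE TABLE addon (id TEXT PRIMARY KEY, active INTEGER, userDisabled INTEGER, "
        "appDisabled INTEGER, foreignInstall INTEGER, sourceURI TEXT)"
    )
    conn.executemany("INSERT INTO addon VALUES (?, ?, ?, ?, ?, ?)", [
        ("good@example.org", 1, 0, 0, 0,
         "https://addons.mozilla.org/firefox/downloads/good.xpi"),
        # active + enabled, installed from outside the browser, no official source
        ("sneaky@example.org", 1, 0, 0, 1, None),
    ])
    conn.commit()
    conn.close()
    return profile


if __name__ == "__main__":
    prof = build_sample_profile()
    unreg, susp = audit_profile(prof)
    print("on disk but not registered (Firefox would prompt):", unreg)
    print("enabled but foreign / not from the official site:", susp)
```

Pointing `audit_profile` at a real profile directory turns the second list into a quick review list: every entry there is an extension that was enabled without the user ever seeing the external-install prompt.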

Demonstration

I've written a small program that installs an extension silently into any Firefox profile. You can download the program and the extension here, and the source code there.

The program was written in C# and can be compiled with the free Visual Studio Express for .Net from Microsoft.

Tool shows the steps to install the extension silently

The "malicious" extension does not actually do anything. All the malicious code has been commented out, although it includes some of the things an attacker could do, such as:
  • steal the list of saved logins and passwords
  • send out all the URLs visited by the user
  • disable security features

Do not worry about testing the "malicious" functionality; the extension will not do anything and no information will be sent out.

I suggest that you create a custom profile to test the extension. To create a new profile named "demo", run the following command:

firefox -CreateProfile demo --no-remote

Then start Firefox with your new profile:

firefox -P demo --no-remote

I've included a video that shows the silent installation in case you're fearful of trying it for yourself:


Why it matters

Many free software packages push toolbars, adware and spyware into Firefox and other browsers, bundled into their installer to earn some money for the extension creator (see previous PPI campaigns). Firefox gives users a chance to explicitly and clearly decide whether or not they want to enable these add-ons. Without this protection, many users can be tricked into running extensions they are not aware of.

The second important point is that malicious browser extensions are much harder to detect once installed. Because extensions are part of the browser, their activity cannot be differentiated from the activity of the browser: accessing the internet and accessing the file system are legitimate actions for the browser. The extension does not need to add itself to the startup scripts or register as a Windows service to keep running after a reboot. The extension does not need to hook into Windows to intercept logins and passwords, etc. Finally, AV vendors struggle with detecting malicious JavaScript, and none of the malicious Firefox extensions I've checked with VirusTotal was ever flagged.


Going further

The silent installation could be even more sneaky. Instead of adding a new extension, it could also replace an existing extension, or append itself to an existing extension.

18 comments:

RichieB said...

Of course this mechanism is easy to bypass. Mozilla has always known and accepted this. I think the idea is that if add-ons are spotted in the wild that circumvent the user dialog, they will be blacklisted. Malicious extensions can then resort to using random IDs, etc. It is a war no browser can win. If malicious software has control over a user account, the browser profile (and documents, shortcuts, etc., etc.) can be infected.

Instead of stating the obvious, why don't you offer some suggestions on how to improve this feature.

Jon Daley said...

Yes, I was wondering what your solution is as well.

For me, I just use Linux and don't run random executables off of the web, which solves the problem.

After being in the open source world for more than a decade, I am sometimes amazed that software vendors expect users to allow them to run random code on their computer as an administrator. It is really bizarre that people give unknown people full access to their computer. (And yet again lots of people give their email and Facebook passwords to random websites who promise to "only look at their friends' contact information", etc.)

Wojciech Pawlikowski said...

Hi, it looks like you're reinventing the wheel tbh - malware authors have targeted browsers for a long time (banking trojans mostly). The SQLite method is ok as long as they don't alter the db layout etc. The more generic method is actually to change privilege levels and allow FF to install extensions on its own from a specific location by changing prefs.js.

Anonymous said...

This is not a security issue in Firefox.

You're basically backdooring Firefox. But to backdoor Firefox you require the ability to run an arbitrary executable on the machine.

What's the point of backdooring Firefox if you've already got your executable running on the machine?

By that point you've already won.

This is no different from saying Firefox has a security issue because I can reverse engineer it to run a DoS attack on a server, *as long as I can get someone to run my executable on their system that installs this version of Firefox*.

Anonymous said...

I saw this in the wild. Spy/adware package.

Dave Sharp said...

Firefox is a cross platform attack vector, Windows, Linux, whatever...;)

So, how do you view the sqlite3 db in firefox to check your extensions?

Dave Sharp said...

Firefox is a cross-platform attack tool, Windows, Firefox, whatever...

So, how do you view your sqlite3 db in Firefox to check the extensions?

Julien Sobrier said...

@Dave Sharp: you can use SQLite Manager (https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/) to view your databases within Firefox

Vince van es said...

I'm new to this and I need some help. Can you or someone tell me, if I can install this on someone's PC, how can I get the logins and password off him to my PC?

Vince van es said...

Can someone help me? I don't know, but can I install this on a PC of someone and then get its information on my PC? And how?

Vince van es said...

I'm new and someone needs to help me... Can I install this on someone's PC and then get his shit on my PC, or do I need to do it on that PC where I installed it on, and how do I get the login usernames and passwords?

Maria Feldman said...

In the new version, Firefox 26, it doesn't work; the extensions.sqlite file is empty.

R&D said...

In FF 26+ it is not working: extensions.sqlite is missing (even when I manually added it) and it prompts the message "another program on your computer would like to modify firefox with the following add-on". Any idea how to solve it?

Anonymous said...

It looks like newer versions of Firefox no longer use an sqlite DB for the extensions repository. See here:
https://mail.mozilla.org/pipermail/firefox-dev/2013-August/000748.html

Now they use a JSON file. The schema is very similar to the sqlite DB, and it can be edited in much the same way. This was confirmed on Windows 7 64-bit at least. I'm having trouble getting it to work on Windows XP 32-bit.

Anonymous said...

You can check this tool, it will help you install Firefox and Chrome extensions silently on the latest versions: http://youtu.be/2ZnBdb1cAnI