I'm in your browser, pwning your stuff. Attacking Google Chrome extensions

Hack in Paris 2013 talk
by

Krzysztof Kotowicz

on 5 August 2013


Transcript of I'm in your browser, pwning your stuff. Attacking Google Chrome extensions

I'm in your browser,
pwning your stuff

Attacking Google Chrome extensions
Krzysztof Kotowicz
Hack in Paris 2013
Chrome extensions
Attacking extensions (v1)
Architecture
Security
vulnerabilities
exploit examples
tools
HTML5 applications
enriching your browser
and web pages you visit
notebooks
online bookmarking
developer tools
page recommendations
ad blocking
mail notifications
Intro
Extensions != plugins
> 50 000 extensions in Chrome Web Store
some used by a few users,
some by millions
what are they?
how are they built?
how secure are they?
HTML
+ JS
+ CSS
...zipped...
Installation
manually
...signed with developer key...
packaged into CRX file
Components
content scripts
view pages
manifest file
(JS)
(JS + HTML)
(lists components,
required permissions etc.)
More permissions than web pages
r/w all cookies,
change proxy settings
block requests
Chrome Web Store
content script
webpage DOM
webpage Javascript
{
  "name": "Example name",
  "manifest_version": 2,
  "description": "Example desc",
  "background": {
    "scripts": [ "background.js" ]
  },
  "content_scripts": [
    {
      "matches": [ "*://*/*" ],
      "js": [
        "lib/jquery-1.8.1.min.js",
        "content.js"
      ]
    }
  ],
  "permissions": ["clipboardWrite", "contentSettings", "cookies", "history", "proxy", "tabs", "<all_urls>"]
}
Manifest file
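The manifest is where most of the talk's risk signals are visible before any code is read: manifest version, permissions, content script match patterns and web-accessible resources. The following audit routine is an added example, not code from the talk or from any extension it names; the rule set and severities are my own, and the sample input is the manifest from the slide above.

```javascript
// Added example: audit an extension manifest for the risk signals the
// slides call out. Rules are the author's own, not a Chrome API.
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "history", "proxy", "tabs", "contentSettings",
  "clipboardWrite", "clipboardRead", "webRequest", "webRequestBlocking",
  "<all_urls>",
]);

// Match patterns that cover every origin: the content script then runs on
// every page the user visits, so any DOM XSS in it is reachable from any site.
const BROAD_MATCHES = new Set(["*://*/*", "<all_urls>", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 2) {
    findings.push("manifest_version 1: no default CSP, inline script and eval() allowed, " +
                  "extension resources loadable by any web page (fingerprinting)");
  }
  for (const perm of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(perm)) {
      findings.push("sensitive permission: " + perm);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      if (BROAD_MATCHES.has(pattern)) {
        findings.push("content script injected on every page: " + pattern +
                      " (" + (cs.js || []).join(", ") + ")");
      }
    }
  }
  // In manifest v2 only listed web_accessible_resources can be loaded by web
  // pages; each entry is a fingerprinting hook, wildcards especially.
  for (const res of manifest.web_accessible_resources || []) {
    findings.push("web-accessible resource (fingerprintable): " + res);
  }
  const csp = manifest.content_security_policy;
  if (typeof csp === "string" && /unsafe-eval/.test(csp)) {
    findings.push("default CSP relaxed with 'unsafe-eval'");
  }
  return findings;
}

// Sample input: the manifest shown on the slide.
const SLIDE_MANIFEST = {
  name: "Example name",
  manifest_version: 2,
  description: "Example desc",
  background: { scripts: ["background.js"] },
  content_scripts: [{ matches: ["*://*/*"], js: ["lib/jquery-1.8.1.min.js", "content.js"] }],
  permissions: ["clipboardWrite", "contentSettings", "cookies", "history", "proxy", "tabs", "<all_urls>"],
};

for (const line of auditManifest(SLIDE_MANIFEST)) console.log("- " + line);
```

Run over the slide's manifest this reports every one of the seven permissions and the `*://*/*` content script; run over a manifest v1 file it additionally flags the missing CSP. The same loop works across a directory of unpacked extensions, which is the "grep | sed | awk" triage the later slides describe.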
view pages &
background page
NPAPI
plugin
content script
webpage DOM
webpage Javascript
view pages &
background page
chrome.extension API
proxy settings
cookies
history
opened tabs
clipboard data
....
NPAPI
plugin
"permissions": ["clipboardWrite", "contentSettings", "cookies", "history", "proxy", "tabs", "<all_urls>"]
Permissions listed upon installation
innerHTML
document.cookie
document.title
send messages
& receive responses ONLY
no direct function calls,
DOM access etc.
chrome.tabs.executeScript(..alert(5)..)
Cross domain XHR
Attacking v2 extensions
vulnerabilities
exploit examples
tools
Manifest version 2
content security policy
kill all the vulns?
piece of cake
picking leftovers
other changes
fingerprinting
content script DOM XSS
view page DOM XSS
NPAPI binary code vulns
chrome-extension://<guid>/path-to/file.html
Web pages can load these URLs like standard
cross-domain resources
<script onload=yes() onerror=no() src=...>
scrape GUIDs from Chrome Web Store
DOM shared
with webpages
Proxy settings
Binary code
History
Cookies
Separation of powers
Content script
View + background
Local storage
URL whitelists
Permissions
XHR
"I know if you have extension X installed"
content script
webpage DOM
webpage Javascript
view pages &
background page
?
?
?
<title>..</title>
<... src=... />
<div id="#my-secret-extension-id">
...
</div>
a = document.title
chrome.extension.sendRequest({
  do: "bookmark",
  url: document.location,
  title: a
}, ...)
chrome.tabs.executeScript(tabId, {code:
  "alert('" + title + " bookmarked')"
});
content script
webpage DOM
webpage Javascript
view pages &
background page
?
?
?
<title>bad bad title
'-alert(1)-'
</title>
a = document.title
chrome.extension.sendRequest({
  do: "bookmark",
  url: document.location,
  title: a
}, ...)
$('#boomarklist').append('<li>' + title + '</li>');
Send requests to extension backend
Cross-domain XHR (whitelisted URLs)
Access to API
Run in background
via chrome.extension.getBackgroundPage().eval()
content script
webpage DOM
webpage Javascript
view pages &
background page
NPAPI
plugin
?
?
?
<title>..</title>
<... src=... />
<div id="#my-secret-extension-id">
...
</div>
a = document.title
chrome.extension.sendRequest({
  do: "bookmark",
  url: document.location,
  title: a
}, ...)
pluginObj.foo(bar, title)
?
buffer overflow
format string vulnerabilities
command injection
No Chrome sandbox
OS user permissions
Default CSP for view pages
script-src 'self'; object-src 'self'
no inline scripting
no eval()
By default, webpages cannot load extension URLs
fingerprinting
"You will know them by what they do"

Mt 7,16
no DOM XSS
no fingerprinting
chrome.tabs.executeScript(null, {
  code: "(" + funcLaunchZzzapIt.toString() + ")('"
    + tab.url.replace("'", "\\'") + "', '"
    + tab.title.replace("'", "\\'") + "', 'open')"
});
Zzzap.it 1.0.1
ezLinkPreview 5.22
Preview links in a draggable, resizable overlay/popup, or in split screen/split view mode. Zoom images. Search highlighted/selected…
14K users
https://chrome.google.com/webstore/detail/ezlinkpreview/nnkcfbiefgdaceeplickkkmifpicbpcc
Save link to Google Bookmarks
function GetURLDocumentTitleJQ(url) {
  var ezPageTitle = url; //default the title to the URL
  $.ajax({
    url: url,
    async: true,
    success: function(data) {
      try {
        // title of the fetched page, taken straight from the response body
        var matches = data.match(/<title>(.*?)<\/title>/);
        var title = matches[1];
        if (title != null && title.length > 0) {
          ezPageTitle = title;
        }
      } catch (err) {}

      // the title is concatenated into code that executeScript will run
      var scr = 'ezBookmarkOneClick("' + url + '", "' + ezPageTitle + '");';
      chrome.tabs.executeScript(null, {code: scr});
    },
    // remaining options not shown on the slide
  });
}
https://chrome.google.com/webstore/detail/ezlinkpreview/nnkcfbiefgdaceeplickkkmifpicbpcc
Send music and pictures to your phone
Slick RSS: Feed Finder 1.3
document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
https://chrome.google.com/webstore/detail/slick-rss-feed-finder/mpajmofiejfjgeaakelmjklenjaekppa
A companion extension for Slick RSS, auto discovers RSS and Atom feeds to subscribe to.
10K users
<link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='alert(1)'>" href="/rss.rss">
Cr-gpg 0.7.4
extension to bring gpg into gmail
http://thinkst.com/tools/cr-gpg/
DOM XSS in Gmail.com
when decrypted message is inserted into Gmail DOM
// content_script.js, line 26.
$($(messageElement).children()[0]).html(tempMessage);
Send encrypted message => get XSS of victim's gmail session
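The Slick RSS heading (`innerHTML = ... + title + ...`) and the Cr-gpg insertion (`.html(tempMessage)`) share one defect: attacker-controlled text is parsed as HTML. The block below is an added example, not code from the talk or from either extension. It shows the two fixes: escape before building markup when a string must go into `innerHTML`, or, when a DOM is available, build nodes and assign `textContent`. The feed title is the constructed one from the slide.

```javascript
// Added example: rendering page-controlled text in an extension view page
// without letting it be parsed as HTML.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Fix 1 (string form, usable with innerHTML or jQuery .html()): the markup
// skeleton is constant, only the escaped title is interpolated.
function subscribedHeadingHtml(title) {
  return "Subscribed to '<strong>" + escapeHtml(title) + "</strong>'";
}

// Fix 2 (preferred when a DOM is available, e.g. in the extension's view
// page): build nodes and use textContent, so no HTML parsing happens at all.
// Not exercised here because it needs a real document.
function renderHeading(headingEl, title) {
  const doc = headingEl.ownerDocument;
  headingEl.textContent = "Subscribed to '";
  const strong = doc.createElement("strong");
  strong.textContent = title;            // literal text, never markup
  headingEl.appendChild(strong);
  headingEl.appendChild(doc.createTextNode("'"));
}

// Constructed feed title from the slide's <link rel="alternate"> element.
const HOSTILE_FEED_TITLE = "hello <img src=x onerror='alert(1)'>";

console.log(subscribedHeadingHtml(HOSTILE_FEED_TITLE));
```

For the Cr-gpg case the decrypted message is plain text as well, so `$(...).text(tempMessage)` is the direct replacement for `.html(tempMessage)`; only if the message genuinely had to carry HTML would a sanitizer be needed, and the default manifest v2 CSP does not stop this class of bug because the injected markup contains no inline script, just an event handler on an element the page itself created.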
+
Command injection in NPAPI plugin
when plugin calls gpg binary to encrypt
// gmailGPGAPI.cpp
//Encrypts a message with the list of recipients provided
FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients, const FB::variant& msg)
{
    string tempFileLocation = m_tempPath + "errorMessage.txt";
    string tempOutputLocation = m_tempPath + "outputMessage.txt";
    string gpgFileLocation = "\"" + m_appPath + "gpg.exe\" ";

    vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >();
    string cmd = "c:\\windows\\system32\\cmd.exe /c ";
    cmd.append(gpgFileLocation);
    cmd.append("-e --armor");
    cmd.append(" --trust-model=always");
    for (unsigned int i = 0; i < peopleToSendTo.size(); i++) {
        cmd.append(" -r");
        cmd.append(peopleToSendTo.at(i));   // recipient string goes into the command line unchecked
    }
    cmd.append(" --output ");
    cmd.append(tempOutputLocation);
    cmd.append(" 2>");
    cmd.append(tempFileLocation);

    sendMessageToCommand(cmd, msg.convert_cast<string>());
=
http://blog.kotowicz.net/2012/09/owning-system-through-chrome-extension.html
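The command injection above exists because recipients are appended to a single `cmd.exe /c` string. The fix is structural: pass the program an argument vector and never a shell command line, and reject recipient strings that are not a key id or address (which also stops a recipient beginning with `--` from being read as a gpg option). The block below is an added example in JavaScript rather than the plugin's C++; it is not Cr-gpg code, and the accepted recipient syntax is my own assumption about what the extension needs.

```javascript
// Added example: build the gpg invocation as an argv array so that each
// recipient is exactly one argument, and validate recipients before use.

// Assumed recipient forms: an e-mail address or a hex key id / fingerprint.
const RECIPIENT_RE = /^(?:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|(?:0x)?[0-9A-Fa-f]{8,40})$/;

function buildGpgArgv(recipients, outputPath) {
  const argv = ["-e", "--armor", "--trust-model=always"];
  for (const r of recipients) {
    if (!RECIPIENT_RE.test(r)) {
      throw new Error("invalid recipient: " + JSON.stringify(r));
    }
    argv.push("-r", r);            // one array element, never re-parsed by a shell
  }
  argv.push("--output", outputPath);
  return argv;
}

// The original's construction, reproduced only for contrast: everything ends
// up in one string that cmd.exe tokenises, so metacharacters in a recipient
// are interpreted by the shell.
function buildShellCommand(gpgPath, recipients, outputPath, errPath) {
  let cmd = 'c:\\windows\\system32\\cmd.exe /c "' + gpgPath + '" -e --armor --trust-model=always';
  for (const r of recipients) cmd += " -r" + r;
  return cmd + " --output " + outputPath + " 2>" + errPath;
}

// Constructed inputs: one valid recipient and one carrying shell syntax.
const GOOD = ["alice@example.com", "0xDEADBEEF"];
const BAD = ["alice@example.com & echo injected"];

console.log(buildGpgArgv(GOOD, "C:\\tmp\\out.txt"));
console.log(buildShellCommand("C:\\app\\gpg.exe", BAD, "out.txt", "err.txt"));
```

In Node the vector form is executed with `child_process.spawn(gpgPath, argv)` (no `shell` option), the message is written to the child's stdin and stderr is read from the `stderr` stream instead of being redirected with `2>` into a temp file; the C++ equivalent is `CreateProcess` with the program path and an argument list built per argument, not a shell string. The validation is defence in depth: even without it the recipient could not break out of its argument, but it also keeps gpg from seeing an attacker-chosen option.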
BeEF - Fake Flash Update module
https://github.com/beefproject/beef/wiki/Module%3A-Fake-Flash-Update
https://github.com/koto/xsschef
Chrome Extension Exploitation Framework
Easy view XSS exploitation
Inject a simple hook code
Victims connect back to ChEF server
Send commands via web application
Browse tabs
Take screenshots
Read / write cookies
Get history
Set proxy
Persistent password sniffers
Execute arbitrary Javascript
Chrome Web Store scraper
get extension code from Google
$ grep | sed | awk to find vulns
mass download
Extension repacker
Clone existing extension
Add hook code
Add maximum permissions
Distribute to clients
Mosquito
Use extension as HTTP proxy
with MalaRIA
http://erlend.oftedal.no/blog/?blogid=107
XSS in content script
Websockets server
MalaRIA
HTTP client
https://github.com/kanaka/websockify
HTTP server
Victim TCP
connection
new XMLHttpRequest()
ws://
TCP
HTTP
GET http://twitter.com/ HTTP/1.1
Host: twitter.com
+ cookies
xhr.responseText
HTTP/1.1 200 OK
<content>
http[s]://*/*
42% use
43% use
http[s]://*/*
eval("hookcode")
Discourage non-Web Store installs
Download CRX file
Open chrome://extensions page
Drag&drop file
harder distribution of malicious extensions
Upload straight to Google Web Store, they don't care
http://blog.beefproject.com/2013/03/subverting-cloud-based-infrastructure.html
@_ikki
and
@antisnatchor
set up Web Store of Doom
upload to website
...
3rd party website
v1 => v2
September 2013
Web Store deletes all v1 extensions
January 2014
Chrome stops loading v1 extensions
currently
47%
are v1
Jun 2013, top 10000 extensions
by Erlend Oftedal
SecuRing
Cure53
I pentest for
&
client side vulns
I research
I blog at
blog.kotowicz.net
and check my
krzysztof@kotowicz.net
, tweet as
@kkotowicz
mailbox
Summary
Extensions are vulnerable as well
Exploiting extensions gives more powers
Tools can help you with that
@kkotowicz
http://blog.kotowicz.net
krzysztof@kotowicz.net
https://github.com/koto/mosquito
attack vector:
malicious website