Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Is FFSpy a hoax?
From: Valdis.Kletnieks () vt edu
Date: Mon, 01 Jun 2009 11:37:22 -0400

On Sat, 30 May 2009 12:31:03 +0530, FFSpy Buster said:

He suggests that Firefox must do something to notify the user when an addon
has been compromised by a remote attacker. He agrees that the remote
attacker has to gain physical or local access of the system by remotely
logging in or something.

I wouldn't rank it as a major panic, but it *is* pointing out an interesting
and little-considered place for an attacker who has gotten access to leave a
back door for themselves. Most security books will tell you to check places
like 'crontab', and I've seen backdoors and other attacks hidden in .vimrc and
.gdbinit files, but don't mention browser plugins and add-ons.  This is a bit
more nefarious because the API and packaging of Firefox add-ons isn't well
understood by most people, so it's hard to tell where exactly to look, and for
what.

                           Let us say the attacker ssh-ed or telnet-ed into
the user's PC and modified an addon. What measures can Firefox take to
notify the user of the modification?

I can't imagine of any because if it is digital signature or checksum based,
the attacker can very well modify the public key or the checksum in
Firefox's store. So, this whole FFSpy thing sounds like a hoax to me, an
unnecessary panic being created by Duarte Silva. Please correct me, if I am
wrong.

The trick is to take the signature/checksum and store it someplace that
isn't writable by the user.  For instance, the venerable Tripwire or the
more recent Aide will be able to detect this sort of attack - and if you're
really paranoid and store the Tripwire keys and database offline (cd-rom or
USB key, etc), it will even be able to work if the system gets compromised
(booting off known clean media needed for this one, of course).



Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]