mailing list archives
Re: FFSpy, a firefox malware PoC
From: saphex <saphex () gmail com>
Date: Tue, 26 May 2009 19:48:26 +0100
On Tue, May 26, 2009 at 4:08 PM, Shell Code <technobuster () gmail com> wrote:
I would appreciate if you post replies to the list instead of sending
it only to me. My comments inline.
On Tue, May 26, 2009 at 5:10 PM, saphex <saphex () gmail com> wrote:
I fail to understand what is new or interesting in this POC. If a
person with malicious intent gains so much access to a system that he
can put his files or firefox plugins, modify existing files, etc
If you gain access to a system with the user that isn't administrator
(at least under systems that enforce user *differentiation*, read any
Linux flavour and Vista), you only have access to the users folder,
you can't install anything (especially under Linux). I guess this is
meant to be an alternative way of getting the job done.
This is not true. You can carry out attacks of the same severity by
gaining access to a Linux or Windows system as a user that isn't the
administrator. Here are a few examples:
1. Modify a vim, emacs, KDE, GNome, etc. plugin that the user uses so
that it sends user's personal content (data, files, commands executed,
etc.) from the system to a remote server.
2. Put a malicious executable file or script in the user's home
directory and execute it from start up scripts (.bashrc,
.bash_profile, etc.) so that the malicious executable file executes
whenever the user logs in. Now this malicious file can send user's
personal content to a remote server.
3. Modify or put plugins for other software to malicous stuff. Similar
to point 1.
4. Override PATH settings, aliases, put scripts, etc. so that when the
'ls' now executes 'rm' or some other malicious command so that user
ends up executing commands he did not intend to.
5. ... and much more ...
From the POC it seems that somehow the attacker has to gain physical
access to the system or do some social engineering attack to fool the
user in installing or modifying his existing plugins. The PoC does not
explain how this is done.
To you know the download and execute payload for exploits? Make an
application that changes the files, then use that payload in some
exploit. People just want everything done. Just click, download, use,
and call them self l33ts .
How is it any different from the attack scenarios I have explained in
case of vim, emacs, KDE, GNome, Linux shell, etc.?
Maybe this is nothing new, but I think that the way to do it is new.
Because you don't install anything, and the point to be proven here is
that Firefox add-on system is security flawed from the very beginning.
So, are you saying vim, emacs and the plugin system of every other
software on the earth is security flawed from the very beginning?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/