Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-26 Thread Shell Code
On Wed, May 20, 2009 at 6:12 AM, saphex sap...@gmail.com wrote:
 I think this is interesting, http://myf00.net/?p=18

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


I fail to understand what is new or interesting in this POC. If a
person with malicious intent gains so much access to a system that he
can put his files or firefox plugins, modify existing files, etc. then
he can do anything he wants anyway. This is nothing new. It was well
known always that Firefox plugins can also be made to do malicious
things such as steal passwords, sniff data before it gets encrypted in
SSL, etc. Absolutely nothing new.

The same holds true for a user downloading malicious software on his
own and running it on his system. It is true that most users don't
verify the source code before running. But this is not anything
specific to Firefox. This holds true for any open source or closed
source software users download. So, again FFSpy sniffing data is
nothing new.

From the POC it seems that somehow the attacker has to gain physical
access to the system or do some social engineering attack to fool the
user into installing or modifying his existing plugins. The PoC does not
explain how this is done. This is like claiming, I have found an
interesting attack which involves modifying XYZ program or DLL or
script on the system that would sniff data and send it to a remote
server. I name it ComputerSPY. This is very lame. Of course if you
have access to modify or create stuff in the system, you can do
anything. Nothing new at all.

What is the point of the POC? What is the PoC trying to achieve? Is
the POC trying to tell us something that we already don't know?



Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-26 Thread James Matthews
On the iPhone a new app came out called MobileSpy, designed
to secretly record all activity on the iPhone. OMG, the iPhone now has
spyware, etc. No, the user must 1. jailbreak his phone, 2. download and
install the MobileSpy application.
Recently a person told me that stupidity is a capital crime. We see that
ever more here. These days we are worried about drive-by downloads. Spyware
in the form of Mozilla Firefox has been an issue for a while.

James

On Tue, May 26, 2009 at 9:28 AM, Shell Code technobus...@gmail.com wrote:

 On Wed, May 20, 2009 at 6:12 AM, saphex sap...@gmail.com wrote:
  I think this is interesting, http://myf00.net/?p=18
 
 

 I fail to understand what is new or interesting in this POC. If a
 person with malicious intent gains so much access to a system that he
 can put his files or firefox plugins, modify existing files, etc. then
 he can do anything he wants anyway. This is nothing new. It was well
 known always that Firefox plugins can also be made to do malicious
 things such as steal passwords, sniff data before it gets encrypted in
 SSL, etc. Absolutely nothing new.

 The same holds true for a user downloading malicious software on his
 own and running it on his system. It is true that most users don't
 verify the source code before running. But this is not anything
 specific to Firefox. This holds true for any open source or closed
 source software users download. So, again FFSpy sniffing data is
 nothing new.

 From the POC it seems that somehow the attacker has to gain physical
 access to the system or do some social engineering attack to fool the
 user into installing or modifying his existing plugins. The PoC does not
 explain how this is done. This is like claiming, I have found an
 interesting attack which involves modifying XYZ program or DLL or
 script on the system that would sniff data and send it to a remote
 server. I name it ComputerSPY. This is very lame. Of course if you
 have access to modify or create stuff in the system, you can do
 anything. Nothing new at all.

 What is the point of the POC? What is the PoC trying to achieve? Is
 the POC trying to tell us something that we already don't know?





-- 
http://www.goldwatches.com

http://www.jewelerslounge.com

Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-26 Thread David Blanc
On Tue, May 26, 2009 at 8:38 PM, Shell Code technobus...@gmail.com wrote:
 I would appreciate if you post replies to the list instead of sending
 it only to me. My comments inline.

 On Tue, May 26, 2009 at 5:10 PM, saphex sap...@gmail.com wrote:
 I fail to understand what is new or interesting in this POC. If a
 person with malicious intent gains so much access to a system that he
 can put his files or firefox plugins, modify existing files, etc

 If you gain access to a system with the user that isn't administrator
 (at least under systems that enforce user *differentiation*, read any
 Linux flavour and Vista), you only have access to the user's folder,
 you can't install anything (especially under Linux). I guess this is
 meant to be an alternative way of getting the job done.

 This is not true. You can carry out attacks of the same severity by
 gaining access to a Linux or Windows system as a user that isn't the
 administrator. Here are a few examples:

 1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so
 that it sends user's personal content (data, files, commands executed,
 etc.) from the system to a remote server.

 2. Put a malicious executable file or script in the user's home
 directory and execute it from start up scripts (.bashrc,
 .bash_profile, etc.) so that the malicious executable file executes
 whenever the user logs in. Now this malicious file can send user's
 personal content to a remote server.

 3. Modify or put plugins for other software to malicious stuff. Similar
 to point 1.

 4. Override PATH settings, aliases, put scripts, etc. so that when the
 'ls' now executes 'rm' or some other malicious command so that user
 ends up executing commands he did not intend to.

 5. ... and much more ...


 From the POC it seems that somehow the attacker has to gain physical
 access to the system or do some social engineering attack to fool the
 user into installing or modifying his existing plugins. The PoC does not
 explain how this is done.

 Do you know the download and execute payload for exploits? Make an
 application that changes the files, then use that payload in some
 exploit. People just want everything done. Just click, download, use,
 and call themselves l33ts.


 How is it any different from the attack scenarios I have explained in
 case of vim, emacs, KDE, GNOME, Linux shell, etc.?

 Maybe this is nothing new, but I think that the way to do it is new.
 Because you don't install anything, and the point to be proven here is
 that the Firefox add-on system is security flawed from the very beginning.

 So, are you saying vim, emacs and the plugin system of every other
 software on the earth is security flawed from the very beginning?


I believe saphex or the author of the so-called PoC, Duarte Silva, does
not understand the concept of privileges and security vulnerabilities.
By the way, are saphex and Duarte Silva two different persons or
saphex == Duarte Silva?

Coming back to the topic of privileges, any Firefox addon runs in the
context of the user running the browser. So, the addon can do whatever
the user running the browser can. The same holds true for plugins of
other software too as Shell Code has correctly explained. For example,
an emacs plugin can do whatever the user running the emacs can.

So, if saphex or Duarte Silva argues that this is a security flaw in
Firefox addon mechanism, they will also argue that this is a security
flaw in emacs, Windows, Eclipse and every other OS and software. Such
an argument, without any doubt, is lame and stupid as most people
trained in computer security would agree.

--
Only two things are infinite, the universe and human stupidity, and
I'm not sure about the former. - by Albert Einstein.
--



Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-26 Thread Shell Code
I would appreciate if you post replies to the list instead of sending
it only to me. My comments inline.

On Tue, May 26, 2009 at 5:10 PM, saphex sap...@gmail.com wrote:
 I fail to understand what is new or interesting in this POC. If a
 person with malicious intent gains so much access to a system that he
 can put his files or firefox plugins, modify existing files, etc

 If you gain access to a system with the user that isn't administrator
 (at least under systems that enforce user *differentiation*, read any
 Linux flavour and Vista), you only have access to the user's folder,
 you can't install anything (especially under Linux). I guess this is
 meant to be an alternative way of getting the job done.

This is not true. You can carry out attacks of the same severity by
gaining access to a Linux or Windows system as a user that isn't the
administrator. Here are a few examples:

1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so
that it sends user's personal content (data, files, commands executed,
etc.) from the system to a remote server.

2. Put a malicious executable file or script in the user's home
directory and execute it from start up scripts (.bashrc,
.bash_profile, etc.) so that the malicious executable file executes
whenever the user logs in. Now this malicious file can send user's
personal content to a remote server.

3. Modify or put plugins for other software to malicious stuff. Similar
to point 1.

4. Override PATH settings, aliases, put scripts, etc. so that when the
'ls' now executes 'rm' or some other malicious command so that user
ends up executing commands he did not intend to.

5. ... and much more ...


 From the POC it seems that somehow the attacker has to gain physical
 access to the system or do some social engineering attack to fool the
 user into installing or modifying his existing plugins. The PoC does not
 explain how this is done.

 Do you know the download and execute payload for exploits? Make an
 application that changes the files, then use that payload in some
 exploit. People just want everything done. Just click, download, use,
 and call themselves l33ts.


How is it any different from the attack scenarios I have explained in
case of vim, emacs, KDE, GNOME, Linux shell, etc.?

 Maybe this is nothing new, but I think that the way to do it is new.
 Because you don't install anything, and the point to be proven here is
 that the Firefox add-on system is security flawed from the very beginning.

So, are you saying vim, emacs and the plugin system of every other
software on the earth is security flawed from the very beginning?

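As an added example from the detection side (not code from the thread), the audit below scans a constructed ~/.bashrc for the three same-privilege tricks Shell Code lists above: a program launched at login, a user-writable directory placed first in PATH, and an alias that redirects a common command. The sample file, the home directory and the list of common commands are constructed for illustration.

```python
"""Audit a user's shell start-up file for same-privilege persistence.
Added example; the rc file, home directory and command list are constructed."""
import re

COMMON_CMDS = {"ls", "cd", "sudo", "ssh", "git", "cat", "vim", "su", "passwd"}
USER_DIRS = ("~", "$HOME", ".", "/tmp")  # prefixes the user (or anyone) can write
ALIAS_RE = re.compile(r"^alias\s+([A-Za-z0-9_-]+)=(.*)$")
PATH_RE = re.compile(r"^(?:export\s+)?PATH=(.*)$")
SOURCE_RE = re.compile(r"^(?:source|\.)\s+(\S+)")
# A program started from the rc file via ~/, $HOME/ or a hidden directory.
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)(?:nohup\s+)?(~/\S+|\$HOME/\S+|\S*/\.[^/\s]+/\S+)")


def first_token(value):
    """First word of an alias value with surrounding quotes removed."""
    words = value.strip().strip("'\"").split()
    return words[0] if words else ""


def audit_rc(text, home):
    """Return (line_no, reason, line) findings; home is the user's home dir."""
    user_dirs = USER_DIRS + (home,)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            # alias ls='ls --color' is benign; flag when a common command is
            # redirected to something else (the thread's "'ls' now runs 'rm'").
            if m.group(1) in COMMON_CMDS and first_token(m.group(2)) != m.group(1):
                findings.append((no, "alias redirects common command", line))
            continue
        m = PATH_RE.match(line)
        if m:
            first = m.group(1).strip("'\"").split(":")[0]
            if first == "" or first.startswith(user_dirs):
                findings.append((no, "user-writable dir first in PATH", line))
            continue
        m = SOURCE_RE.match(line)
        if m:
            if m.group(1).startswith(user_dirs):
                findings.append((no, "sources a file from home or /tmp", line))
            continue
        if EXEC_RE.search(line):
            findings.append((no, "launches program from home/hidden path", line))
    return findings


SAMPLE_RC = """\
# constructed ~/.bashrc for illustration
export EDITOR=vim
alias ls='ls --color=auto'
alias ls='$HOME/.cache/.x/ls'
export PATH=$HOME/.local/share/.p:$PATH
. /tmp/.x/env.sh
nohup $HOME/.config/.u/sync >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for no, reason, line in audit_rc(SAMPLE_RC, "/home/alice"):
        print(f"line {no}: {reason}: {line}")
```

Every flagged line is only a lead: a sourced file or launched program still has to be read, and a baseline of the user's known-good rc files makes the comparison far less noisy than pattern matching alone.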


Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-26 Thread saphex
ok

On Tue, May 26, 2009 at 4:08 PM, Shell Code technobus...@gmail.com wrote:
 I would appreciate if you post replies to the list instead of sending
 it only to me. My comments inline.

 On Tue, May 26, 2009 at 5:10 PM, saphex sap...@gmail.com wrote:
 I fail to understand what is new or interesting in this POC. If a
 person with malicious intent gains so much access to a system that he
 can put his files or firefox plugins, modify existing files, etc

 If you gain access to a system with the user that isn't administrator
 (at least under systems that enforce user *differentiation*, read any
 Linux flavour and Vista), you only have access to the user's folder,
 you can't install anything (especially under Linux). I guess this is
 meant to be an alternative way of getting the job done.

 This is not true. You can carry out attacks of the same severity by
 gaining access to a Linux or Windows system as a user that isn't the
 administrator. Here are a few examples:

 1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so
 that it sends user's personal content (data, files, commands executed,
 etc.) from the system to a remote server.

 2. Put a malicious executable file or script in the user's home
 directory and execute it from start up scripts (.bashrc,
 .bash_profile, etc.) so that the malicious executable file executes
 whenever the user logs in. Now this malicious file can send user's
 personal content to a remote server.

 3. Modify or put plugins for other software to malicious stuff. Similar
 to point 1.

 4. Override PATH settings, aliases, put scripts, etc. so that when the
 'ls' now executes 'rm' or some other malicious command so that user
 ends up executing commands he did not intend to.

 5. ... and much more ...


 From the POC it seems that somehow the attacker has to gain physical
 access to the system or do some social engineering attack to fool the
 user into installing or modifying his existing plugins. The PoC does not
 explain how this is done.

 Do you know the download and execute payload for exploits? Make an
 application that changes the files, then use that payload in some
 exploit. People just want everything done. Just click, download, use,
 and call themselves l33ts.


 How is it any different from the attack scenarios I have explained in
 case of vim, emacs, KDE, GNOME, Linux shell, etc.?

 Maybe this is nothing new, but I think that the way to do it is new.
 Because you don't install anything, and the point to be proven here is
 that the Firefox add-on system is security flawed from the very beginning.

 So, are you saying vim, emacs and the plugin system of every other
 software on the earth is security flawed from the very beginning?




Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-26 Thread saphex
ok

On Tue, May 26, 2009 at 4:30 PM, David Blanc davidblanc1...@gmail.com wrote:
 On Tue, May 26, 2009 at 8:38 PM, Shell Code technobus...@gmail.com wrote:
 I would appreciate if you post replies to the list instead of sending
 it only to me. My comments inline.

 On Tue, May 26, 2009 at 5:10 PM, saphex sap...@gmail.com wrote:
 I fail to understand what is new or interesting in this POC. If a
 person with malicious intent gains so much access to a system that he
 can put his files or firefox plugins, modify existing files, etc

 If you gain access to a system with the user that isn't administrator
 (at least under systems that enforce user *differentiation*, read any
 Linux flavour and Vista), you only have access to the user's folder,
 you can't install anything (especially under Linux). I guess this is
 meant to be an alternative way of getting the job done.

 This is not true. You can carry out attacks of the same severity by
 gaining access to a Linux or Windows system as a user that isn't the
 administrator. Here are a few examples:

 1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so
 that it sends user's personal content (data, files, commands executed,
 etc.) from the system to a remote server.

 2. Put a malicious executable file or script in the user's home
 directory and execute it from start up scripts (.bashrc,
 .bash_profile, etc.) so that the malicious executable file executes
 whenever the user logs in. Now this malicious file can send user's
 personal content to a remote server.

 3. Modify or put plugins for other software to malicious stuff. Similar
 to point 1.

 4. Override PATH settings, aliases, put scripts, etc. so that when the
 'ls' now executes 'rm' or some other malicious command so that user
 ends up executing commands he did not intend to.

 5. ... and much more ...


 From the POC it seems that somehow the attacker has to gain physical
 access to the system or do some social engineering attack to fool the
 user into installing or modifying his existing plugins. The PoC does not
 explain how this is done.

 Do you know the download and execute payload for exploits? Make an
 application that changes the files, then use that payload in some
 exploit. People just want everything done. Just click, download, use,
 and call themselves l33ts.


 How is it any different from the attack scenarios I have explained in
 case of vim, emacs, KDE, GNOME, Linux shell, etc.?

 Maybe this is nothing new, but I think that the way to do it is new.
 Because you don't install anything, and the point to be proven here is
 that the Firefox add-on system is security flawed from the very beginning.

 So, are you saying vim, emacs and the plugin system of every other
 software on the earth is security flawed from the very beginning?


 I believe saphex or the author of the so-called PoC, Duarte Silva, does
 not understand the concept of privileges and security vulnerabilities.
 By the way, are saphex and Duarte Silva two different persons or
 saphex == Duarte Silva?

 Coming back to the topic of privileges, any Firefox addon runs in the
 context of the user running the browser. So, the addon can do whatever
 the user running the browser can. The same holds true for plugins of
 other software too as Shell Code has correctly explained. For example,
 an emacs plugin can do whatever the user running the emacs can.

 So, if saphex or Duarte Silva argues that this is a security flaw in
 Firefox addon mechanism, they will also argue that this is a security
 flaw in emacs, Windows, Eclipse and every other OS and software. Such
 an argument, without any doubt, is lame and stupid as most people
 trained in computer security would agree.

 --
 Only two things are infinite, the universe and human stupidity, and
 I'm not sure about the former. - by Albert Einstein.
 --




Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-25 Thread FUDder Guy
 From: saphex saphex_at_gmail.com
 Date: Wed, 20 May 2009 01:42:16 +0100

 I think this is interesting, http://myf00.net/?p=18


So, how does someone manage to edit the overlay file?

Are they going to use some javascript from a malicious website to edit
the overlay file of an addon? Or are they supplying a malware addon as
a normal addon in the firefox addon download page? Or is the attacker
manually editing the addon on another user’s system by gaining access
to that system?

I don’t see any point in this. It is as good as some person taking
some code from somewhere, editing it with some malware code and
resupplying it and saying “hey, I am not a verified author. you can
now download and install my malware addon”.

Any code out there can have a malicious addon. I doubt there is anything
special in this. If it is open source, it is the user’s job to check
the codebase for such malicious code.



Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-25 Thread FUDder Guy
On Mon, May 25, 2009 at 8:26 PM, saphex sap...@gmail.com wrote:
 This isn't about making the user install a malware add-on. It's about
 gaining access to the system through an exploit, or physical access,
 modify an existing add-on with your code. And Firefox won't even
 notice. Instead of installing a fancy rootkit or keylogger, just go
 straight to the browser, simple. Go tell your average user to check
 the codebase of the plug-ins he has installed in his Firefox from time
 to time in order to make sure they haven't been tampered with, yeah
 good choice...


I agree that attacking Firefox is a simpler way to carry out the
attack than installing a rootkit or keylogger. However, this is no
simpler than asking someone to download a cool game, script or
screensaver from my site.

Moreover, only addons.mozilla.org and update.mozilla.org are set as
allowed sites for addon installations by default in the browser. If
one tries to install addons from another site, Firefox issues a warning.
So, this is pretty good. As far as the possibility of a malicious addon
on the Mozilla site is concerned, the probability is pretty low as the
addons on the Mozilla site appear for download only after a review
process.

So, I don't see this type of attack particularly more dangerous than a
user downloading a software or script with trojan and running it. I
also don't see this type of attack any simpler than fooling a user to
run a cool game or script.

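The point saphex makes in the quoted message above is that an add-on edited in place inside the profile goes unnoticed by Firefox, so the only check left to the user is an integrity baseline; as an added example (not code from the thread or from FFSpy), the script below records a SHA-256 per file under a Firefox profile's extensions directory and later reports files that were modified, added or removed. The add-on name, file layout and the edit applied to overlay.xul are constructed.

```python
"""Baseline-and-verify check for a Firefox profile's extensions directory.
Added example; the profile layout and the tampering are constructed."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(ext_dir):
    """Map relative path -> SHA-256 for every file under ext_dir."""
    baseline = {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, ext_dir).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def verify(ext_dir, baseline):
    """Compare the current tree against a saved baseline; sorted lists."""
    current = build_baseline(ext_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed profile: one add-on whose overlay is edited after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_root = os.path.join(tmp, "extensions")
        content = os.path.join(ext_root, "example@addon.test", "chrome", "content")
        os.makedirs(content)
        overlay = os.path.join(content, "overlay.xul")
        with open(overlay, "w") as f:
            f.write("<overlay/>\n")
        baseline = build_baseline(ext_root)  # in practice: store it outside the profile
        # Constructed in-place edit of the overlay plus one dropped file,
        # the kind of change the thread says Firefox itself does not flag.
        with open(overlay, "a") as f:
            f.write("<!-- constructed modification -->\n")
        with open(os.path.join(content, "extra.js"), "w") as f:
            f.write("// constructed\n")
        return verify(ext_root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline has to live somewhere the browser's user account cannot write (another account, a read-only medium, a remote store); if it sits in the profile, an attacker running as that user, which is exactly the scenario the thread discusses, simply rebuilds it after tampering.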


Re: [Full-disclosure] FFSpy, a firefox malware PoC

2009-05-25 Thread Fosforo
Are we missing DNS stuff? Are plugins signed? Is NoScript being used by
end users?
Maybe an evilgrade plugin is coming.

[]s Fosforo

On Mon, May 25, 2009 at 3:24 PM, FUDder Guy fudder...@gmail.com wrote:

 On Mon, May 25, 2009 at 8:26 PM, saphex sap...@gmail.com wrote:
  This isn't about making the user install a malware add-on. It's about
  gaining access to the system through an exploit, or physical access,
  modify an existing add-on with your code. And Firefox won't even
  notice. Instead of installing a fancy rootkit or keylogger, just go
  straight to the browser, simple. Go tell your average user to check
  the codebase of the plug-ins he has installed in his Firefox from time
  to time in order to make sure they haven't been tampered with, yeah
  good choice...
 

 I agree that attacking Firefox is a simpler way to carry out the
 attack than installing a rootkit or keylogger. However, this is no
 simpler than asking someone to download a cool game, script or
 screensaver from my site.

 Moreover, only addons.mozilla.org and update.mozilla.org are set as
 allowed sites for addon installations by default in the browser. If
 one tries to install addons from another site, Firefox issues a warning.
 So, this is pretty good. As far as the possibility of a malicious addon
 on the Mozilla site is concerned, the probability is pretty low as the
 addons on the Mozilla site appear for download only after a review
 process.

 So, I don't see this type of attack particularly more dangerous than a
 user downloading a software or script with trojan and running it. I
 also don't see this type of attack any simpler than fooling a user to
 run a cool game or script.


[Full-disclosure] FFSpy, a firefox malware PoC

2009-05-19 Thread saphex
I think this is interesting, http://myf00.net/?p=18