Cross Context Scripting

published: August 23rd, 2006

I was thinking about alternative ways of exploiting the browser without going through the process of finding overflows or other common vulnerabilities. The first most obvious thing I come across is exploiting the user space plugins. There are many reasons why attackers might go for this type of targets, one of which is that plugins are not written with security in mind.

Let’s have a look on Firefox extensions security implications. Because extensions make use of standard technologies such as JavaScript, XML, RDF, CSS, it could be possible to transfer malicious code from a remote page into the browser context. Here is a simple scenario:

the user visits evil.com
the malicious site detects the currently installed Firefox plugins
upon detection complete a vulnerable plugin is targeted
based on the plugin type and version, a malicious content is written inside the current document
this content is read by the vulnerable plugin
because the plugin does not perform any data sensitizations, the malicious JavaScript code jumps from the restricted sandbox into the browser context, which is unrestricted.

The result of this kind of attack is quite obvious. Once restricted web script cross into your browser context, higher access permissions are granted. From this point on, the script can install other scripts and modify your file system. Attackers will be able to hijack your browser and backdoor every page you visit using greasemonkey script for example. This means that every page you visit will leak sensitive information about you. It is also worth mentioning that once your browser is compromised the attacker can use it as part of a botnet to attack other machines.

» more | » comments rss | posted by pdp | syndication and integration ( )

comments

Aviv responds:

Why bother detecting the plugin? If there is a vulnerable plugin, an attacker can always try to exploit it. If the victim doesn’t have the plugin installed, the exploit will just fail (or quietly fail, using try..catch clause).

pdp responds:

In a way you are right. Just registering the malicious content should trigger exploitable condition. On the other hand, I believe that extra checking is always good. Exploits are software after all. Software should fail gracefully no matter what it does. Extra checks are required pretty much always, IMHO.

There is a tendency in the computer security community to create hacks (things that work but also fail because of number of reasons). Most worms and exploits I have seen are hacks as well. I wonder what a graceful and beautifully written worm or exploit can achieve.

respond

In order to preserve the high standards of GNUCITIZEN, before you post a comment, please take note of the following guidelines:

Commenting is provided as a courtesy only.
Please be brief and relevant to the post.
Please be polite even in disagreement with us or others.
Support claims you wish to make using sources and links.
No personal attacks, name calling, or commercial commenting.
Anyone creating false or multiple identities will be banned.
If you don't have a cogent argument, you will be censored.
If you are purposefully deceptive, you will be censored.
No spamming or flooding.

We appreciate your time and effort in contributing to GNUCITIZEN.

name: (required)

mail: (required)

website:

comment:

GNUCITIZEN Products

	Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.
	Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.
	Websecurify is a division of GNUCITIZEN. The initiative was established to provide a fee web application security framework for automated and manul penetration testing. The service is still in private-beta.
	Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.
	Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.