AMO Validator Bypass Proof of Concept

This is a trivial Firefox extension that performs three potentially malicious tasks but would nevertheless be automatically signed by the addons.mozilla.org validator.

The validator cannot be improved to catch these behaviors. As a Mozilla engineer says:

There is simply no way to detect malicious code like this in a dynamic language like JS through static analysis of the source code.

For full context, see Automated Scanning of Firefox Extensions is Security Theater.

Installation

  1. git clone https://github.com/dstillman/amo-validator-bypass.git
  2. Running a dev build? Don't forget to set xpinstall.signatures.required to false! Fortunately that wouldn't be necessary once this was automatically signed…
  3. Create a text file named amo-validator-bypass@example.net in your Firefox profile's extensions directory containing the path to the cloned repo.
  4. Start Firefox.
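A defender-side check, added here and not part of the repository: it audits a Firefox profile for the two preconditions the installation steps above rely on, signature enforcement turned off in prefs.js and a "proxy file" in the extensions directory pointing at an unpacked add-on directory instead of a packaged .xpi. The sample profile it builds is constructed; the pref name and the proxy-file name are taken from the steps above.

```python
import os
import re
import tempfile

# Pref the README says a dev build needs set to false before the proxy-file
# install works. The pref name is the real Firefox pref quoted in the steps above.
SIG_PREF = "xpinstall.signatures.required"
PREF_RE = re.compile(r'user_pref\("%s",\s*(true|false)\);' % re.escape(SIG_PREF))


def audit_profile(profile_dir):
    """Return findings for a Firefox profile directory.

    Flags (a) signature enforcement disabled in prefs.js and (b) proxy-file
    extensions: non-.xpi files in extensions/ whose content is a filesystem
    path to an unpacked add-on directory.
    """
    findings = []
    prefs_path = os.path.join(profile_dir, "prefs.js")
    if os.path.isfile(prefs_path):
        with open(prefs_path, encoding="utf-8", errors="replace") as f:
            for m in PREF_RE.finditer(f.read()):
                if m.group(1) == "false":
                    findings.append(("signatures_disabled", prefs_path))
    ext_dir = os.path.join(profile_dir, "extensions")
    if os.path.isdir(ext_dir):
        for name in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, name)
            if os.path.isfile(path) and not name.lower().endswith(".xpi"):
                with open(path, encoding="utf-8", errors="replace") as f:
                    target = f.read().strip()
                # Record the proxy file, where it points, and whether that exists.
                findings.append(("proxy_file", name, target, os.path.isdir(target)))
    return findings


def build_sample_profile():
    """Constructed sample profile mirroring the README's installation steps."""
    profile = tempfile.mkdtemp(prefix="ff-profile-")
    repo = tempfile.mkdtemp(prefix="amo-validator-bypass-")  # stands in for the clone
    with open(os.path.join(profile, "prefs.js"), "w") as f:
        f.write('user_pref("browser.startup.page", 1);\n')
        f.write('user_pref("%s", false);\n' % SIG_PREF)
    ext_dir = os.path.join(profile, "extensions")
    os.mkdir(ext_dir)
    with open(os.path.join(ext_dir, "amo-validator-bypass@example.net"), "w") as f:
        f.write(repo + "\n")
    with open(os.path.join(ext_dir, "packaged@example.net.xpi"), "wb") as f:
        f.write(b"PK\x03\x04")  # placeholder bytes standing in for a packaged add-on
    return profile


if __name__ == "__main__":
    for finding in audit_profile(build_sample_profile()):
        print(finding)
```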

Running

Data exfiltration

  1. Start netcat listening on a local port:
     % nc -l 11111
  2. Load http://test.webdav.org/auth-basic/ or any Basic Auth–protected site and enter any username and password.

Your Base64-encoded username and password should show up in the netcat output. This could be any other sensitive data, and it could just as easily be POSTed to a remote server.

Local process execution

(The default executable is available only on OS X. Feel free to sub in another program for your platform.)

An OS X system dialog should appear, spawned via the osascript command-line tool.

Remote code execution

  1. Start an HTTP server in the remote directory of the local repo:
     % cd remote
     % python -m SimpleHTTPServer 11112
  2. Load https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/

An alert will appear showing the path to the Firefox profile directory. This alert is generated by unvalidated remote code that runs with full privileges.

Validating

Via amo-validator:

% ./build.sh
% amo-validator --selfhosted -v ../bypass.xpi

Summary:
------------------------------
Detected type: Extension/Multi-Extension
------------------------------
All tests succeeded!

Notice:	Add-on appears not to be localized
The add-on doesn't have any locale entries in its chrome.manifest file, which suggests that it may not be localized.
	Tier:	4
	File:	chrome.manifest

Via addons-validator:

% ./build.sh
% addons-validator ../bypass.xpi

Validation Summary:

errors          0
notices         0
warnings        0

Via the online validator:

Your submission passed validation and will be automatically signed.