AMO Validator Bypass Proof of Concept
This is a trivial Firefox extension that performs three potentially malicious tasks but would nevertheless be automatically signed by the addons.mozilla.org validator.
The validator cannot be improved to catch these behaviors. As a Mozilla engineer says:
There is simply no way to detect malicious code like this in a dynamic language like JS through static analysis of the source code.
For full context, see Automated Scanning of Firefox Extensions is Security Theater.
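To make the quoted claim concrete, here is an added illustration (not code from this repo's extension): a toy pattern-based scanner of the kind a static validator relies on, run against two snippets that do the same thing. The plain one is flagged; the one that assembles the same calls at run time is not, yet both execute identically. The scanner patterns, both snippets and the `runSnippet` helper are all constructed for this example.

```javascript
// Added example, not code from the bypass extension: a toy source-level
// scanner versus run-time-assembled equivalents of the things it looks for.

// Patterns a static validator might flag (constructed for this example).
const FLAGGED_PATTERNS = [
  /\beval\s*\(/,            // direct eval of a string
  /\bnew\s+Function\s*\(/,  // the Function constructor
  /\bnsIProcess\b/,         // XPCOM interface for launching processes
  /\bosascript\b/,          // the macOS scripting binary
];

// Return the patterns that match the source text; [] means "passes validation".
function scan(source) {
  return FLAGGED_PATTERNS.filter((re) => re.test(source)).map(String);
}

// Execute a snippet and return whatever it returns. Stands in for the
// privileged extension scope that actually runs the code.
function runSnippet(source) {
  return new Function(source)();
}

// Snippet 1: a remote-code loader written the obvious way. The "6 * 7"
// literal stands in for text fetched from a server at run time, and the
// launcher name is spelled out, so the scanner catches both.
const plainLoader = `
  const code = "6 * 7";
  return { value: eval(code), launcher: "osascript" };
`;

// Snippet 2: same behaviour, but no flagged token appears in the source.
// The constructor is reached through an array literal and the binary name
// is built from fragments, so every pattern above misses.
const obfuscatedLoader = `
  const code = "6 * 7";
  const F = [].constructor.constructor;          // reaches the function constructor
  const launcher = ["osa", "script"].join("");   // binary name, never spelled out
  return { value: F("return " + code)(), launcher };
`;

// Scan and run both snippets so the two outcomes can be compared side by side.
function demo() {
  return {
    plainFlags: scan(plainLoader),
    obfuscatedFlags: scan(obfuscatedLoader),
    plainResult: runSnippet(plainLoader),
    obfuscatedResult: runSnippet(obfuscatedLoader),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`. Adding patterns for `[].constructor.constructor` or `join("")` only moves the goalposts: any value reachable from the global object can be reached by a computed path that the source text never spells out, which is the point the Mozilla engineer is making.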
- Clone the repository:

  ```
  git clone https://github.com/dstillman/amo-validator-bypass.git
  ```
- Running a dev build? Don't forget to set `xpinstall.signatures.required` to `false`! Fortunately that wouldn't be necessary once this was automatically signed…
- Create a text file named `email@example.com` in your Firefox profile's `extensions` directory containing the path to the cloned repo.
- Start Firefox.
- Start netcat listening on a local port:

  ```
  % nc -l 11111
  ```
- Load http://test.webdav.org/auth-basic/ or any Basic Auth–protected site and enter any username and password.
The Base64-encoded `username:password` pair from the request's Authorization header should show up in the netcat output. The same mechanism could exfiltrate any other sensitive data, and it could just as easily be POSTed to a remote server.
Local process execution
(The default executable is available only on OS X. Feel free to sub in another program for your platform.)
An OS X system dialog should appear, spawned via the `osascript` command-line tool.
Remote code execution
- Start an HTTP server in the `remote` directory of the local repo:

  ```
  % cd remote
  % python -m SimpleHTTPServer 11112
  ```
An alert will appear showing the path to the Firefox profile directory. This alert is generated by code fetched from the local HTTP server at run time: the validator never sees it, yet it runs with the extension's full privileges.
Validation
Via the legacy `amo-validator`:

```
% ./build.sh
% amo-validator --selfhosted -v ../bypass.xpi
Summary:
------------------------------
Detected type: Extension/Multi-Extension
------------------------------
All tests succeeded!

Notice: Add-on appears not to be localized
    The add-on doesn't have any locale entries in its chrome.manifest file, which suggests that it may not be localized.
    Tier: 4
    File: chrome.manifest
```
Via the newer `addons-validator`:

```
% ./build.sh
% addons-validator ../bypass.xpi
Validation Summary:

errors    0
notices   0
warnings  0
```
Via the online validator:
Your submission passed validation and will be automatically signed.