Extension-Land: exploits and rootkits in your browser extensions

Presented at DEF CON 29 (2021), Aug. 8, 2021, 1 p.m. (45 minutes)

Browser extensions are installed everywhere and serve as an integral part of our day-to-day web routine, from ad blockers to auto-translators. But do we know what is running inside them? Do we know what goes on deep inside their communication routines? How do they use their internal APIs? And how do their different JS execution contexts work? In this session, I will explore these unique internal extension APIs and hidden attack surfaces, and show how these concepts can be broken and exploited in new ways. I start by showing how an attacker can "jump" from one low-permission Chrome app/extension to another, thereby elevating its permissions. Then, I will show how to gain full "browser persistency" inside the extensions' background-script context. Chaining it all together, I show how an attacker, starting from a low-permission Chrome app, gains a fully armed "extension rootkit": a persistent JS malware running inside a "good" extension, with C&C features, JS injection techniques for any tab/origin, obfuscation techniques and more. Finally, I will present a generic technique, targeting all Chrome users, for taking over any previously installed Chrome extension and implanting an "extension rootkit" in it.

Presenters:

  • Barak Sternberg - Senior Security Researcher
    Barak Sternberg is an experienced security researcher who specializes in offensive security. He is the founder of "WildPointer", previously an author at SentinelLabs ("Hacking smart devices for fun and profit", DEF CON 2020 IoT Village), and has led innovative cybersecurity research. Barak spent more than six years at Unit 8200, IDF, as a team leader of 5-10 security researchers. He is highly skilled in offensive cyber security, from vulnerability research in various areas (Linux, IoT, embedded and web apps) to analyzing malware in the wild. Barak is also a CTF addict, posting write-ups and technical vulnerability analysis on his blog (livingbeef.blogspot.com). Barak holds a BSc and an MSc in CS focused on algorithms from Tel-Aviv University, and a DJ certificate from BPM College. @livingbeef https://livingbeef.blogspot.com/ https://www.linkedin.com/in/barakolo/ https://www.barakolo.me
