All right, so our next presentation is "Extension-Land: Exploits and Rootkits in Your Browser Extensions" by Barak Sternberg. He is your father.

I'm super excited. This is my first talk at DEF CON ever, so with this in mind, whoop, we are going to get started. So: Extension-Land, exploits and rootkits in your browser extensions.

First, a little bit about me. I'm a security researcher; my name is Barak Sternberg, and I'm also a founder at White Pointer. I was previously at SentinelOne Labs. I did a talk about hacking small devices for fun and profit last year in the amazing IoT Village, and I did my master's on algorithms. I love vulnerability research, from IoT to embedded devices, Linux, web apps and much, much more. To conclude, I'm also a DJ and party lover, so check out my Mixcloud for more mixes and stuff like that.

With this in mind, let's start. So, our motivations for extensions. Well, first, we have more than 2 million extensions in the web stores out there. So we have so many extensions, and many are malicious. We all know about malicious extensions, right? And why are they so commonly used for malware? First, they have so many permissions: you can easily run JavaScript inside any origin targeted with a Chrome extension in mind. They can let you control the entire browser and much, much more. They are stealthy in a sense, and they are cross-platform, so they can run on any desktop OS, like Mac, Windows, whatever. And they are really easy to develop; extension malware is much easier to develop than similar malware, right?

And why did I focus my research on extensions? Well, first of all, I love this idea. There are just a lot of cool things inside of them, cool APIs, interesting areas to explore. The main key point is that the attack surfaces inside of them have new, well, not new, but interesting and unique APIs, they lie in different contexts, and they have these super browser powers.
So let's now talk about these super browser powers, but before that I'm going to give a brief overview of my talk. We are going to start with an introduction to Chrome extensions: the anatomy of Chrome extensions in general, and extension communication. After that we're going to exploit two different extensions in cool new contexts. The first one is the Zotero extension and the second one is the Vimium extension. In the first, we will jump from one Chrome app to another Chrome extension, elevating our privilege, a PE kind of style. The second one is Vimium; we use it to get UXSS. And finally we will kind of bypass the signature check of extensions inside the Chrome browser. To do that we will use a modified kind of technique that will help us change previously installed good extensions, converting known installed extensions into bad ones. With this in mind, let's get started.

So, extension anatomy, the basics. First, an extension is developed of two main components, if we speak generally: content scripts and the background context. The content script is like the front end. It's temporarily loaded, kind of inside every matching site. So for example, you have a site that is matched for a specific extension, and the extension declares "this is a site that is matched"; then the content script gets loaded: the JavaScript gets loaded, and it is accessible to the site's DOM and many, many more things. There is also the background context. The background context is actually kind of the back end of the extension itself. It's running in a specific, dedicated process and a different context, and it is also persistent.
They run once, persistently, in the background. To conclude, the extension directory: well, I focused on Windows, but it's truly applicable to more operating systems running Chrome with the extensions feature on desktop. The extensions directory lies inside this folder; you can see the local app data here. They are kind of unpacked; all the JavaScript and stuff is in there. They have the extension manifest (if you know the manifest inside Android, the XML file, it's the same): it defines permissions and more things. And they also have a signature, so at runtime, and also while installing, this signature gets verified and is kind of checked all the time. Cool.

So, manifest anatomy. This is the manifest. It is composed of three main fields in that JSON file. You have the background, so the background consists of the scripts that are used to run in this context. First you can see the background scripts that should be run there, whether persistent or maybe triggered by something else to be run in the background. Content scripts are the scripts that, well, run temporarily as the front end in the matching sites. The interesting thing is you can see the JavaScript here: you can see the JS file that gets loaded and in which sites it should be loaded, so you can see it here. And the last point is the web accessible resources and the permissions. Permissions, as you might think, are actually the permissions for the extension itself. They can consist of cookies, storage, history, tabs and much, much more; also sites that are accessible; I can give a hint also: file origin URLs and stuff like that. And web accessible resources are actually cool kinds of resources that the extension exposes to other websites. So for example, you can add them in your site in an iframe, or open a window with them, accessing this chrome-extension URL. Very cool. Okay, communication in extensions.
So let's say we surf to Google, and now all the extensions that are configured to run in the Google site context get loaded. You can see here two different parts. The first part is the web context: it consists of the DOM area, which is like all the elements of the HTML and stuff like that of the google.com site, and also the page scripts that run inside Google, that refer to it and do some changes in there. But the main interesting thing is that on the right side you can see the content scripts of the extensions that get loaded in the context of google.com, but in their own separate origin, the extension origin. You can also see that the content script can communicate with the background context. Why is that? Because the background context has much more access, more permissions; it can do more things, it runs persistently, it can update more stuff. So we have communication between content scripts and the background context, we have communication between the content scripts and the sites themselves, and I will also show more communication ways.

So, communication between websites and the extension's content script. Considering that, we have a couple of ways to do so. The first is, well, cross-origin messages.
We can just do, you know, JavaScript postMessages between content scripts and the site itself. You can do postMessages between them, define a message listener, and just communicate easily. Also DOM changes: sometimes DOM mutation events, and even the elements and the classes themselves, are fully inspected by the extension's content script, and it's a really interesting attack surface to explore. So for example, if it gets some data from there and tries to do a couple of things because of that, it might be a really good surface, right? So this is the DOM mutation. And the last thing I talked to you about is the accessible URLs. The accessible URLs are the URLs you can add to your sites that are internal to the extension, so we can use them and add them, for example, as an iframe; you can open a new window with them and much, much more.

Cool, so this was content script versus websites. Now, websites versus the background context. First, there are cool things inside the background context: for example, it can proxy requests between the site that is now being shown to the user and the background context itself. So for example, the background context can hook some request being fetched.
I don't know, resources, when they are being fetched, and then do some operation considering that. Also, the background context has access to all kinds of information, sometimes depending on the permissions of course: tabs, cookies, storage and much more, and can inspect them, so it can be a very, very cool way to gain more things to do in the attack surface scenario. Cool. And the last bullet is a thing that can also be specified in the manifest: these are externally connectable pages. By externally connectable pages, I mean, well, it's not the accessible URLs; it's pages that can actually do message passing to the background context and bypass, in a sense, the content script. So you can define in the manifest sites that are accessible to the background context and can send many messages back to it. Cool. So it's exposed with the sendMessage API, and the manifest states which sites are accessible to this context.

And last, extensions versus extensions. Many extensions can communicate with other extensions as well, and the ways they can do it are: first, all the ways I told you about between websites and extensions are actually kind of exposed to these extensions as well. The second thing is the externally connectable sites. So the cool thing, well, I'm now skipping over to the last bullet: you can actually kind of do cross-extension message injection. The way you can do it is because, well, if for example one extension defines one site as externally connectable, you can inject from your first extension into this site a new script that triggers message passing to the other extension, and that way you can send messages directly to the background context of the other extension from the first extension. So this is a cool way to communicate between a first extension and the background context of another extension, of course only if defined in the manifest. And last, TCP and UDP connections: many of them use open TCP connections to communicate and connect to other things and stuff.
So that's a really cool thing and attack surface to explore. Cool, let's now start with exploiting the Zotero extension. The Zotero extension is actually kind of an academic extension. It helps you get identifiers for specific papers and lets you easily manage all your citations in one place. Actually, it was really easy to do when I did my master's; it was amazing, using these citations fully embedded and shareable anywhere. It also works with the companion Zotero desktop, which is a piece of software, and they communicate between them, but it's not mandatory. So the extension sometimes, and actually usually, works independently on its own, and it communicates through a TCP port.

One of the cool features inside the Zotero extension was actually its translators. It has translators, but not like a translator from French to English, more like extractions to identifiers inside the web. So you have this translator, which is JavaScript that is loaded inside the content script of the current site and tries to extract identifiers that are related to citations. You can use this translator to extract more identifiers and help you cite more papers and such. But the cool thing about this is, well, it's an open source thing. There are more than 500 JavaScript translators on GitHub, and they are open source, and whenever you update one of them it can run over any site when the Zotero extension is installed. So one attack surface I'm not going to talk about fully here is supply-chaining these kinds of things. It's really suspect because it's open source and we can change the JavaScript translators in there. But leaving the supply chain attacks, let's go to another cool thing inside.
So the Zotero translators also have this cool system in which they can update their translators: you can call getTranslators, and it calls over TCP to localhost. Why does it do that? It does localhost communication because it thinks that the Zotero desktop version might be installed there. So it tries to communicate between itself and the Zotero desktop version, and it reaches out to localhost at this high port and looks for new translators. If there is a new translator, it just downloads it and runs it. Oh, that's amazing, right?

So yeah, exploiting it. We start with a Chrome app, a Chrome app that listens on a TCP socket, and we just wait for Zotero to act up. When it acts up it looks for new translators, downloads our new translator, because we made it believe that we have a newer translator to download, and it then just downloads it and runs it. But wait, we actually have a sandbox execution inside there. You can see here that they actually wrote a sandbox manager, kind of, and they try to do eval, which might not be that bad in a sandbox-manager kind of thing. But it actually doesn't do anything; it just removes some JavaScript variables and just executes your JavaScript in the context. So that way we jump from the Chrome app into that Chrome extension, Zotero.

So now, keep in mind we are inside the content script of Zotero. We are lying inside the content script, but we are not that persistent, right? We want to have more permissions; we want to run in the background context. So at this point I was like, okay, let's see what the attack surface inside the content scripts is. Inside the content scripts we now have much more attack surface. Why is that? Because now we can send messages to the background context. We can also access some shared extension URLs because now we are running in the Chrome extension origin, so maybe there's some kind of interesting thing we can bypass.
I don't know. And also there is a storage and configuration thing. I started from the end and just tried to look for eval inside the background context, and just found, like, I don't know, a Google Docs integration system, probably like a run-code integration system, I don't know, and they just do eval in the background context. I tried to figure out why they do it. So Google Docs has a specific integration system inside Zotero. Zotero tries to integrate it in another manner, through its own JavaScript files, and it actually can update these JavaScript files, yes, again from some repo. But in this case this JavaScript file gets downloaded from a configured URL, so we can just listen on some port and do what we did, yes, like the other way. We need to find a new mechanism to exploit it. So you can see here: it finds the new code repo URL in the background context, and downloads and injects the script here. Very cool, but how can we change this configuration? How can we make this configuration, well, exposed to us? Actually, we don't need to do so much work. The configuration is already available to us, and the cool thing is that this is a new kind of attack surface in respect of Chrome: you can inject configuration from one context and it will appear in the background context as well. So this is exactly what I did: I injected a new configuration value in the content script to say to it, "yeah, I got a new repo URL, yeah, that's cool, update my JavaScript from there, yeah, why not", and it just updated it. To conclude this jump from content script to the background context: what I did was, well, inject a new configuration for this Google Docs integration URL, and the Zotero background gets loaded, restarted, whatever, and it just fetched my repo, my new kind of malicious repo JavaScript, and executed it freely in the background context.
So this is the full chain, from one Chrome app to the background context of the Zotero extension, and the amazing thing is that it's also persistent, because the background context in Zotero gets loaded every time, this Google Docs integration, and it also gets loaded any time Chrome starts. So we can just sit freely and easily in the background of Zotero that way. Cool.

So now I will show you a demo video of how it looks. The scenario is that the user installed a Chrome app; we jump from one Chrome app to another, the Zotero Chrome extension. We open this TCP localhost, we inject the JavaScript into the translators, and then we inject the configuration; we bypass the things to get from the content script to the background, and then we run the background context, and I will show you how it looks. So here you can see, yeah, this is my app. Really, really good app. No permissions, like, it only has a permission to use TCP; you can see it has no access to any site whatsoever. Yeah, and I'll go to the Zotero extension, Zotero Connector, and you can see it can have access to all sites, with your old browsing history and stuff. And now I'll show what happens after we've injected our code inside the Zotero extension. And now it looks, to a naive user, you can also see that nothing is shown here, and now things have already run. So you can see here that my C&C gets new data from the site whenever this site gets loaded and runs away. There is no evidence in the DevTools, nowhere, because I actually open a new different context and send all the data from a different VM JavaScript context. So you can see nothing in the DevTools, and if you like you can surf, and you can just see everything back in the background. You can see DevTools shows nothing, and then I show that it sends my data back to my C&C server. Okay. Yeah, and this is my C&C server back. Cool.
Okay, so this was the first exploit, the Zotero extension. Now let's move on to another extension, the Vimium extension. The Vimium extension makes your browser a Vim-like kind of thing, so you can edit, jump and search for new kinds of things inside the browser. For example, if I click some button while I have this Vimium extension, I can just go and navigate easily with my keyboard, without a mouse and without anything, and it's a really cool thing because it makes my browser Vim-like. That's really cool.

So now our goal is to exploit it, and our attack scenario is slightly different, because I want to show an interesting new kind of vulnerability that depends on the communication inside this extension. The attack scenario is: the user enters your site, executes my JavaScript, and my goal is to exploit the Vimium extension, well, to bypass, to actually do a kind of UXSS. So let's consider the widgets; these are like the gurus inside of Vimium. You have the Vomnibar widget, you have the help widget, the visual mode; I don't care about them. I care only about the first one, this is the JavaScript run-code widget, and this is the Vomnibar widget. So let's see what the Vomnibar is. The Vomnibar is actually kind of a bar you can open up when you press "o", and it opens up this bar, you can see it on the left; you can search and jump to sites and do many, many things. So when you press "o", the Vimium content scripts, you remember, in the background, catch the key you pressed and then just add the Vomnibar iframe, which is an accessible URL. So it adds this iframe, and after it does that it just authorizes to this iframe: it sends to it, "okay, I have this Vimium secret", which was pre-initialized in the background context while Chrome was running the first time, and it authorizes it and then just sends commands to the Vomnibar.
It just sends commands to trigger a search query, to do things, to search for web requests, whatever you want, web resources, and it's a really cool attack surface. So I was saying, like, wait, why not exploit it and try to communicate and increase our attack surface to communicate freely with the Vimium Vomnibar, and that's exactly what I did. So the exploit idea was: let's insert our own Vomnibar iframe, because it's an accessible URL, inside our page. Now let's try to connect to it with postMessage and try to send maybe a fake secret or something to bypass authentication, and now we can send commands to this Vomnibar thing. Cool.

So, unfortunately or fortunately, the Vimium secret is generated with a really, really state-of-the-art random number generator; you can see that Math.random is being used, JavaScript Math.random. Man, this one is kind of easily breakable if you are in the same process, like the xorshift algorithm; it's a really cool thing to exploit. But unfortunately it runs in a different context and is initialized once in the background context of Vimium, so I couldn't easily break it using known breakers, because the seed of the random itself is not in my process; it's in another process. So I can't easily break it, but it's only two billion kinds of number options. So yeah, you guessed right: let's just brute force it. This is the brute force code for exploiting the thing and finding the secret; if it succeeds I get this channel open, if not, no response. You might ask yourself, like, "wait Barak, come on, it would take so much time", but the thing is that, well, first, there are not so many numbers, and second, we can use web workers to increase the way we do this brute force. And now, why do we do that?
So remember, if we run JavaScript it can sometimes stop running because we waste too much memory consumption, CPU consumption and stuff, but with web workers we can just easily trigger this brute force over and over from the back end of the web workers, which are supposed to run all the time. So I only need the browser to stay up; I don't even need the screen to be on, and I don't even need my tab to be open. So just keep the browser open, our brute force runs, and that's it. Amazing.

So we've managed now to brute force and break the Vimium secret; we can communicate freely with the Vomnibar iframe. But what commands does this iframe support, right? It might have a lot of attack surface to explore, and it might be very cool to explore this attack surface. So first, it can trigger a search for new URL completion. It can activate search and jump to new URLs, and search for hints, auto-completion and stuff. Yeah, and, well, also run JavaScript code. This is what we are about here, right? So how can we do that? Just search for the JavaScript scheme, and voila, you can see that it actually triggers JavaScript execution, but in my site. Well, I don't want to run JavaScript in my site; what does it give me, right? So I'm in my page, I'm running this Vomnibar iframe, I communicate with it, and I trigger an alert in my site. No, I don't bother with it. But let's now see what happens behind the scenes with this communication. So when we trigger this search for new URLs...
What happens is that the Vomnibar iframe tries to find auto-completion for this scheme. So the content script of Vimium sends a message to the background scripts to find relevant auto-completions. Now the background script sends a message back to the content scripts inside this tab, to the sender in a sense, but then all the content scripts inside this tab get the message and execute this JavaScript inside their frame. So you can see the problem here. Well, the main problem is that if there is more than one content script of Vimium, we can actually trigger another content script to execute our JavaScript from another one. What we will do is trigger auto-completion for JavaScript from one content script, and the background context will send the message to another content script. The reason it happens is that sendMessage doesn't have any validation of anything inside there. They don't validate the origin, they don't validate the sender in a sense, so it gets sent to any of the common content scripts inside this Vimium area.

So, exploit. We just insert our targeted origin as an iframe inside our page. We trigger the Vomnibar, bypass authentication, and we then activate the search for the JavaScript scheme with our own JavaScript code to be run inside of it, and then it just triggers JavaScript execution inside another page. Cool. Let's see it in a high-level kind of picture. So the Vimium content script gets triggered; the content script sends a message from one iframe, the top iframe, to the background context. Now the background script sends a message back to the tab, which appears here, and you can see that the iframe, which is a sub-iframe here, gets the message, and also the parent iframe gets the message as well. So what we do is actually trigger it to send messages to another iframe, and we manage to execute JavaScript that way in another target origin. Cool.
So, concluding, the full exploit to bypass SOP using Vimium is: first you break the Vimium secret. You insert a Vomnibar iframe inside and you communicate with it freely, because you broke the secret. Now you trigger the auto-completion for the JavaScript scheme, and when the response gets back, the targeted origin gets it and executes our JavaScript. Very cool. Now, let's see a demo of that. Okay, you can see this is Vimium, which actually got updated and fixed. Okay, this is my site, and here we can see that code was run inside facebook.com, and you cannot see here any signs of facebook.com because it's a hidden iframe inside of me, and you can see we can cover it. But you can see the Vomnibar with the JavaScript scheme and the code I wanted to run inside of it, so we can actually cover it and make it seem really, really good, and it's really easy to exploit. Cool. So we exploited Vimium.

Now let's move on to the last step. What I want to show you now is kind of a new trick to bypass signatures and replace and modify previously installed extensions in your browser. Well, the scenario here is post-exploitation. So we managed to run code on the user's device; we already installed a persistent rootkit, sorry, we want to install a persistent rootkit, and our goal is to, well, of course, use extensions to install a persistent rootkit inside the browser. One of the things I'm going to show also is that, well, we can install a persistent JavaScript rootkit which can also have access to the file system, read access, cookies, tabs, passwords, much, much more, and it's stealthy because it's running in the Chrome context. So, yeah, again, keep in mind extensions are signed. So once you install them, they continuously get verified.
So even if I change them at runtime, Chrome will just say, "okay, the signature is not good", and it doesn't run the new JavaScript. But extensions in unpacked mode, well, apparently there is a cool mode for developers in which they can develop their extensions, and this unpacked mode gives them the opportunity to not sign their extensions and just develop them easily. So if an extension gets loaded in unpacked mode, which is an easy argument to add to your Chrome, and a good way to do red teaming or pen testing I guess, you can actually replace or add a new extension that is easily modified and not signed. But the even cooler thing is that you don't need to add a new extension to do so.

So, exploiting. Let's pick an already installed extension: for example, you have an ad blocker, Google Docs, any other extension. What we will do now is actually try to reload it, in a sense, while making Chrome think that it is in unpacked mode. So we will load this extension; you can see the argument --load-extension, and it points to the original extension folder, to the original extension dir, so we don't even need to add our own files or anything. Why do we do that? When we run Chrome again, it just doesn't verify the signature for the previously installed extension, and this extension, I will show, seems exactly the same. Chrome thinks that the good extension is installed and it seems like it's all good. Cool, so let's see now a demo of that. This might fail. You can see my ad blocker is the target; it's installed, Chrome thinks it's installed correctly, all good, no problems. Yeah, the original site in the web store, and you can see here that it's also seemingly almost exactly the same, besides a small tiny icon in there, but it's only in the extension area, and Chrome doesn't give any warning about that when you open Chrome or anything like that. It seems exactly the same, and you can see here below.
I moved on to the background context. This is what you see here, and you can see that my JavaScript was executed in this terminal console; you can see it below there. So I injected my JavaScript code inside that ad blocker. It seems exactly the same; you won't even notice. If you investigate it statically and see what extensions are installed, you will see this one and all good, no signature verified. And yes, we can also enhance our permissions; with this technique we can also change the whole manifest file.

So this leads me to, well, my final thing here. I also developed a tool you can enter and use. It's a POC kind of thing, and it's called "my tensions", and it's a cool tool to generate your own malicious extensions for the browser. You can use them either as JavaScript you can add to the background context of some already installed extension with the unpacked mode, or you can use it as a new extension you're trying to install. Its features consist of, well, you can inject and run JavaScript in any context; there are several techniques there in the modules directory. You can have file system access with file:// origin URLs, because I can increase my permissions with this post-exploitation method; access to sites, tabs, user storage data and much, much more. It also contains simple C&C communication. So, conclusions. Well, first...
Yes, extensions are, and can be exposed much more to, PEs. PEs for extensions are possible in a sense: you can elevate privilege from one extension to another, you can gain more privileges if you develop a seemingly harmless extension and move from one extension to another. The second thing is, well, unfortunately or fortunately, depending on which side of the map you are, detections will get much harder. Detecting these kinds of things is harder because you see Chrome thinks the original one is installed and all good. Also, so many, you remember the 500 translators in JavaScript that run over three million users, so they're all exposed, and I don't know what is inside all of these 500 translators, and so detections will get harder. Third, there are much more attack surfaces to explore: we have so much more attack surface, communication and much, much more. And last, well, malicious extensions are here to stay. It's about time we investigate and research much more inside of them and try to find out how we can protect and defend more regarding them, not just from non-malicious installed extensions, but even more about their communication and dynamics and much more things they do inside of them.

Okay, so with this in mind, thank you so much. It was a pleasure. It was my first time speaking at DEF CON. I'm so excited. I'm here if you have any more questions. So my name is Barak Sternberg; you can look me up on Twitter, LinkedIn, and, well, that's it.
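The following is an added defensive example, not part of the talk transcript above and not code from Zotero, Vimium or the speaker's tool. It turns two points from the talk into checks a defender can run: a manifest.json triage that surfaces the fields the talk walks through (sensitive API permissions, broad host patterns, externally_connectable pages, web_accessible_resources, content scripts matched on every site), and a command-line check that flags a Chrome process started with --load-extension pointing into the profile's own Extensions directory, which is the reload-as-unpacked trick shown at the end of the talk. The sample manifest, the extension id, the user name and the paths are constructed placeholders; the list of sensitive permissions is illustrative, not exhaustive.

```python
"""Defensive triage for Chrome extensions (added example).

1. triage_manifest(): which manifest.json fields widen an extension's reach.
2. unpacked_from_profile(): does a Chrome command line re-load a store-installed
   extension from the profile's own Extensions directory via --load-extension?

All sample inputs below are constructed for this example (hypothetical
extension id, user name, path and manifest), not taken from any real extension.
"""
import json
import re
from pathlib import PureWindowsPath

# API permissions worth a closer look; illustrative, not exhaustive.
SENSITIVE_APIS = {
    "tabs", "cookies", "history", "storage", "webRequest", "webRequestBlocking",
    "nativeMessaging", "debugger", "proxy", "management", "downloads", "sessions",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_broad_host(pattern):
    """True for match patterns that cover every site or the file:// origin."""
    return pattern in BROAD_HOST_PATTERNS or pattern.startswith("file://")


def triage_manifest(manifest_text):
    """Return a dict of findings for one manifest.json (MV2 or MV3 layout)."""
    m = json.loads(manifest_text)
    findings = {}
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    declared = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    apis = sorted(p for p in declared if p in SENSITIVE_APIS)
    if apis:
        findings["sensitive_apis"] = apis
    hosts = sorted(p for p in declared if _is_broad_host(p))
    if hosts:
        findings["broad_hosts"] = hosts
    # Pages allowed to message the background context directly, bypassing content scripts.
    ext = m.get("externally_connectable", {})
    if ext.get("matches") or ext.get("ids"):
        findings["externally_connectable"] = {
            "matches": list(ext.get("matches", [])), "ids": list(ext.get("ids", []))}
    # Resources any site may embed (MV2: list of strings; MV3: list of {resources, matches}).
    exposed = []
    for entry in m.get("web_accessible_resources", []):
        if isinstance(entry, str):
            exposed.append(entry)
        else:
            exposed.extend(entry.get("resources", []))
    if exposed:
        findings["web_accessible_resources"] = exposed
    # Content scripts injected into every site.
    everywhere = [js for cs in m.get("content_scripts", [])
                  if any(_is_broad_host(p) for p in cs.get("matches", []))
                  for js in cs.get("js", [])]
    if everywhere:
        findings["content_scripts_on_all_sites"] = everywhere
    return findings


# --load-extension=<path>[,<path>...]; the value may be quoted on Windows.
_LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')


def unpacked_from_profile(cmdline):
    """Return --load-extension paths that point inside a Chrome profile's
    Extensions directory, i.e. a store-installed extension re-loaded unpacked."""
    match = _LOAD_EXT.search(cmdline)
    if not match:
        return []
    raw = match.group(1) if match.group(1) is not None else match.group(2)
    suspicious = []
    for path in raw.split(","):
        parts = [p.lower() for p in PureWindowsPath(path.strip()).parts]
        if "user data" in parts and "extensions" in parts:
            suspicious.append(path.strip())
    return suspicious


# Constructed sample manifest (MV2 layout) with the fields the talk discusses.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "constructed sample",
    "version": "1.0",
    "permissions": ["tabs", "cookies", "storage", "<all_urls>"],
    "background": {"scripts": ["background.js"], "persistent": True},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "web_accessible_resources": ["widget.html"],
    "externally_connectable": {"matches": ["https://partner.example/*"]},
})

# Constructed command line; the 32-char id and the user name are placeholders.
SAMPLE_CMDLINE = (
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--load-extension="C:\Users\alice\AppData\Local\Google\Chrome\User Data'
    r'\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\3.11.2_0" --no-first-run'
)

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
    print("unpacked from profile:", unpacked_from_profile(SAMPLE_CMDLINE))
```

In practice the manifest check runs over every `manifest.json` under the profile's Extensions folder the talk points at, and the command-line check runs over process-creation telemetry for chrome.exe; a hit on the second check for a path that also exists as a normal store install is exactly the situation the talk describes, where the extensions page looks unchanged but the signature is no longer being verified.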