A few years back I was working in tech support. One day I got a call from a co-worker who claimed his internet speed was so slow that he couldn’t do his job properly. When I got there I saw he had literally 25 to 30 tabs open in his Firefox browser, and he seemed very confident that those open tabs had nothing to do with his ‘speed’ problem.
All jokes aside, I also found he was using a considerably older version of Firefox than everyone else. When I asked, he said the browser had been prompting him to update itself too frequently, so he had ‘told’ it to stop asking because he found the prompts annoying.
I think this is a pretty common issue in any organization that doesn’t enforce a strict update policy. So, today let’s find out what could possibly happen if we don’t update our browser periodically.
This post will show one of the many ways cybercriminals can exploit a user’s Windows-based computer using a reverse TCP connection, a Mozilla Firefox bootstrapped add-on and the well-known penetration testing software “Metasploit”. The exploit module creates a *.xpi Firefox add-on file. When the victim opens the generated URL, the victim’s Firefox browser shows the add-on and asks whether to install it. Once the victim clicks the dialog to install the add-on, the payload is executed and the attacker gains full permission to navigate the victim’s computer.
Figure 1. Loading the Firefox bootstrapped add-on module
Figure 2. Setting a reverse shell payload and generating a URL for the victim.
Reverse TCP is probably one of the most popular ways of connecting to a target computer with very little manipulation. Since the module generates a URL, the attacker can wrap that URL in a web domain address that looks familiar to the victim; the chance that the payload gets executed is then higher than with bind shell exploitation, which works the opposite way round to a reverse shell. Bind shells and reverse shells are both commonly used to exploit a target system. With a bind shell, as the name suggests, an application on the victim’s machine is bound to a certain port, and the attacker then connects to that port. Once the connection is made, the attacker has access to the victim. With a reverse shell, on the other hand, the attacker’s computer becomes the listener and waits until the victim executes the delivered payload, which connects back out to the attacker.
Figure 3. Bind Shell and Reverse Shell (image source: InfoSec Institute)
Figure 4. Upon opening Firefox, the *.xpi add-on is sent to the victim (upper picture: the victim’s Firefox, lower picture: the attacker’s Metasploit)
Figure 5. The victim’s browser pops up a question (upper) and the victim accepts installation of the add-on (lower)
Figure 6. After the victim has installed the .xpi add-on, the attacker can connect to the victim’s system via ‘meterpreter’, a payload integrated in ‘Metasploit’
Figure 7. The connection is successfully made and the attacker can now browse the victim’s computer (including other user accounts) with read/write access
Once access is granted, the attacker can explore the other user accounts on the victim’s computer. In this lab, the user account that actually installed the add-on was ‘students’, but accessing other accounts such as ‘administrator’ with read/write privileges was also possible, because the ‘students’ account had admin privileges.
2. How to prevent this exploitation
Protecting your system from this .xpi add-on attack via Firefox is simpler than you think: ‘Update your Firefox’. From version 41, Firefox blocks unsigned extensions from being installed by default. However, this not only prevents possible exploits from attackers, it also blocks genuine extensions that were developed for a company’s internal use. In that case, the administrator can disable this security function manually.
Figure 8. The latest version of Firefox blocks .xpi add-on installation by default
Figure 9. The administrator can manually control installation of unsigned extensions
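The two settings discussed above can be audited rather than eyeballed. The following is an added example (not code from the original post) that parses a Firefox profile’s prefs.js for the signature-enforcement and auto-update preferences, and reads an enterprise policies.json ExtensionSettings block that blocks every add-on except an allowlisted internal one, which is the alternative to switching signature checking off for everybody. The prefs.js and policies.json contents are constructed samples, and the add-on ID internal-tool@example.com is a placeholder. One caveat worth knowing: on Firefox Release and Beta builds from version 48 onward the xpinstall.signatures.required preference is ignored, so that finding matters on old versions or on ESR, Developer Edition and Nightly builds.

```python
import json
import re

# Constructed sample of a profile's prefs.js, standing in for the profile of a user who
# switched off update prompts and signature enforcement. Not taken from the original post.
SAMPLE_PREFS_JS = '''\
user_pref("app.update.auto", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("xpinstall.signatures.required", false);
'''

# Constructed sample enterprise policies.json (assumed use of Firefox's ExtensionSettings
# policy): every add-on blocked except one placeholder internal add-on ID.
SAMPLE_POLICIES_JSON = '''\
{
  "policies": {
    "ExtensionSettings": {
      "*": {"installation_mode": "blocked"},
      "internal-tool@example.com": {"installation_mode": "allowed"}
    }
  }
}
'''

# prefs.js lines look like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs_js(text):
    """Map pref name -> value. JS literals (true/false/numbers/strings) decode as JSON."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep anything exotic verbatim
    return prefs


def audit_prefs(prefs):
    """Return findings for preferences that weaken the defaults discussed above."""
    findings = []
    if prefs.get("xpinstall.signatures.required") is False:
        findings.append("xpinstall.signatures.required=false: unsigned .xpi add-ons can be installed")
    if prefs.get("app.update.auto") is False:
        findings.append("app.update.auto=false: the browser will not update itself")
    return findings


def effective_install_mode(policies_text, addon_id):
    """Installation mode that ExtensionSettings applies to addon_id.

    A per-ID entry wins over the "*" default; with no entry at all, installation is
    treated as allowed (assumption used by this example).
    """
    policies = json.loads(policies_text).get("policies", {})
    settings = policies.get("ExtensionSettings", {})
    default_mode = settings.get("*", {}).get("installation_mode", "allowed")
    return settings.get(addon_id, {}).get("installation_mode", default_mode)


if __name__ == "__main__":
    for finding in audit_prefs(parse_prefs_js(SAMPLE_PREFS_JS)):
        print("FINDING:", finding)
    for addon in ("internal-tool@example.com", "unknown@example.org"):
        print(addon, "->", effective_install_mode(SAMPLE_POLICIES_JSON, addon))
```

Run against a real profile by reading the prefs.js file from the profile directory and the policies.json from the Firefox installation’s distribution folder; the policy check is what lets an organization keep signature enforcement on while still deploying its internal extensions.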
3. How to prevent reverse shell type exploitation
Since a ‘reverse shell’ itself is not a network or system vulnerability, protecting your system from reverse shell type exploitation without interrupting authorized traffic can be a lot trickier than ‘keep your applications updated’. However, implementing the following recommendations would greatly reduce the chance of an incident. If the company wants to protect its information from such attacks, deploying an application control firewall that inspects all application traffic would be the right approach. Nowadays malware doesn’t need executable files to deliver itself, as it hides in PDF or Flash video files that were traditionally considered safe from infection. Therefore, detecting and blocking application-borne malware is another core function that must be considered. If the company has frequent security-breach-related problems, then periodic user training would be more effective. Many security reports indicate that malware’s favourite method of exploitation is manipulating the user.
Figure 10. Application control firewall
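An application control firewall works on the principle that the process making a connection matters as much as the destination. The same idea can be applied on the endpoint when investigating a suspected reverse shell: a browser holding an established connection to a non-web port, or a command interpreter holding its own outbound TCP connection, are the kind of indicators worth alerting on. The following is an added example, not code from the original post, that runs that heuristic over constructed text in the shape of Windows `netstat -ano` output plus a PID-to-image-name table (as `tasklist` would provide). The IP addresses, ports and PIDs are made up for this example, and the allowed-port and process-name sets are assumptions a defender would tune to their own environment.

```python
import re

# Constructed sample in the shape of `netstat -ano` output on Windows. All values made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.56.101:49688   93.184.216.34:443      ESTABLISHED     3120
  TCP    192.168.56.101:49703   192.168.56.1:4444      ESTABLISHED     3120
  TCP    192.168.56.101:49710   192.168.56.1:4444      ESTABLISHED     4412
  UDP    0.0.0.0:5353           *:*                                    1208
"""

# Constructed PID -> image name table, as `tasklist` would give for the same snapshot.
SAMPLE_PROCESSES = {904: "svchost.exe", 3120: "firefox.exe", 4412: "cmd.exe", 1208: "svchost.exe"}

# Assumed policy for this example: browsers may only talk to web ports, and command
# interpreters should never hold an outbound TCP connection of their own.
BROWSER_IMAGES = {"firefox.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
ALLOWED_BROWSER_PORTS = {80, 443}

# Proto, local, foreign, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano style lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def remote_port(addr):
    """Port of 'host:port' (also '[v6addr]:port'); None for wildcard endpoints like '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def find_reverse_shell_indicators(rows, processes):
    """Return (pid, image, foreign endpoint, reason) for connections matching the heuristics."""
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        image = processes.get(r["pid"], "?").lower()
        port = remote_port(r["foreign"])
        if image in BROWSER_IMAGES and port not in ALLOWED_BROWSER_PORTS:
            hits.append((r["pid"], image, r["foreign"], "browser connected to a non-web port"))
        elif image in SHELL_IMAGES:
            hits.append((r["pid"], image, r["foreign"], "command interpreter holding its own TCP connection"))
    return hits


if __name__ == "__main__":
    for hit in find_reverse_shell_indicators(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print("pid=%d %s -> %s: %s" % hit)
```

On the sample snapshot the browser’s connection to port 443 passes, while its connection to port 4444 and the cmd.exe connection are both reported. This is a heuristic, not a signature: a legitimate internal tool on a non-standard port would need to be added to the allowlist, which is exactly the per-application decision an application control firewall makes centrally instead of per host.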
Assigning user privileges on a need-to-know basis is also important for keeping your organization’s information safe. In order to navigate other users’ accounts on the victim’s system, the originally infected user must have the same or higher privileges than those accounts. For example, in this lab the targeted account ‘student’ had administrator privileges. If ‘student’ were a standard user account, access to administrator-level accounts would be denied even after the .xpi add-on had been executed.