ush.it - a beautiful place

Install Firefox XPI without whitelist

June 4, 2007 at 4:50 pm - Filed under Insecurity, Language EN - 824 words, reading time ~2 minutes

Today I was reading Firefox XPI Install Prevention Bypass (http://www.0x000000.com/?i=329) and, while it is not what it promises to be (there is no install prevention bypass in it), it contained useful information that helped me work out two distinct thoughts.

The author published the header needed to tell Firefox that the downloaded package is an XPI, both as an .htaccess directive (AddType application/x-xpinstall .xpi) and through the PHP header() function, and then posted the URL of the XPI in plain text instead of as a link. Readers pointed out to him that this is the default Firefox behavior, so there is no "bypass" in the strict sense.

@TheWidget: As far as I am aware, Firefox always allows you to install XPIs if you type the URL directly into the Location bar. It only blocks clicked links (and I would guess any javascript attempts). Change your URL text to an HTML link and see what happens.

@ma1: Adding the xpinstall content type is nothing new, every site serving Firefox extensions does it (see http://noscript.net/getit#direct ), and has nothing to do with the xpinstall whitelist: you need to do it even if your site is whitelisted, unless you use the JavaScript InstallTrigger.

The security warning is shown when the user follows a link, a script uses the InstallTrigger or, even worse, an XPI is automatically navigated via IFrame.
Otherwise, if the user explicitly types the XPI's URL or even drags a link on the location bar, the whitelist is bypassed by design.

Notice that the whitelist is taken so seriously for links, scripts and autonavigation that a special "internal referrer" is checked instead of the XPI's URL or the regular referrer, in order to track back the original initiating page, see http://lxr.mozilla.org/seamonkey/source/docshell/base/nsDocShell.cpp#6906

What I learned from the comments is that Firefox allows an XPI URL to be manually copied or typed into the urlbar, or dragged onto it, with no whitelist limitation. As ma1 says, the whitelist check is applied when the XPI is loaded through the src attribute of a tag, when it is reached from a link, and when the InstallTrigger.install helper is called from JavaScript. I verified these claims by building a Mozilla Firefox XPI Install Testbed, and my tests confirmed all of the above.

The first thought is that, while it is not possible to install an XPI automatically, it can be accomplished with very little user interaction, because the whitelist check is not triggered when the user: (a) manually types the URL in the urlbar, (b) copies the URL and pastes it in the urlbar, (c) drags a link to the urlbar, (d) right-clicks an image and selects the "View Image" entry from the context menu, (e) drags an image to the urlbar.

[FUN] I'm sure that with some basic CSS and XHTML almost everybody is able to build a page that explains to the user how to install the media player required to view the promised porn video. User, it's simple! Just drag and drop the fancy 140x140, 64-bit color depth icon to the urlbar. And look, there's also the SSL lock, this is a really safe web site![/FUN]

There is a good reference about InstallTrigger on XULplanet (http://www.xulplanet.com/references/elemref/ref_InstallTrigger.html); the suggested code, completed with the declarations it needs to run, is the following.

var xpi = {};                       // display name -> XPI URL, relative to the calling page
xpi["Calculator"] = "calc.xpi";
xpi["PictureViewer"] = "pict.xpi";
function myCallbackFunction(url, status) { alert(url + ": " + status); } // status 0 means success
InstallTrigger.install(xpi, myCallbackFunction);

All the techniques used are included in the Mozilla Firefox XPI Install Testbed; naturally, if you want to suggest some tests I'll be glad to add them, just mail reedalert@ush.it.

The second thought is about the whitelist itself: the Testbed tries to install an XPI hosted on a different domain, but the user is prompted to allow the "www_ush_it" domain, the one hosting the page. This means that the URL of the calling page is checked against the whitelist, not the domain where the XPI itself is hosted!

This means that if somebody is able to inject the proper XHTML/JavaScript code into one of the domains enabled by default (addons.mozilla.org, updates.mozilla.org), for example through an XSS flaw, then he will also be able to pass the implemented checks and install an XPI hosted on an arbitrary server. The confirmation window is still always displayed: the whole story is about the whitelist, not about a completely silent way to install malware on Firefox.
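As an added example (this is not the author's Testbed, which is not reproduced on this page), the following page wires up the paths discussed in the two thoughts above: the ones that trigger the whitelist prompt (link, InstallTrigger, IFrame) and the ones that do not (copy/paste, dragging a link or an image, "View Image"), with the XPI hosted on a different domain than the page so the prompt names the calling page rather than the XPI host. The hosts page.example and xpi.example and the file name test.xpi are placeholders; the .xpi is assumed to be served with the application/x-xpinstall content type described earlier. InstallTrigger has since been removed from Firefox, so this reproduces the 2007-era behavior, not that of a current browser.

```html
<!DOCTYPE html>
<!-- XPI whitelist testbed: added example, not the author's Testbed.
     Host this page on https://page.example/ and the XPI on https://xpi.example/
     (placeholder hosts). Serve test.xpi with "Content-Type: application/x-xpinstall",
     otherwise Firefox treats it as a plain download. -->
<html>
<head>
<meta charset="utf-8">
<title>XPI install testbed</title>
<script>
  // Cross-origin XPI: what gets checked against the whitelist is THIS page's host
  // (page.example), never xpi.example, which is the point of the second thought.
  var XPI_URL = "https://xpi.example/test.xpi";

  // Path that triggers the whitelist check: InstallTrigger from script.
  function viaInstallTrigger() {
    if (typeof InstallTrigger === "undefined") {   // object removed in current Firefox
      alert("InstallTrigger is not available in this browser");
      return;
    }
    var xpi = {};
    xpi["Test extension"] = XPI_URL;
    InstallTrigger.install(xpi, function (url, status) {
      alert(url + " -> status " + status);          // status 0 means success
    });
  }

  // Path that triggers the whitelist check: automatic navigation through an IFrame.
  function viaIframe() {
    var f = document.createElement("iframe");
    f.src = XPI_URL;
    document.body.appendChild(f);
  }
</script>
</head>
<body>
<h1>XPI install testbed</h1>

<!-- Paths that DO trigger the whitelist prompt -->
<p><a href="https://xpi.example/test.xpi">(a) plain link to the XPI</a></p>
<p><button onclick="viaInstallTrigger()">(b) InstallTrigger.install()</button></p>
<p><button onclick="viaIframe()">(c) IFrame with src = XPI</button></p>

<!-- Paths that do NOT trigger it: the user ends up "typing" the URL -->
<p>(d) Select and copy this, then paste it in the location bar:
   <code>https://xpi.example/test.xpi</code></p>
<p>(e) Drag this link onto the location bar:
   <a href="https://xpi.example/test.xpi">drag me</a></p>
<p>(f) Drag this image onto the location bar, or right-click it and choose "View Image".
   The XPI is not a valid image, so a real lure would dress it up with CSS (the
   "fancy 140x140 icon" of the joke above); here it is left as a broken image:
   <img src="https://xpi.example/test.xpi" width="140" height="140" alt="installer icon"></p>
</body>
</html>
```

Load the page from page.example, exercise (a) to (c), and note that the whitelist prompt asks to allow page.example; then exercise (d) to (f) and note that no prompt appears before the install confirmation dialog, which is shown in every case.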

This is the how-to, I hope you are happy now! :)

Regards,
Francesco `ascii` Ongaro

THP USH Wisec DigitalBullets