1 Attack on Browser Plugins Table of Contents Introduction .................................................................................................................................................. 3 What are Browser Plugins? ........................................................................................................................... 4 Understanding Plugin Anatomy ................................................................................................................ 5 What you can do with a plugin ................................................................................................................. 6 Commonly used plugins ............................................................................................................................ 6 What a plugins cannot do ............................................................................................................................. 7 Some plugins that are frequently exploited ............................................................................................. 7 What are browser extensions? ................................................................................................................. 9 The Difference Between Plugins and Extensions ...................................................................................... 9 How to Call Plugins ..................................................................................................................................... 10 What is Click to Play Plugin ......................................................................................................................... 10 In Mozilla Firefox (version 38.0.5) .......................................................................................................... 10 In Google Chrome ................................................................................................................................... 11 In Internet Explorer ................................................................................................................................. 12 In Safari browser ..................................................................................................................................... 14 How Plugins are blocked ......................................................................................................................... 17 Plugins Enumeration ................................................................................................................................... 17 Detecting Plugins .................................................................................................................................... 17 In Mozilla and Chrome ........................................................................................................................ 17 In Internet Explorer ............................................................................................................................. 20 Automatic Plugin Detection .................................................................................................................... 21 Detecting Plugins Using BeEF Tool .............................................................................................................. 23 What is BeEF?...................................................................................................................................... 23 Plugin Detection .................................................................................................................................. 23 Attacking Plugins ......................................................................................................................................... 25 Bypassing Click to Play Feature ............................................................................................................... 25 In Firefox ................................................................................................................................................. 25 Java Example ........................................................................................................................................... 29 2 Attacking Java ......................................................................................................................................... 32 Understanding Java Applets ................................................................................................................... 32 Detecting Java ......................................................................................................................................... 32 Bypassing the Sandbox ........................................................................................................................... 32 Exploiting Java using Metasploit ............................................................................................................. 33 Attack on Flash ........................................................................................................................................ 39 Shared Objects ........................................................................................................................................ 39 Action Script ............................................................................................................................................ 40 Flash with Webcam and Microphone ..................................................................................................... 40 Fuzzing Flash ........................................................................................................................................... 41 ActiveX Controls ...................................................................................................................................... 42 Exploiting ActiveX Controls ..................................................................................................................... 42 Attacking PDF Readers ............................................................................................................................ 43 Understand JavaScript in PDFs ................................................................................................................ 44 Universal XSS in PDF ;) ............................................................................................................................ 44 Launching another Browser .................................................................................................................... 44 Attacking on Media Plugins .................................................................................................................... 45 Exploiting Media Players Plugin with Metasploit ................................................................................... 46 Some Useful links .................................................................................................................................... 48 Reference ................................................................................................................................................ 48 Introduction By reading this mini course you will able to understand what browser plugins are and how they work, what is the difference between a plugin and an extension, you will able to fingerprint what plugins are installed in a browser. We will also have a look on BeEF (Browser Exploitation Framework Project) to determine what plugins are loaded/installed, and identify those that might be vulnerable. We will look at how the Click to Play security feature implemented in Java, Firefox, and Chrome are vulnerable. In addition, how the Click to Play security feature bypasses on Java and Firefox. We will explore Java exploitation, Flash exploitation, Universal XSS in acrobat PDF, Media plugin exploitation using Metasploit, etc. We have taken popular plugins during an endpoint security assessment in this mini course. 3 What are Browser Plugins? In computing, a plug-in (or add-in / addin, plugin, extension or add-on / addon) is a software component that adds a specific feature to an existing software application. When an application supports plug-ins, it enables customization. The common examples are the plug-ins used in web browsers to add new features such as search- engines, virus scanners, or the ability to utilize a new file type such as a new video format. Well-known browser plug-ins includes the Adobe Flash Player, the QuickTime Player, and the Java plug-in, which can launch a user-activated Java applet on a web page to its execution on a local Java virtual machine. Screenshot Fig 1: Mozilla Firefox displaying a list of installed plug-ins As shown in the figure two below, the host application provides services which the plug-in can use, including a way for plug-ins to register themselves with the host application and a protocol for the exchange of data with plug-ins. Plug-ins depend on the services provided by the host application and do not usually work by themselves. Conversely, the host application operates independently of the plug-ins, making it possible for end-users to add and update plug-ins dynamically without needing to make changes to the host application 4 Screenshot Fig 2: Host application working with plug-ins Now you can understand what plugins are. Let’s talk about web browsers such as IE, Mozilla Firefox, Opera, and Chrome etc. A browser’s primary role is rendering web