Browser Exploitation Expanded – NoScript, Sandboxie

So I got a message asking me to expand on my previous post on browser exploitation. The user wanted to know how security software such as NoScript and Sandboxie would deal with a browser exploit. I'll go through each one on its own and explain what an attacker would be dealing with in each case.

The scenario is that you're running Firefox with NoScript and Firefox with Sandboxie (separately, for simplicity) and you've visited a malicious website where the attacker controls the entire page of content. The attacker's goal is to exploit the browser and monetize the system.

NoScript

NoScript works in a few ways. For the purposes of this post I’ll be focusing on the scripting whitelist aspect of it, as things like HSTS/XSS won’t make a difference in our scenario.

As an attacker I'm incredibly limited by NoScript. Most exploits are going to be in the JavaScript engine or in some plugin. With NoScript I have none of that attack surface. Instead I have to resort to exploiting some other component, like a font renderer, or find a flaw in NoScript that allows a bypass.

This limitation is significant. I can’t even start my attack unless it’s a very specific (and less common) type. So NoScript is incredibly effective here.

If, however, I trick the user into whitelisting the site (or I have hacked an already whitelisted site) my options are much better. Now I can run Javascript, and now my exploit should work just about perfectly, as long as it doesn’t rely on XSS/CSRF.

On a whitelisted site the user is partially protected, specifically against XSS/CSRF attacks, but if I control the entire site and it is whitelisted I have enough power to exploit the browser as if it weren’t there.

Sandboxie

Sandboxie is a program designed to create a copy-on-write sandbox for programs. It emulates system services and attempts to isolate the browser as best it can. As an attacker, I don't run into Sandboxie until I've actually taken over the browser.

So, I get you to click a website, I break into your browser (see my other post on browser exploitation), and now I'm in a somewhat confined environment. Anything on the system is readable by default, giving me a massive amount of valuable information about the system: what programs are installed, security policies, personal documents, passwords, databases, etc. Post-exploitation becomes much easier when read access is granted so gratuitously.

As an attacker I can probably already make serious money off of this user. I have their browser info, potentially passwords or hashes, I can get personal documents, I can keylog, I can read work documents, etc. But what if I want persistence? What if I want this machine to be part of my new botnet? I have to get out of the sandbox.

How do I go about doing this? Well, thanks to the read access I've been given I have a ton of info on the system, which makes local exploitation much easier. I can exploit the kernel from inside the sandbox (reducing the kernel attack surface on Windows is ridiculously difficult, read: not a practical approach) and break right out. Once I'm at kernel level I simply unhook Sandboxie and I own the computer; I can do whatever I want.

Depending on the sandbox configuration things can be much, much easier or potentially more difficult (in my experience I see more weak policies than strong ones).

Conclusion

And there you have it. Two security programs that a few people have been asking me to discuss for some time. I’m avoiding talking about the programs themselves and their own attack surface, but if you read my posts you’ll be able to extrapolate.

I would say that NoScript adds a very significant layer of security, and should be in every Firefox user's browser. Sandboxie is a good choice if you're willing to set up strong policies and start denying read access – a default install is OK though.

Why You Should Use NoScript

It’s commonly said that the browser and its plugins are the number one attack point for the average user. So locking down the browser is obviously key to maintaining a secure system. I’ve written a guide for Firefox as well as Chrome, but I want to take a post to really focus on the NoScript extension for Firefox.

NoScript is an open source project that aims to secure the browser. It prevents code from executing in the browser, such as Java, Flash, JavaScript, Silverlight, or any other plugin, and it provides a few other features as well. It's probably the single best way to secure Firefox.

NoScript has three main modes:

1) Globally deny all scripts

Scripts on any webpage are blocked until whitelisted.

2) Allow Top Level Domain

Scripts from the top level domain (i.e. the website you're on, not third-party content) are allowed to run; all others are blocked.

3) Allow all scripts globally

In terms of security, it pretty much goes 1 > 2 > 3.

By blocking all scripts you prevent any attack that needs to make use of JavaScript, Java, Flash, or another plugin. That covers the vast majority of attacks we see against users.

NoScript’s default setting, deny all scripts, may be a bit overbearing for some. But even if you can’t handle having the default setting I still suggest installing NoScript and leaving it on 2 or 3, which are more manageable but still provide security features.

Even if you allow all scripts globally NoScript will do the following:

XSS Filter

NoScript includes its own XSS filter, and it's pretty great. XSS (Cross Site Scripting) is considered one of the most dangerous threats to security, and NoScript provides a very strict filter, stricter than the ones browsers include. Even if you whitelist globally you benefit from the XSS filter.

HSTS

NoScript can also force HTTPS redirection for specific websites, preventing MITM attacks on those sites. NoScript also supports HTTP Strict Transport Security (HSTS), which means that a website can tell it to always enforce HTTPS and it will. This feature is also present even with all scripts allowed.

ClearClick

NoScript provides clickjacking protection via ClearClick. Clickjacking is a type of attack that takes advantage of invisible content: you think you're clicking one thing but you're actually clicking another. ClearClick reveals the hidden elements on a page any time you interact with it, and blocks that interaction. This defeats clickjacking independently of JavaScript/iframe blocking.
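ClearClick is the client-side half of the picture. To make the threat model concrete, here is an added example in JavaScript (written for this page, not NoScript's code) of the server-side half it complements: given a page's response headers, it decides whether a would-be embedding origin may put the page in a frame under X-Frame-Options and the CSP frame-ancestors directive. The header samples and the hosts bank.example, app.bank.example and evil.example are constructed for the example.

```javascript
// Added example: evaluates whether a response may be framed by a given
// embedding origin, using the two server-side anti-clickjacking controls,
// X-Frame-Options and the CSP frame-ancestors directive. Not NoScript code.

// Parse "Name: value" header lines into a lowercase-keyed object.
function parseHeaders(rawLines) {
  const headers = {};
  for (const line of rawLines) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return headers;
}

// Does an origin ("https://host[:port]") match one frame-ancestors source?
// Handles 'self', 'none', '*', scheme-only sources and host sources with an
// optional "*." wildcard label and an optional port.
function originMatchesSource(origin, source, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return origin === pageOrigin;
  if (src === "*") return true;
  const o = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return o.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && o.protocol !== scheme + ":") return false;
  if (wildcard ? !o.hostname.endsWith("." + host) : o.hostname !== host) return false;
  const originPort = o.port || (o.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && originPort !== port) return false;
  return true;
}

// Returns true if embedderOrigin may frame the page served from pageOrigin
// with rawHeaders. frame-ancestors takes precedence over X-Frame-Options,
// and no policy at all means any site may frame the page.
function framingAllowed(rawHeaders, pageOrigin, embedderOrigin) {
  const h = parseHeaders(rawHeaders);
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(d => d.trim())
      .find(d => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.length === 0) return false;
      return sources.some(s => originMatchesSource(embedderOrigin, s, pageOrigin));
    }
  }
  const xfo = h["x-frame-options"];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return false;
    if (v === "SAMEORIGIN") return embedderOrigin === pageOrigin;
    // ALLOW-FROM is obsolete; browsers ignore it and other unknown values,
    // which leaves the page frameable.
  }
  return true;
}

// Constructed sample responses for a hypothetical bank.example site.
const BANK_HEADERS = [
  "Content-Type: text/html",
  "X-Frame-Options: SAMEORIGIN",
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://*.bank.example",
];
const LEGACY_HEADERS = ["Content-Type: text/html", "X-Frame-Options: DENY"];
const NO_POLICY_HEADERS = ["Content-Type: text/html"];

// Usage: which origins may frame the bank's page?
const PAGE = "https://bank.example";
for (const embedder of ["https://bank.example", "https://app.bank.example", "https://evil.example"]) {
  console.log(embedder, "->", framingAllowed(BANK_HEADERS, PAGE, embedder) ? "may frame" : "blocked");
}
```

A page that sends neither header, like the third sample, can be framed by anyone, which is exactly the situation ClearClick exists to catch in the browser; the fix on the server side is to send frame-ancestors 'none' (or 'self') so the browser refuses the frame before any click happens.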

ABE

ABE, or Application Boundaries Enforcer, acts as a broker to determine whether separate web applications should be given specific rights – it provides isolation at the web application level.


So it's clear that even with NoScript set to Globally Allow you're much better off than with vanilla Firefox. I highly recommend that if you're a Firefox user you make use of NoScript at its default setting, but just having it installed for any of the above features is a good idea. It's a great tool for preventing tracking and ensuring privacy on the web (there's a reason why Tor uses NoScript!) as well as preventing exploitation.

Banking Online? Firefox With NoScript Is Your Best Bet

If you're asking the question "How do I securely do my banking online?" you're one of many. Banking is something we used to do up front and in person (or so I'm told, before my time), but now that the web allows access to our accounts from any location we have to ask how to do something so sensitive in a secure manner. This article will be a short guide to secure online banking.

Normally I say that Chrome is a secure browser for the average user, but it's a different kind of secure. Its sandbox aims at things more relevant to system infection than to web-based attacks. In terms of web security, preventing CSRF, XSS, and the like – the types of attacks most directly related to online banking – I think Firefox with NoScript takes the cake. NoScript is the only program that's proven to prevent XSS in the most situations, it's the only program with clickjacking prevention that's worth anything, it protects against SVG keylogging, and so much more, and for banking you want to isolate and restrict the website you're interacting with as much as possible.

There are a few other things you’ll want to do before setting up Firefox if you’re planning on banking online:

1) Make sure you are on a secure network. A secure network is one using WPA2 encryption with a strong 12-character (or longer) password that only you know (assuming wireless).

2) Make sure your system is completely up to date. Keeping intruders out starts with patching. The browser, operating system, and your plugins are key here.

3) If you're using Ubuntu, enable the AppArmor profile for Firefox (sudo aa-enforce /etc/apparmor.d/*firefox*) – other distros may use another LSM.

4) Windows users should follow my quick guide to securing Windows.

After that it’s a matter of installing two key extensions:

1) NoScript. In its default configuration it’s secure. [NoScript.com]

2) HTTPS-Everywhere. [HTTPS-Everywhere]

Only whitelist websites that you know you can trust or (for a higher level of security) keep a separate Firefox profile just for banking with its own whitelist of just banking websites.

Never do your online banking while also using another website in another tab/window, and if you use an antivirus, update it and run a scan before you use the bank website.

If you follow these instructions you're making an attacker's job much more difficult.

Just Set Up A Computer For Someone Who’s Never Had One

I’ve just finished setting up a computer for someone who’s only ever had a work computer, which isn’t connected to the internet. They share a laptop with someone but rarely use it.

Today I helped them pick out a system, Dell, and I got them started. One really interesting thing I saw was that Dell packaged the Java plugin… an out of date Java plugin. So right off the start my friend was running Java 7.1 (wtf?), which is something like 3 patches behind.

So, naturally, I updated it and installed EMET, which I set Java to use (and changed default Windows 7 settings for DEP Always On). The system also came with Webroot security. I actually think Webroot’s pretty good but I don’t have enough personal use with it to trust it and I’m pretty sure it isn’t free, which means it’ll bug my friend in a few months and he’ll be at risk.

So I removed Webroot and put in Microsoft Security Essentials. Why? For the low false positives and direct Microsoft support.

I also put Google Chrome on the system. I cannot explain to someone that they need to use NoScript when they've never used a personal computer – they will hate me. Chrome is the only way I can keep him secure without ever getting in his way. The Chrome sandbox is "silent" and that's really important as this guy is likely very vulnerable to social engineering, having never been exposed to it in the past.

I think he'll be fine. In 5 minutes I've set his system up in such a way as to be very difficult to exploit through the most common ways (browser, plugins), and Microsoft Security Essentials is good enough and quiet enough that he should be able to trust it.

The Last Day Of Firefox

Well, as I’d promised I used Firefox and only Firefox for a week. This is the last day of use and I do have to say I’ll be going back to Chrome.

I liked Firefox but there’s nothing that really stands out. The best thing is that I can’t close pinned tabs. That’s really the best part of it right now.

But the startup is slow because of the pinned tabs, and Firefox as a whole is definitely slower than Chrome in terms of UI responsiveness and page loads. WordPress is a really good example of this; it's nearly instant on Chrome but Firefox hiccups.

I like NoScript too but there’s no way I would run with Scripts Globally Blocked — huge pain in the ass. Without that there are still protections but not nearly as many. While the Globally Blocked would provide significant security the Globally Allowed does much less – the part that stands out is ClearClick, which is meant to protect against clickjacking.

While I’ll miss NoScript I don’t think that Globally Allowed protects me enough to make it worth it.

NoScript v Sandbox

Where Firefox has NoScript, Chrome has a sandbox. The two aim to do very different things.

NoScript protects against attacks like XSS and clickjacking, and it'll block websites from loading JavaScript, plugins and WebGL, all of which can be used to exploit the machine.

Chrome's sandbox is meant to protect against attacks that would use RCE to compromise a system. By locking the browser into a strict environment, malicious code is not able to interact dangerously with the system.

The difference is that NoScript really protects the browser session itself and Chrome protects the system. So for something like getting online to bank it might be better to go with Firefox with NoScript and HTTPS-Everywhere but if you’re worried about visiting an exploit page that’ll try a drive-by you’ll likely want Chrome.

Thankfully on Linux you can use AppArmor or SELinux or another LSM to restrict Firefox but the Chrome sandbox goes beyond LSM.

So for my personal use I find Chrome to be the more secure option. For specific tasks like online banking I might consider Firefox.

All in all it's a matter of multiple factors: performance, security, and stability. I actually had no crashes or glitches with Firefox or Flash in Firefox, which surprised me. I rarely have issues with Chrome either, but I do on occasion. In terms of performance though there's no question, and for me personally Chrome is providing the security I want.

So it’s back to Chrome for me.

I’ll see if I can get my friend from Moz to write something, I’m sure he’s dying to get Chrome off of his system.

The Definitive Guide For Securing Firefox

This is part 1 in a series where I'll be detailing various settings for specific programs and operating systems. I'll be writing a guide for Chrome, Firefox, Windows Vista/7/8, and Ubuntu 12.04 (maybe other things I can think of). The guide will cover everything I can think of, including system compromise, in-program compromise, and privacy concerns. I won't cover all subjects today, probably just Firefox and Chrome.

Firefox

Firefox is the free and open source browser developed by Mozilla. It focuses on user-oriented features like a customizable UI and ensuring user satisfaction through an interactive developer community.

By default without any plugins Firefox is fairly secure in that it makes use of modern mitigation techniques and is quick to patch. This guide will go over some Firefox extensions that you can install as well as settings that you can change to improve security and privacy.

Privacy Settings

First up we’ll change our privacy settings to include the Do Not Track header, which I recently posted about. We’ll also be disabling third party cookies as these are typically only ever used for tracking users (though they can have legitimate uses, like logging into websites via third party logins).

Firefox -> Edit -> Preferences -> Privacy

It should look like this after you’ve changed the settings:

Image

Security Settings

From the privacy tab you can click the next tab – Security.

Here we can set a master password. This password encrypts your saved passwords so that if anyone gains unauthorized access to your system they will not be able to get at your information.

See this guide for creating a strong password.

Content Settings

Firefox lets you allow or deny Javascript throughout the browser in the content settings page. Disabling Javascript will break many sites but it will improve security – I recommend NoScript instead.

NoScript

NoScript is an extension developed by Giorgio Maone. NoScript is a default-deny system that blocks a webpage's ability to run scripts or plugins. It also makes use of a strict XSS filter and clickjacking prevention.

By default NoScript blocks the following:

Image

This renders most attempts at exploiting the browser unsuccessful and will protect even whitelisted pages fairly well.

The problem with NoScript is that it requires a ton of user interaction. You have to whitelist every site you want to visit. It's a pain. But if you're after a high level of security, that's what I recommend. If you globally disallow (the default) you'll benefit even when you whitelist a website.

Even if you hate the interaction I highly recommend you install NoScript and turn on the “Allow Scripts Globally” feature because it will still provide further improved security.

With NoScript ‘Allow Scripts Globally’ you miss out on the full extent of its protection but even then you’ll benefit from a few really great protections such as:

The XSS Filter – NoScript's XSS filter is kinda the one all other XSS filters get compared to.

ClearClick – Clickjacking is a method attackers use to trick a user into clicking a hidden or invisible 'button', which can lead to an exploit page or even a bank transaction. ClearClick is the only protection for this currently implemented.

CSRF Protection – CSRF is harder to explain. It attacks from the user's end of the system, so it can do things like get into your email account and bypass protections because everything originates from 'you.'

MITM Protection – Man-in-the-middle attacks happen when, simply, the attacker is between you and the server. SSL is the typical solution, but an attacker can spoof certs and hijack even SSL communications, or just attack mixed-content transmissions. NoScript implements multiple protections here.

So, there you have it. Even with Scripts Globally Allowed NoScript is going to make your Firefox much more secure.

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don't default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.
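As an added example covering both this section and the HSTS section earlier in the post (my own code, not HTTPS-Everywhere's or NoScript's), the JavaScript below models the two ways a browser ends up on the HTTPS version of a site: a store of HSTS policies learned from Strict-Transport-Security headers, honoured only when the header arrived over HTTPS and expired by max-age, and a small HTTPS-Everywhere-style ruleset of hosts known to offer HTTPS. The hosts bank.example and blog.example, the ruleset and the header values are constructed for the example.

```javascript
// Added example (not NoScript or HTTPS-Everywhere code): an HSTS policy store
// fed by Strict-Transport-Security headers plus a tiny HTTPS-Everywhere-style
// ruleset, used together to decide whether an http:// URL must be upgraded.

// Parse a Strict-Transport-Security header value (RFC 6797). Returns null when
// the mandatory max-age directive is missing or malformed.
function parseStsHeader(value, now) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(";")) {
    const eq = part.indexOf("=");
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? "" : part.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      if (!/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains, expires: now + maxAge * 1000 };
}

// In-memory list of "known HSTS hosts", keyed by hostname.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Learn a policy from a response. A header seen over plain HTTP is ignored,
  // since a man in the middle could otherwise plant or clear policies.
  observe(url, stsValue, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    const policy = parseStsHeader(stsValue, now);
    if (!policy) return false;
    if (policy.maxAge === 0) this.entries.delete(u.hostname); // max-age=0 forgets the host
    else this.entries.set(u.hostname, policy);
    return true;
  }

  // True if hostname, or a parent domain whose policy has includeSubDomains,
  // has an unexpired policy. Expired entries are dropped as they are found.
  isKnownHost(hostname, now = Date.now()) {
    const labels = hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const domain = labels.slice(i).join(".");
      const p = this.entries.get(domain);
      if (!p) continue;
      if (p.expires <= now) { this.entries.delete(domain); continue; }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }
}

// Constructed HTTPS-Everywhere-style ruleset: hosts known to serve HTTPS
// even though they do not send HSTS themselves.
const RULESET = [{ name: "blog.example", hostPattern: /^(www\.)?blog\.example$/ }];

// Rewrite an http:// URL to https:// when HSTS or the ruleset requires it;
// anything that is already https:// is returned untouched.
function upgradeUrl(url, store, ruleset = RULESET, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol !== "http:") return url;
  const byHsts = store.isKnownHost(u.hostname, now);
  const byRule = ruleset.some(r => r.hostPattern.test(u.hostname));
  if (!byHsts && !byRule) return url;
  u.protocol = "https:";
  return u.toString();
}

// Usage: learn a policy from a constructed HTTPS response, then upgrade.
const demoStore = new HstsStore();
demoStore.observe("https://bank.example/", "max-age=31536000; includeSubDomains");
console.log(upgradeUrl("http://app.bank.example/login", demoStore));    // https://app.bank.example/login
console.log(upgradeUrl("http://www.blog.example/wp-admin/", demoStore)); // https://www.blog.example/wp-admin/
console.log(upgradeUrl("http://other.example/page", demoStore));        // http://other.example/page
```

Two details matter for the MITM case the post describes: a policy received over plain HTTP is never trusted, because the attacker in the middle is exactly who could inject one, and the ruleset covers hosts that offer HTTPS but have not (yet) told the browser to insist on it, which is the gap HTTPS-Everywhere fills.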

Convergence

Convergence is an extension that aims to solve many of the issues we see today with SSL and MITM attacks.

Check out this explanation on it here.

It hasn’t been updated in ages, and I’m not even sure if it’s supported anymore, so take this tip with a grain of salt – results may vary.

AppArmor (Linux Only)

I’ve written a guide for AppArmor already but I’d like to highlight that Ubuntu comes with a Firefox profile by default. It probably needs a bit of tweaking but if you follow the guide it’s easy to set up.

To set your AppArmor profile to enforce mode simply enter:

# aa-enforce /etc/apparmor.d/usr.bin.firefox

Afterwards your Firefox will be held in a tight sandbox, which will contain exploits and limit the damage they can do.

Use PDF.JS

Adobe Reader is one of the most commonly exploited applications and although it has improved you may want to check out PDF.JS.

You can use this simple extension to install it, and Firefox will handle PDFs through JavaScript.

You can read more about PDF.js here.

PDF.js is arguably less secure than Adobe Reader as Reader runs within a sandbox. The goal of PDF.js is to reduce attack surface by having PDFs rendered by the JavaScript engine already present in Firefox.

Remember

Always make sure to keep Firefox and all of its plugins up to date. This is critical on Windows where out of date plugins consistently lead to compromise.

And Please…

Firefox is not my default browser and hasn’t been for over a year now. If you know of any other methods for securing it please leave me a comment and I’ll try to fit it in. Thanks.