Monday, March 31, 2008

When FireFox 2.0 Meets with JavaScript

Just came across a Firefox extension called FFsniFF. This is NOT a password sniffer which can sniff passwords. See the reference links below for more information.

The question here is not whether it is a password sniffer or not; it is how to get rid of it once it is installed, since it hides itself from the FF Extension Manager. Chicken-and-egg problem.

In the end I had no choice but to do it manually. Here's how to remove/disable it by hand:
  1. Close your FF browser and locate your FF user profile folder, e.g. %APPDATA%\Mozilla\Firefox\Mozilla\Profiles\[User Profile]\[random string].default\
  2. Go into the subfolder "extensions\{66cdf40a-d0f2-46d0-abf4-eccba8205aef}\chrome". You should see a file called "ffsniff.jar".
  3. Find an unpacker (e.g. 7-Zip) and unpack "ffsniff.jar".
  4. Once unpacked, go into the "content\ffsniff\" folder and look for a file called "ffsniffOverlay.js".
  5. Edit the file with Notepad. Go to the bottom (line 119) and comment out the line "hide_me();" by putting two slashes "//" (without the quotes) in front of it.
  6. Save and close the file and pack everything back into "ffsniff.jar".
  7. Start your FF browser now and go to the Extension Manager; you should now see an extension called "FFsniFF 0.2".
  8. Now you can disable it.
Reference links:
  • Disable FFsniFF Manually - J.Track: http://jtrack.blogspot.com/2008/03/disable-ffsniff-manually.html
  • FFsniFF Homepage: http://azurit.gigahosting.cz/ffsniff/ and http://azurit.elbiahosting.sk/ffsniff/
  • Vulnerability Summary CVE-2006-6585: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6585
  • SecurityFocus: http://www.securityfocus.com/archive/1/archive/1/454058/100/0/threaded

Tuesday, March 11, 2008

Image File Execution Options

This is an old and interesting trick. See the references below.

"Image File Execution Options" is a registry key used to attach a debugger to an executable. To set it up:
  1. Start regedit.exe
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  3. Create a key named after your executable file, e.g. test.exe
  4. Create a new string value called "Debugger" under the key you created and put the full path to your debugger as its value.
From now on, every time you execute "test.exe", the system will start the debugger with "test.exe" as its first parameter instead.

Starting to smell something? Can we replace a well-known executable with something malicious? For example, create a key for an antivirus executable and have it "debugged" by a piece of malware.

Yes, you can. In fact it is a very common trick used by some malware to disable well-known antivirus applications. The main reason this trick works is that Windows never verifies that the configured debugger is truly a debugger.

Mark Russinovich and Bryce Cogswell use this technique to implement the "Replace Task Manager" feature of their Process Explorer utility. Get Process Explorer, enable the option in the "Options" menu, and check HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe: the Debugger value points to procexp.exe.

What if I have two executable files pointing at each other as debugger, like calc.exe and notepad.exe? What happens then? Try it yourself with this sample registry script:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="c:\windows\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="c:\windows\system32\calc.exe"
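Since nothing in Windows checks what a Debugger value points to, the defensive counterpart is to audit the key yourself. The PowerShell script below is an added example, not part of the original post or of any of the referenced tools: it enumerates every Debugger value under the IFEO key, reports entries whose program is missing or not on a small allow list (the Process Explorer taskmgr.exe replacement is the only assumed legitimate entry), and flags pairs that redirect to each other, like the calc.exe/notepad.exe script above.

```powershell
# Added example, not from the original post: audit IFEO "Debugger" values and
# flag the situations the post describes. Assumes an allow list you maintain.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: the only image -> debugger redirect considered legitimate here is
# Process Explorer's "Replace Task Manager". Extend this for your environment.
$allowList = @{ 'taskmgr.exe' = 'procexp.exe' }

# The Debugger value may be quoted and may carry arguments; return just the program path.
function Get-DebuggerExe([string]$value) {
    $v = $value.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
    }
    return ($v -split '\s+')[0]
}

# Collect one record per image subkey that carries a Debugger value.
$entries = @{}
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $image = $key.PSChildName.ToLowerInvariant()
    $raw = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }
    $exe = Get-DebuggerExe $raw
    $entries[$image] = [PSCustomObject]@{
        Image    = $image
        Debugger = $exe
        Name     = ([System.IO.Path]::GetFileName($exe)).ToLowerInvariant()
        Exists   = Test-Path -LiteralPath $exe
    }
}

# Evaluate each record: missing binary, unexpected redirect, mutual redirect (A -> B and B -> A).
$report = foreach ($e in $entries.Values) {
    $flags = @()
    if (-not $e.Exists) { $flags += 'debugger path does not exist' }
    if ($allowList[$e.Image] -ne $e.Name) { $flags += 'redirect not on allow list' }
    $back = $entries[$e.Name]
    if ($back -and $back.Name -eq $e.Image) { $flags += "loops with $($e.Name)" }
    [PSCustomObject]@{ Image = $e.Image; Debugger = $e.Debugger; Flags = ($flags -join '; ') }
}
$report | Sort-Object Image | Format-Table -AutoSize
```

Run it from an elevated prompt so every subkey is readable; an empty Flags column for an image means the redirect is one you have explicitly allowed.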

Some MSDN references:
  • Junfeng Zhang's Windows Programming Notes at http://blogs.msdn.com/junfeng/archive/2004/04/28/121871.aspx
  • greggm's weblog at http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx
  • Image File Execution Options: Good, Evil, Fun at http://mygreenpaste.blogspot.com/2005/07/image-file-execution-options-good-evil.html
  • Abusing "Image File Execution Options" at http://isc.sans.org/diary.html?storyid=4039