Reducing permissions on Firefox extensions

Page 1 of 3 1, 2, 3  Next

View previous topic View next topic Go down

Reducing permissions on Firefox extensions

Post by wat0114 on 29/2/2012, 01:23

There has been a topic brought up elsewhere regarding some of Firefox' add-ons occasionally "behaving badly" with a link here. I was curious so I checked under the security tab of the three add-ons I use (NoScript, Cookie Monster & LastPass) and found that the extensions do have, by default even under my Standard account, full rights (Full control, Modify, Read & execute, Read, Write) that the administrative account has! As an experiment, I removed the inherited permissions from the parent directory of NoScript and Cookie Monster, then reduced them both to only Read & execute and Read. It is early but so far I'm not seeing any problems; the extensions are working as expected with these severely reduced rights. I don't know if this will actually secure the extensions, although I think it should and will do so, because they now no longer hold the same rights as the user. Any thoughts on this?

-

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by ssj100 on 1/3/2012, 01:47

I guess one question is what can the extension do (if it did go rogue) with LUA/SUA + SRP/AppLocker in place? Even with your "tweak", I suppose it would still be able to perform read operations, and therefore be able to (maliciously) log data?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 1/3/2012, 06:07

ssj100 wrote:I guess one question is what can the extension do (if it did go rogue) with LUA/SUA + SRP/AppLocker in place?

Probably not much of anything Smile I'm just playing around, so to speak, looking at possibilities of securing things in the browser extensions in cases where a whitelist approach or similar isn't used.

Even with your "tweak", I suppose it would still be able to perform read operations, and therefore be able to (maliciously) log data?

Yes, that might indeed be possible, although I guess as a minimum read operations would be needed. I also applied m00nbl00d's low IL to Chromium approach to the FF profile directory with no ill effects thus far.

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 1/3/2012, 08:35

The permissions mentioned are inherited from the user account. I don't think they're exactly related to misbehaving extensions?

I mean, I got the same in the Chromium extensions folders. That happens because the creator has full access.

I'm not sure if such permissions have any weight on the security of the extensions? Except forbid to write/execute.

I believe the real danger with Firefox extensions is the amount of privileges they have within the browser itself? Or, in other words, they have the same amount of privileges the browser has?

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 1/3/2012, 08:52

m00nbl00d wrote:The permissions mentioned are inherited from the user account. I don't think they're exactly related to misbehaving extensions?

I mean, I got the same in the Chromium extensions folders. That happens because the creator has full access.

I'm not sure if such permissions have any weight on the security of the extensions? Except forbid to write/execute.

I believe the real danger with Firefox extensions is the amount of privileges they have within the browser itself? Or, in other words, they have the same amount of privileges the browser has?

That seems to make sense, although are those permissions I applied manually to the extensions going to be superseded by the permissions of the browser? With the browser open and running for even some time, the permissions on them don't match those of the browser. They are still at their reduced state. Even so, I do wonder if this permissions reduction makes any difference at all in the browser's security. Maybe I'm just wasting time and effort applying them, but I do so just to see if it can be done without breaking anything, and if in fact they do help, then I've succeeded in my experiments Smile BTW, I used accesschk to view the integrity levels of the files in the profile directory and they are all holding at Low IL, so that has to be a good thing Very Happy

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 2/3/2012, 00:02

I remember that I used to deny write permissions to Chromium cache folder, which Chromium/Chrome place in the profile folder, and Chromium/Chrome would always restore it back.

I'd imagine the same would be done whenever the extensions are upgraded. That's something you'll have to monitor. You'll know when the extensions upgrade.

I don't think that reducing such permissions will have any effect on security, other than not allowing writing to the extension(s) folder(s). Any rogue or exploited extension still has the same amount of rights the browser has over any other file system/registry areas.

Firefox (non tweaked) has the same set of permissions you as a standard user/administrator user have, and so do the extensions. That's the real problem.

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 2/3/2012, 03:59

m00nbl00d wrote:I don't think that reducing such permissions will have any effect on security, other than not allowing writing to the extension(s) folder(s). Any rogue or exploited extension still has the same amount of rights the browser has over any other file system/registry areas.

Firefox (non tweaked) has the same set of permissions you as a standard user/administrator user have, and so do the extensions. That's the real problem.

The more I think about it, the more I agree with you. How about the Low IL i've applied to the FF profile directory? Do you feel that will increase security of the browser and extensions?

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 2/3/2012, 06:20

wat0114 wrote:
The more I think about it, the more I agree with you. How about the Low IL i've applied to the FF profile directory? Do you feel that will increase security of the browser and extensions?

You need to see it as a whole. What exactly have you applied a low integrity level to? Only to Firefox's profile? Or, have you applied a low integrity level to firefox.exe and to the file system that it needs access to? If you haven't applied a low integrity level to Firefox itself, I think applying a low integrity level to the profile ends up being nothing more than a false sense of security. I mean, the browser itself still has the same amount of permissions that you have.

Whatever is written to the profile folder, will generally inherit the parent folder low integrity level, but the browser still has access to any other file system inherited medium integrity level; if running in a standard user account or protected administrator account.

The idea is for you to apply a low integrity level to the browser itself and to the other file system area it needs access to. Doing this, you'll be effectively restricting what the browser can do; you'll be taking away permissions. It will no longer be able to write to the file system and registry areas with a medium/high integrity level. It will only be able to write to the file system and registry areas with a low integrity level; which will be practically nothing.

I'm not a Firefox user, but I believe this would be all it needs:


"C:\Program Files\Mozilla Firefox\Firefox.exe"
"C:\Users\username\AppData\Local\Mozilla"
"C:\Users\username\AppData\Roaming\Mozilla"

I've seen some mentioning they applied a low integrity level to the full Firefox program folder. I doubt it's needed.
To be able to download, then you'd need to apply a low integrity level to:


"C:\Users\username\AppData\Local\Temp"

And, also have a Downloads folder with a low integrity level.

Then, what you could do - as I did with Chromium - is not to allow writing or executing to "C:\Users\username\AppData\Local\Temp" and to the folder where the profile is; which I don't know which one(s) is/are, by using chml with the flags -nw and -nx. Laughing You can achieve that, by following the same approach I follow for Chromium.

-nw and -nx mean that any lower integrity level object/container (files, etc/folders) cannot write or execute to that folder that has a higher integrity level, with those flags applied. There's another flag, -nr, which means that nothing will be able to read from the object/container. Obviously, you'd need to allow the browser to read the profile. Laughing

You can then, of course, try and see if what I previously discussed with you over PM, regarding those other two low integrity level file system areas can be removed write permissions without affecting anything else, by using Windows own tool icacls, and deny writing to the group Everyone. I that should do it. I believe they're only used by Internet Explorer. I might be wrong, so test it in a virtual machine, if you'd like to this. Idea

It's really not that much of an annoyance, once you get used to it. It's just like having to create AppLocker rules when necessary. It may be a few seconds that you waste, but they may be precious hours that you won't be wasting any time later. Obviously, I'm not saying your system would become compromised, but you get the point. Very Happy

Now, if you want to truly let the browser interact with "C:\Users\username\AppData\Local\Temp", so that you can download without having to change the integrity level when needed - you could do it like that, and it won't be that annoying, as it becomes routine - then, I'd use chml tool and apply a low integrity level without inheritance. By doing that, you're applying a low integrity level to "C:\Users\username\AppData\Local\Temp", but not to any of its sub-folders/objects. It's less file system with a low integrity level; it will help to reduce the low integrity level world, and not let malware have its own low integrity level world.

I don't recall if it's like that, but I believe it would be chml "C:\Users\username\AppData\Local\Temp" -i:l -noinherit. It should then only apply the low integrity level to the Temp folder, but not any of its sub-folders/objects. You can easily test it, by checking chml place_a_location_within_Temp_folder and then press Enter. You should see what integrity level it has. It has the inherited medium integrity level from the user account, then it's been applied correctly.

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 2/3/2012, 06:33

Ahh okay I'm not thinking this through deeply or carefully enough confused It's not quite so simple as I thought, but not all that complicated either. Okay, I'll try all that out and let you know how it works, or doesn't work Laughing Thanks again!


wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 2/3/2012, 06:53

Think of it as effectively having a bit of Protected Mode... using only the integrity levels. Protected Mode is more than that, but integrity levels are an important part of the sandbox.

Then, we're just taking the restrictions a bit further. In a freakish style, so to speak. Twisted Evil But, if you'd like to keep it simple, leave my approach of having the profile with a medium integrity level out of the equation... Until you get the hang of it, at least... Make some testing and see what works best for you. That's all it is, in the end. Testing and see if it still works without breaking functionality. Laughing

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 2/3/2012, 07:01

m00nbl00d wrote:Think of it as effectively having a bit of Protected Mode... using only the integrity levels. Protected Mode is more than that, but integrity levels are an important part of the sandbox.

Then, we're just taking the restrictions a bit further. In a freakish style, so to speak. Twisted Evil But, if you'd like to keep it simple, leave my approach of having the profile with a medium integrity level out of the equation... Until you get the hang of it, at least... Make some testing and see what works best for you. That's all it is, in the end. Testing and see if it still works without breaking functionality. Laughing

@m00nbl00d,

it's early but I'm getting very excited already bounce after applying your suggestions with chml.exe (great little program!) This is awesome! I've never actually applied integrity levels this way with the security-enhancing effect thay have, especially really nice to see on the browser, the gateway for most viruses. Thanks so much for your help! Very Happy BTW, when I go to launch Waterfox now, I get presented with a warning that the Publisher could not be verified, but then of course i allow to proceed and Waterfox launches normally. Obviously the Low IL has affected this, but no worries because of the obvious security benefits now achieved. Thanks again! I'll let you know of any problems and if so I'll try to resolve them but looking good in the very early going.

*EDIT*

even the plug-in container is at Low IL Very Happy

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 2/3/2012, 07:24

Interesting. I don't think I've ever seen Windows presenting that same Publisher warning for Google Chrome...

I think I know why that happened. When you installed Waterfox, did you right-clicked the installer and in the Security tab clicked Unblock?

Basically, it has to do with Internet Explorer security zones. 1806 Miscellaneous: Launching applications and unsafe files

-http://support.microsoft.com/kb/182569
-http://msdn.microsoft.com/en-us/library/ms537183.aspx

This only works with NTFS. Whenever you download something, an ADS (Alternate Data Stream) is attached to the file, containing the information where the file came from - the security zone.

By default, when right-clicking a file, you'll see in the Security tab an option to Unblock. But, even if you don't unblock, you still can install.

I never really bothered to delve into it, but there seems to exist a link between that and the permissions that an object has in the system. So, when you applied the low integrity level to Waterfox, you took away permissions, which reflected in that behavior.

It's something like that.

You could test that in a virtual machine, when you get the time. Download Waterfox, but before installing it Unblock it. Then apply the low integrity level and see if you still see that Publisher warning.

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 2/3/2012, 07:40

m00nbl00d wrote:

I think I know why that happened. When you installed Waterfox, did you right-clicked the installer and in the Security tab clicked Unblock?

I don't really remember what I did during the install, but I don't think that was one of the steps. I'll do those checks you suggest, but even if I have to clear the warning each time I start Waterfox, I consider an insignificant tradeoff for the increase in security Smile

*EDIT*

wait a minute, I have some Group Policy setting enabled that checks for Publisher's signature's, so that's probably it, although i don't know why it's alerting only after the Low IL applied to Firefox.exe.

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 2/3/2012, 09:21

By the way, I'd create a batch file that would install Waterfox and reapplies the low integrity level to the needed processes afterwards. The reason being that, most likely, when you upgrade it, you'll lose the low integrity level.

That's how I upgrade Chromium. The batch file places Chromium folder in Program Files, and then reapplies the integrity levels, using chml.

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 2/3/2012, 23:36

Does Firefox/Waterfox allow to redirect cache to a different folder and also specify the amount of space the cache can take? If it does, you could redirect Waterfox's cache to that folder, but apply a medium integrity level to it, so that it can't write any cache in the disk.

I'm doing that with Chromium. Cool Too bad you're using a x64 bit browser, otherwise you could use RunAsInvoker to redirect changes to Program Files/Windows and HKLM to VirtualStore. Laughing

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 3/3/2012, 06:08

m00nbl00d wrote:Does Firefox/Waterfox allow to redirect cache to a different folder and also specify the amount of space the cache can take? If it does, you could redirect Waterfox's cache to that folder, but apply a medium integrity level to it, so that it can't write any cache in the disk.

No, I checked, even in about;config, but didn't see an option.

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 3/3/2012, 07:07

But, it seems it is possible to disable it altogether, though. Which is practically the same.

Chromium/Chrome doesn't allow to disable caching entirely; one needs to set a minimal value of 1MB, using the flags --disk-cache-size=1 and --media-cache-size=1

Take a look at this link for Firefox: -http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

Look for these:

browser. cache. disk. capacity;
browser. cache. disk. enable;
browser. cache. disk. parent_directory (Would this one allow to move the cache folder?);
browser. cache. disk_cache_ssl;
browser. cache. memory. capacity;
browser. cache. memory. enable

Are these present in recent versions?

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 3/3/2012, 07:11

If you could do it, then you could create a more private profile... I suppose. Exclamation

I never experienced any issues doing this with Chromium, stability or performance wise.

And, I prefer this method over RAMdisk. There's also one extra benefit (to me) by applying a medium integrity level to Chromium profile, and the benefit is that Chromium's history is gone. Very Happy So, no caching, no history...

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 3/3/2012, 07:19

m00nbl00d wrote:

Take a look at this link for Firefox: -http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

Look for these:

browser. cache. disk. capacity;
browser. cache. disk. enable;
browser. cache. disk. parent_directory (Would this one allow to move the cache folder?);
browser. cache. disk_cache_ssl;
browser. cache. memory. capacity;
browser. cache. memory. enable

Are these present in recent versions?

I have: 1, 2, 4, similar to 5: browser.cache.memory.max_entry_size, and 6

The third one I don't see.

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 3/3/2012, 07:27

wat0114 wrote:
m00nbl00d wrote:

Take a look at this link for Firefox: -http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

Look for these:

browser. cache. disk. capacity;
browser. cache. disk. enable;
browser. cache. disk. parent_directory (Would this one allow to move the cache folder?);
browser. cache. disk_cache_ssl;
browser. cache. memory. capacity;
browser. cache. memory. enable

Are these present in recent versions?

I have: 1, 2, 4, similar to 5: browser.cache.memory.max_entry_size, and 6

The third one I don't see.

And, can't you add that entry? According to some tweak guides it's present in Firefox 10. Either by default or they added them, I don't know.

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 3/3/2012, 07:44

m00nbl00d wrote:
And, can't you add that entry? According to some tweak guides it's present in Firefox 10. Either by default or they added them, I don't know.

I suppose I could Neutral I found the cache folder at: c:\users\user_name\appdata\local\mozilla\firefox\profiles\yldg1sxa.default\Cache

Do you think I could instead simply change the IL of the Cache folder to medium, or will it just inherit the Low IL of the Parent directory?

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 3/3/2012, 08:22

If you apply a medium integrity level to it, it should work. Just make sure you're indeed running firefox.exe with a low integrity level; otherwise, Firefox is still able to write cache.

If it doesn't, then first try to remove the low integrity level from Cache folder only, using the flag -rl. This should restore to Cache the standard's user account medium integrity level. Then apply a medium integrity level to it. I don't think you'd even need to apply an explicit medium integrity level, if you restore it... unless it would get the low integrity level back. Question

I actually don't know why I suggested moving away the Cache folder... scratch It would make sense when using multiple profiles, so they all would be trapped to the same Cache folder, where they could not write, instead of having more than one.

Anyway, hopefully you're testing this stuff in a test system first. affraid

Tomorrow I may download Firefox and see how far I can tweak it; who knows if I keep it as my second browser... Shocked

By the way, another thing you can do with chml is apply a high integrity level to the startup entries. This is something you'd need to do elevating chml.

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs and "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Anything you install, with administrator rights still can add startup entries; just not anything lurking around in the standard user account. I've applied it, just in case something bad happes with AppLocker... silent

There's another tool by the author, regil, which allows to change registry entries integrity levels. I suppose you could also change the integrity levels of the autorun entries there.

In this case, we'd also be changing them to a high integrity level. But, in this case, we'd have to use SuRun to elevate only for the current user account; otherwise with UAC we'd be changing it for the administrator account, which is something to avoid.

I haven't used regil, yet. I'm not using SuRun. I'm sure I will when I get my new hdd, though. I don't mind the extra comfort it would provide.

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 3/3/2012, 08:41

m00nbl00d wrote:If you apply a medium integrity level to it, it should work. Just make sure you're indeed running firefox.exe with a low integrity level; otherwise, Firefox is still able to write cache.

I have tried that and verified it works using accesschk -l Firefox is running @ Low IL too. You are certainly ambitious Smile


By the way, another thing you can do with chml is apply a high integrity level to the startup entries. This is something you'd need to do elevating chml.

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs and "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Okay, will try that too. Thanks!


wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Guest on 3/3/2012, 08:48

wat0114 wrote:
I have tried that and verified it works using accesschk -l Firefox is running @ Low IL too. You are certainly ambitious Smile

Now, just keep an eye on it... Make sure Firefox cannot, in fact, write to it. Cool

By the way, I take it that Firefox couldn't work with the profile folder @ (I'm copycatting Shocked) medium integrity level? Or, you haven't tried that? Most likely, there would be some issue or another due to the plugins you maybe using. Having the profile with a medium integrity level would be more to use in a profile, without any plugins, and due to privacy reasons other than security, though.


Okay, will try that too. Thanks!

You're welcome!

Guest
Guest


Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 3/3/2012, 09:10

Strange, the Cache directory size never changes (2.91 MB, 45 files, 57 folders) 45 files even after clearing it using Tools-> Clear Recent History. I put it back to Low IL and tried again but it makes no difference??


wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

View user profile

Back to top Go down

Re: Reducing permissions on Firefox extensions

Post by Sponsored content


Sponsored content


Back to top Go down

Page 1 of 3 1, 2, 3  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum