Blog 

Background

My weekend hacking project was spurred from a discussion I had with one of my colleagues at work about the current status of the poorly implemented packaged implementation of Mozilla Firefox in our enterprise environment; while our current solution works (sort of) the main issue we face mostly stem from the lack of support Firefox has for Group Policy (not that we have that implemented in our environment yet anyway), to other issues faced with silently deploying the application to end users via the SCCM console, while we are adamant this can be tweaked with further research and development, as previously stated "lol, ain't nobody got time for dat!"

Further to my own research at home, I soon discovered it's not a well-documented process across the internet and searching through thread after thread of useless garbage (I'm looking at you google groups) I soon came to the conclusion that some of the features, settings and customization sought out by sysops and network administrators either aren't implemented in Firefox or there is no option to change them via command line. - Administrators love this kind of stuff because it means we don't have to babysit end users during system migrations.

This also probably explains why Firefox is not well supported by organizations and in normal corporate enterprise environments.

So as someone who is always wanting to un-ameliorate the current state of things I fired-up that XP Virtual machine I prepared in a previous rant and set about glue-boxing and hacking the shit out of Firefox until I got what I wanted out of it.

The Script

First things first, I wanted to implement a client-side mechanism for when an end user changes their password in the AD (Active Directory) it could automatically update saved credentials in the end users Firefox user profile on their local machine, similar to how Internet Explorer can be configured for automatic logon (in to domain\organizations sites) by using Group Policy if the computer is connected to a domain.

As it stands I haven't quite yet figured out how to parse freshly updated domain credentials to the client on the local machine, even if for the moment the end user has to populate a field, - I could generate a dialog box in the PowerShell script with system.Windows.Forms.Form, - my colleague was actually in the process of developing a change password dialog field using a .hta script when you change your password using Ctrl-Alt-Del in the domain environment, but anyway all this is a proof of concept.

(NSS) Network Security Services and How FireFox Stores passwords

My research on the internet [1] [2] lead me to a file (on the Windows operating system) called: logins.json, stored in file: %AppData%\Roaming\Mozilla\Firefox\Profiles\[random string].default\

This file contains all currant encrypted username and passwords that the user has saved in to the browser when prompted to by Firefox "remember password dialog" in .JSON syntax.

So, if I could figure out a way to encrypt the user's username and password I could simply either add or update the entry for each site\subdomain for our organization in this file. - This feeds into an argument that I have been having with other teams about Single sign-on vs Single sign-in as many of the subdomains for different systems in our environment all use the same set of credentials across these sites so at the moment changing passwords in our environment is a painful exercise, there are plans of implementing a unified portal, however.

As it turns out, it is far easier to simply decrypt these usernames and passwords then it is to encrypt them. [3] [4] [5] and there are numerus utilities on the internet that will allow you to view them. [1] [6] I went with the open-source python script firefox_decrypt.py Α], installing the Python runtime library on the VM was relatively straight forward.

My logic then became if I could load up a set of credentials into Firefox and then use the decrypted to view them, since the script was open-source I might be able to reverse it to encrypt new usernames and password parsed to it; this unfortunately wasn't so straight forward.

Time for a different approach, I pulled out the extension API and wrote a small plugin (with some code stolen from Mozilla Developers Network Security Services page) - the goal of this Kludge script was to simply create a new set of credentials (temporarily) add them to a login.json file, from there I could use something like PowerShell to alter the login.json file.

The image above is a POC and requires further explanation. - to the left we see the code, a simple encrypt and add username and password to the login.json file function. - it was at this point I realised that this probably wasn't such a great idea, - in order to parse credentials over to the login.json file they first need to be stored (temporarily) in an unencrypted plain text script file which is a no-no in the security world, either way it worked (for now).

On the right we see the target VM where I have tested this script (so I can confirm that it does in fact work).

Since this script is called from a Windows batch script, I wanted to see if I could then parse it arguments via command line, similar to how the RunAs command works in windows (with the password added to the command line), not surprisingly, this didn't work.

Conclusion

I think the next step forward would be to return to that python script, and instead re-implement it in PowerShell and rather than decrypt it, encrypt it, but this whole experience shed some light into just how unsafe storing passwords in Firefox can be.

Reference

1, [Firefox Password Viewer : Free Tool to Recover Lost or Forgotten Website login passwords from Firefox browser | www.SecurityXploded.com: ], (http://securityxploded.com/firepasswordviewer.php)

2, [Where are my logins stored? | Firefox Help:], (https://support.mozilla.org/en-US/kb/where-are-my-logins-stored)

3, [GitHub - Unode/firefox_decrypt: Firefox Decrypt is a tool to extract passwords from Firefox profiles:], (https://github.com/Unode/firefox_decrypt)

4, [Lets decrypt firefox passwords - Programming - rohitab.com - Forums:], (http://www.rohitab.com/discuss/topic/40986-lets-decrypt-firefox-passwords/)

5, [Steal Firefox Passwords using only Batch bypassing the AV. - USB Rubber Ducky - Hak5 Forums:], (https://forums.hak5.org/index.php?/topic/35953-steal-firefox-passwords-using-only-batch-bypassing-the-av/)

6, [PasswordFox - Reveal the user names/passwords stored in Firefox:],(http://www.nirsoft.net/utils/passwordfox.html)