Uptycs Blog


Finding browser extensions in osquery [with Video]

There have been several cases in the past year of major software vendors inadvertently introducing vulnerabilities through browser extensions. Last August, it was reported that 4.7M Chrome users were at risk due to malicious code injected into eight different Chrome extensions. This past November, the browser extension for Cisco's Webex, a widely adopted video conferencing platform, was found to have multiple vulnerabilities.

Finding Webex Browser Extension in osquery

Browser extensions make a good vehicle for attackers because they often run with the full permissions of the user. Additionally, in smaller organizations, employees are often allowed to install whatever browser extensions they want with little to no oversight. It is easy to see why you'd want a quick and reliable way to check on browser extensions.

Locating the versions of software installed across your organization isn't so hard, but getting to the browser extensions requires more legwork, whether checking machines manually or with a script. Thankfully, finding browser extensions in osquery is fast and pretty easy because there are tables for Chrome, Safari, Opera and Firefox extensions. 

You can continue to follow this post for steps on how to find a browser extension in osquery for a single machine as well as at scale OR if you hate reading, scroll to the end or click the link below to watch a video instead. 


Ahhh good, we've got a reader on our hands. 

We'll use the Cisco Webex scenario as an example of how to find browser extensions using osquery. The Webex plugin did not affect all operating systems, but investigating it can still serve as a good example of how easy it is to identify browser extensions on Macs and Linux workstations using osquery.

Finding browser extensions in osquery... one machine at a time 

Osquery, by its nature, lets you ask a question and receive a response from a single specified endpoint. I've opened up osqueryi on my Mac to search for the Chrome extension.

$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> 

Then I query the osquery table for Chrome extensions, filtering it to return only extensions whose name matches %Cisco%.

osquery> select name, version from chrome_extensions 
where name like "%Cisco%";
+-----------------------+---------+
| name                  | version |
+-----------------------+---------+
| Cisco WebEx Extension | 1.0.12  |
+-----------------------+---------+
osquery>

If you are running Firefox, query:

select name, version from firefox_addons
where name like "%Cisco%";

With this we’re able to verify the version on a single machine. But what if you want to turn this neat trick on your local machine into an actual report on which OS X machines across your enterprise are exposed to this vulnerability?

Finding browser extensions in osquery for your entire enterprise

While osquery will let you query one machine, commercial-grade solutions (transparency alert...I work for Uptycs and this is part of what we do) will let you run this query and uncover vulnerable browser extensions across every machine in your organization, all in a matter of minutes! No waiting for a signature to be updated in a definition or IOC package: you write the SQL yourself and you have your answer. Here's how to find browser extensions in osquery at scale.

By default, osquery is going to run the query you pass to it in the context of the user it is running as — in the case of me on my local machine, it’s my account. So I see my web extensions.

But what if you are running osquery as a daemon, and ask the question of that osquery?

You’re going to miss the extensions of the various users on that host, because without more context, osquery is only going to look at the extensions for the user the daemon runs as. So, we got a little creative.

osquery also has a users table! We want to make sure that we are looking at all users on a given host when we ask our question “at scale.” Taking the above query, I’m going to effectively join it with the user ids from the users table. There are several ways to do this in SQL; here’s one:

SELECT uid, name, version
FROM chrome_extensions
WHERE chrome_extensions.uid IN (SELECT uid FROM users)
AND name LIKE '%Cisco%';

Of course, running this on my same laptop, I get the same results, because I only have one user with Chrome installed — but if there were multiple users with Chrome and this extension installed, I would get more than one row. The results table now shows the user id (UID) as well as the installed version of the Cisco WebEx extension.

+-----+-----------------------+---------+
| uid | name                  | version |
+-----+-----------------------+---------+
| 501 | Cisco WebEx Extension | 1.0.12  |
+-----+-----------------------+---------+
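As an added example (not from the original post), here is the same per-user idea written as an explicit JOIN against users, so each row also carries the username and install path, and covering the Firefox case from earlier in the same query. Column names are those of the osquery chrome_extensions, firefox_addons and users tables; dropping the LIKE filter turns this into a full extension inventory.

```sql
-- Added example: report matching extensions for every local user, so a
-- root-level osqueryd does not silently report only its own profile.
-- Joining on users.uid supplies the uid constraint these tables use to
-- look inside other users' home directories.
SELECT u.username, u.uid, 'chrome' AS browser,
       ce.name, ce.version, ce.identifier, ce.path
FROM users AS u
JOIN chrome_extensions AS ce ON ce.uid = u.uid
WHERE ce.name LIKE '%Cisco%'

UNION ALL

SELECT u.username, u.uid, 'firefox' AS browser,
       fa.name, fa.version, fa.identifier, fa.path
FROM users AS u
JOIN firefox_addons AS fa ON fa.uid = u.uid
WHERE fa.name LIKE '%Cisco%'
ORDER BY uid, browser;
```

Run as a scheduled query in osqueryd, the rows can be diffed over time, so a newly installed or changed extension shows up as an event rather than waiting for someone to ask.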

There you have it. Two ways that make finding browser extensions in osquery fast and easy. Watch the video below to walk through additional examples and learn more.