Friday, July 20th, 2007

More URI Stuff… (IE’s Resouce URI)

The resource (res://) protocol is built into Internet Explorer 4.0 and later. Typically, the resource protocol is used to pull resources like images, html, xsl… etc from DLLs and executables. You’ve probably seen the resource protocol in use and didn’t even realize it (take a look at the properties for the images on a typical IE error page). The resource URI (like other URIs) has access to software on YOUR local file system. So, it’s possible to call the resource URI from a remote web page, use the resource URI to check for the presence of certain executables and DLLs, then report back to a remote server whether that file exists or not. So in essence, an attacker can use the resource URI to:

  • Enumerate the software on your machine
  • In many cases, determine the exact version of software enumerated
  • Use the enumerated software list to target specific exploits and attacks

The software doesn’t have to be “installed” for this to work… simply having the executable on your system can also allow for enumeration. I’ve posted a proof of concept HERE. The PoC should work for pretty much all versions of IE (including IE7).  If you want more information about using the resource URI, check out our paper – URI Use and Abuse.

Now, before Firefox users start snickering, Firefox had a similar issue which was fixed recently. Their issue involved the “resource:” URI supported by Firefox browsers. Besides… FireFox has other URI handling vulnerabilities they should be worried about….

Posted by xssniper | Filed in Security


10 Responses to “More URI Stuff… (IE’s Resouce URI)”

  1. July 21st, 2007 at 11:44 am

    Davide Denicolo said:

    The problem still exists in Firefox but in my IE v 6.0.2800.1106 SP1 it doesn’t appear

  2. July 22nd, 2007 at 1:39 am

    The BC Blog » Blog Archive » We Know What Programs You Have on Your Computer said:

    [...] (BK) Rios posted this information on his blog and we thought it would be a good idea to make sure people know about [...]

  3. July 25th, 2007 at 4:40 pm

    Ghosty said:

    I tired your POC and none of the programs it listed was on my machine. 2 were there, but have been gone for months lol. Nice POC none the less!

  4. July 26th, 2007 at 1:53 am

    eirik said:

    wicked, works perfectly.

  5. July 27th, 2007 at 9:01 am

    Interview with XS-Snipers | GNUCITIZEN said:

    [...] res – http://xs-sniper.com/blog/2007/07/20/more-uri-stuff-ies-resouce-uri/ [...]

  6. September 13th, 2007 at 1:31 pm

    National Vulnerability Database (CVE-2007-4848) - Microsoft Internet Explorer 4.0 through 7 allows remote attackers to determine the existence of local files - Chris Mosby at myITforum.com said:

    [...] External Source: (disclaimer) [...]

  7. September 26th, 2007 at 8:05 pm

    maw said:

    Nice PoC… definitely revealed some of my apps and ‘tools’. Just discovered your site and will continue to read your papers, keep up the good work.

  8. March 29th, 2011 at 9:06 am

    How Sophisticated are Targeted Malware Attacks? | Loan ToolZ said:

    [...] This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which was built into Internet Explorer since [...]

  9. March 29th, 2011 at 9:23 am

    How Sophisticated are Targeted Malware Attacks? | Simply Security said:

    [...] This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which was built into Internet Explorer since [...]

  10. March 29th, 2011 at 9:42 pm

    Trend Micro Asia Pacific News Library - How Sophisticated are Targeted Malware Attacks? said:

    [...] This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which was built into Internet Explorer since [...]



Please leave a Comment