Billy (BK) Rios » Remote Command Execution in FireFox et al

Tuesday, July 24th, 2007

Remote Command Execution in FireFox et al

**** UPDATE ****

Apparently this flaw affects Firefox users that also have IE7 (with full security patches) on their system. Just to be clear, this vulnerability is delivered through the Firefox browser, NOT IE. You simply have to have IE7 installed somewhere on your system for this to work (which is basically most WindowsXP Sp2 systems) You can read about the details HERE. So it seems once again… as my first post (HERE) about URI handling issues stated…. IE PWNS Firefox…..

On a good note… I’ve noticed that this Mozilla bug ID has been changed to RESOLVED – FIXED. That was LIGHTING FAST… I’ll be waiting for the patch to get pushed out…

**** UPDATE ****

IE has gained a LOT of attention from the way it handles registered URIs. We (Nate McFeters and I) have repeatedly mentioned that IE isn’t the only browser that has issues dealing with registered URI handlers. In fact, some of the behavior exhibited by URI handling issues by other browsers can lead to remote command execution…. some examples can be found here.

Once again…. these issues are shown using FireFox (2.0.0.5), Netscape Navigator 9, and Mozilla, but many other browsers are affected as well. It’s time to take a good look at the registered URI handlers and how browsers interact with those registered URI handlers!

Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URI handling mechanisms and audit the functionality called by those URIs…

NOTE: If another program (outlook, notes…etc) has modified the registered URI handlers on your machine, these examples may not work…

Posted by xssniper | Filed in Security

http://xs-sniper.com/ Nathan McFeters

This has been tested on Mozilla’s latest version, Firefox 2.0.0.5 and latest 3.0alpha, and on Netscape Navigator 9, with the following registry settings for each of the URI’s mentioned. It could certainly be vulnerable on others, but these are all vulnerable on my test machine:

telnet:// rundll32.exe url.dll,TelnetProtocolHandler %l

news:// “%ProgramFiles%\Outlook Express\msimn.exe” /newsurl:%1

nntp:// “%ProgramFiles%\Outlook Express\msimn.exe” /newsurl:%1

snews:// “%ProgramFiles%\Outlook Express\msimn.exe” /newsurl:%1

mailto:// C:\lotus\notes\notes.exe /defini %1
http://php-ids.org .mario

Again – great work. I just updated our rules and created an own uri exploit unitest

Maybe we can chat thursday about the article we talked anbout on slackers?

Greetings,
.mario
Pingback: Attack of the URL Vulnerabilities | GNUCITIZEN
http://noscript.net Giorgio Maone

Great PoC.
As you correctly noticed, this works on Fx 2.0.0.5 but not with the 2.0.0.6 release candidates nor with the Minefield trunk builds.

The stable versions of Gecko-based browser with NoScript 1.1.6.07 installed are not vulnerable either.

Cheers
–
There’s a browser safer than Firefox… http://noscript.net
nobody

The URI actually doesn’t need to be that complex.

nntp:%00/../../../windows/system32/calc.exe”.bat

works just fine at my system. The string between %00 and ” seems to get piped to the application registered for the extension (e.g., cmd.exe for .bat).
Pingback: Antonio Trigiani w3bL0g - Informatica Virale » Blog Archive » Remote command execution su Firefox 2.0.0.5
Pingback: Techzi » Blog Archive » Mozilla flaw attack code published
Pingback: Mozilla flaw attack code published
DDE.nutpicker

It seem don’t work under mybox. Why?
http://xs-sniper.com/ Nathan McFeters

Hey there DDE.nutpicker, use the DUH tool, which you can find at http://erik.cabetas.com/?p=stuff. Send the results to me at nate.mcfeters@gmail.com and I’ll see if I can help you.

Point of the matter is, the issue is completely dependent upon what is installed on your system, just like most every exploit out there.
http://www.gucio.org Gucio

New bug in Firefox, eh.
Pingback: Security Tips » Firefox Fixes FileType Flaw
Pingback: Mozilla flaw attack code published « TechTitans™
Pingback: » Protocol abuse adds to Firefox, Windows security woes | Ryan Naraine’s Zero Day | ZDNet.com
Pingback: The Protocol Handler Saga Continues: Say What Secunia? - Jesper's Blog
Pingback: Mozilla patches Firefox URI flaw - Hacking-News.com
Pingback: Firefox vulnerable… no filtra bien algunos URIs :
Pingback: Firefox 2.0 e IE7 soffrono dello stesso bug « Re Riccardo
Pingback: [SSD] Security & Development Blog » Mozilla Firefox: Vulnerabilidad en filtrado de URIs
Pingback: Security Alert for Firefox 2.0.0.5 « The geeky freaky world …
http://calipan.blogspot.com civergeek

°O_o!
******……………….OMG…………*****
Bueno la verdad es que siempre ha existido este bug pero no se habia usado como lo expones,……….. realmente es preocupante pues esto podria ser la bulneravilidad mas importante en el firefox a la fecha.

Esperemos y este resuelto en la proxima vercion del Firefox.
Jeroen Roland

I have destory all reg key HKEY_CLASSES_ROOT\ telnet , news , nntp , snews, mailto. And i have wite URLMON.DLL delete key _blank and URL.dll delete telnet write UltraEditor. I don´t used CMD.exe i hav it delete, don´t uses IE browser. But how destory i my IE borser i can not delete browseui.dll . I browseui.dll disable my IE5 browser!
Pingback: » Firefox vs Internet Explorer - URI Handling Command Execution Vulnerability en HCastelli
Pingback: Blog do Márcio d’Ávila » Firefox 2.0.0.6 bloqueia falha em Windows XP/2003
Pingback: The Protocol Handler Saga Continues: Say What Secunia? - Jesper's Blog
Pingback: VulnAware.com » VU#783400:Mozilla Firefox URI filtering vulnerability
Pingback: hackademix.net » IE's "Non-Bug" Can Cost Your (Second)Life
http:%00../../../../windows/system32/calc.execmd IE bug

nice bug.
http:%00../../../../windows/system32/calc.exe”cmd
Kapila Rattan

Hi,
I was going through your blog regarding the vulnerability. It would be a great help if u could tell me what registry settings need to be done for the exploit running.
Pingback: Technology latest news » Blog Archive » Researcher Publishes Attack Code for Mozilla Flaw (PC World)
Pingback: Technology latest news » Blog Archive » Mozilla flaw attack code published (InfoWorld)
Pingback: Zero Day mobile edition
http://musot.com/ JusyUnons

xs-sniper.com – now in my rss reader)))