Tuesday, July 24th, 2007

Remote Command Execution in FireFox et al

**** UPDATE ****

Apparently this flaw affects Firefox users who also have IE7 (with full security patches) on their system.  Just to be clear, this vulnerability is delivered through the Firefox browser, NOT IE.  You simply have to have IE7 installed somewhere on your system for this to work (which is basically most Windows XP SP2 systems).  You can read about the details HERE.   So it seems once again… as my first post (HERE) about URI handling issues stated…. IE PWNS Firefox…..

On a good note… I’ve noticed that this Mozilla bug ID has been changed to RESOLVED – FIXED.  That was LIGHTNING FAST…  I’ll be waiting for the patch to get pushed out…

**** UPDATE ****

IE has gained a LOT of attention for the way it handles registered URIs.  We (Nate McFeters and I) have repeatedly mentioned that IE isn’t the only browser that has issues dealing with registered URI handlers.  In fact, some of the behavior other browsers exhibit when handling registered URIs can lead to remote command execution…. some examples can be found here.

Once again….  these issues are shown using Firefox (2.0.0.5), Netscape Navigator 9, and Mozilla, but many other browsers are affected as well.  It’s time to take a good look at registered URI handlers and how browsers interact with them!

Developers who intend to register (or have already registered) URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application.  Please review your registered URI handling mechanisms and audit the functionality called by those URIs…

NOTE:  If another program (Outlook, Notes, etc.) has modified the registered URI handlers on your machine, these examples may not work…
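
The audit asked for above starts with an inventory of which schemes a machine has registered and what command each one hands the URI to (the kind of list Nathan McFeters gives in the first comment below). The following is an added example, not code from this post or from Mozilla: it reads a .reg export of HKEY_CLASSES_ROOT, collects every key carrying the "URL Protocol" marker together with its shell\open\command, and flags commands that receive the %1/%l placeholder as an unquoted argument. The sample export and the `example` scheme are constructed, and the quoting check is only a first-pass heuristic; the browser still has to validate a URI before passing it to the OS.

```python
import re

# Constructed sample in Windows .reg export format (hypothetical, not a real
# export): two handlers that take the URI unquoted and one that quotes it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\telnet]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="rundll32.exe url.dll,TelnetProtocolHandler %l"
[HKEY_CLASSES_ROOT\news]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\news\shell\open\command]
@="\"%ProgramFiles%\\Outlook Express\\msimn.exe\" /newsurl:%1"
[HKEY_CLASSES_ROOT\example]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\example\shell\open\command]
@="\"C:\\Tools\\example.exe\" \"%1\""
'''

# Key header: [HKEY_CLASSES_ROOT\<scheme>] or [HKEY_CLASSES_ROOT\<scheme>\<subkey>]
KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)(?:\\(.*))?\]$')
# A double-quoted command-line argument that contains the URI placeholder %1 or %l
PLACEHOLDER_QUOTED = re.compile(r'"[^"]*%[1lL][^"]*"')

def unescape_reg(value):
    """Undo .reg escaping of backslashes and double quotes in a single pass."""
    return re.sub(r'\\(["\\])', r'\1', value)

def parse_uri_handlers(reg_text):
    """Map every scheme marked with 'URL Protocol' to its shell\\open\\command."""
    schemes, commands, current = set(), {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1).lower(), (m.group(2) or '').lower())
        elif current is not None:
            scheme, subkey = current
            if subkey == '' and line == '"URL Protocol"=""':
                schemes.add(scheme)
            elif subkey == r'shell\open\command' and line.startswith('@="'):
                commands[scheme] = unescape_reg(line[3:-1])
    return {s: commands.get(s) for s in sorted(schemes)}

def audit(handlers):
    """True where the handler receives the URI as an unquoted argument."""
    return {s: cmd is not None and not PLACEHOLDER_QUOTED.search(cmd)
            for s, cmd in handlers.items()}
```

On a live machine the same parser works on the output of `reg export HKEY_CLASSES_ROOT handlers.reg`; a flagged scheme is a candidate for review, not proof of a bug.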

Posted by xssniper | Filed in Security


34 Responses to “Remote Command Execution in FireFox et al”

  1. July 24th, 2007 at 3:49 pm

    Nathan McFeters said:

    This has been tested on Mozilla’s latest version, Firefox 2.0.0.5 and latest 3.0alpha, and on Netscape Navigator 9, with the following registry settings for each of the URIs mentioned. It could certainly be vulnerable on others, but these are all vulnerable on my test machine:

    telnet:// rundll32.exe url.dll,TelnetProtocolHandler %l

    news:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1

    nntp:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1

    snews:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1

    mailto:// C:\lotus\notes\notes.exe /defini %1

  2. July 24th, 2007 at 4:10 pm

    .mario said:

    Again – great work. I just updated our rules and created my own URI exploit unit test ;)

    Maybe we can chat Thursday about the article we talked about on slackers?

    Greetings,
    .mario

  3. July 25th, 2007 at 3:53 am

    Attack of the URL Vulnerabilities | GNUCITIZEN said:

    [...] GC (us), Thor Larholm’s blog, Mozilla’s Security Blog, the 0x000000 hack zine and Billy (BK) Rios‘ personal blog. This time, the bug is extremely dangerous. Fortunately, the issue was fixed [...]

  4. July 25th, 2007 at 4:23 am

    Giorgio Maone said:

    Great PoC.
    As you correctly noticed, this works on Fx 2.0.0.5 but not with the 2.0.0.6 release candidates nor with the Minefield trunk builds.

    The stable versions of Gecko-based browsers with NoScript 1.1.6.07 installed are not vulnerable either.

    Cheers

    There’s a browser safer than Firefox… http://noscript.net

  5. July 25th, 2007 at 7:04 am

    nobody said:

    The URI actually doesn’t need to be that complex.

    nntp:%00/../../../windows/system32/calc.exe”.bat

    works just fine on my system. The string between %00 and ” seems to get piped to the application registered for the extension (e.g., cmd.exe for .bat).

  6. July 25th, 2007 at 8:19 am

    Antonio Trigiani w3bL0g - Informatica Virale » Blog Archive » Remote command execution on Firefox 2.0.0.5 said:

    [...] xs-niper.com Share on: [...]

  7. July 25th, 2007 at 5:06 pm

    Techzi » Blog Archive » Mozilla flaw attack code published said:

    [...] second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign and Ernst & Young [...]

  8. July 25th, 2007 at 5:08 pm

    Mozilla flaw attack code published said:

    [...] second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign and Ernst & Young [...]

  9. July 25th, 2007 at 10:29 pm

    DDE.nutpicker said:

    It seems it doesn’t work on my box. Why?

  10. July 26th, 2007 at 12:16 am

    Nathan McFeters said:

    Hey there DDE.nutpicker, use the DUH tool, which you can find at http://erik.cabetas.com/?p=stuff. Send the results to me at nate.mcfeters@gmail.com and I’ll see if I can help you.

    Point of the matter is, the issue is completely dependent upon what is installed on your system, just like most every exploit out there.

  11. July 26th, 2007 at 1:45 am

    Gucio said:

    New bug in Firefox, eh.

  12. July 26th, 2007 at 7:10 am

    Security Tips » Firefox Fixes FileType Flaw said:

    [...] “Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application,” Billy (BK) Rios and Nate McFeters said on their blog. [...]

  13. July 26th, 2007 at 9:21 am

    Mozilla flaw attack code published « TechTitans™ said:

    [...] second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign and Ernst & Young [...]

  14. July 26th, 2007 at 10:30 am

    » Protocol abuse adds to Firefox, Windows security woes | Ryan Naraine’s Zero Day | ZDNet.com said:

    [...] network streams using an application layer firewall or IPS may mitigate this vulnerability. See the xs-sniper blog for more information about known vulnerable URIs. Note that an attacker may obfuscate URIs in a way [...]

  15. July 26th, 2007 at 6:09 pm

    The Protocol Handler Saga Continues: Say What Secunia? - Jesper's Blog said:

    [...] Protocol Handler Saga is rapidly becoming a religious war. The latest entry is related to a very cool exploit that Billy Rios published on Tuesday. Unfortunately, he failed to give Mozilla a chance to fix the problem before [...]

  16. July 27th, 2007 at 12:28 am

    Mozilla patches Firefox URI flaw - Hacking-News.com said:

    [...] registering a URI handler exponentially increases the attack surface for that application,” said Rios in his blog. “Please review your registered URI-handling mechanisms and audit the functionality called by [...]

  17. July 27th, 2007 at 4:22 am

    Firefox vulnerable… does not filter some URIs properly : said:

    [...] Firefox does not filter some URIs properly, which may give hackers an opportunity to take control of the [...]

  18. July 27th, 2007 at 5:28 am

    Firefox 2.0 and IE7 suffer from the same bug « Re Riccardo said:

    [...] the IE7 bug as «highly critical» and credits the discovery of and the debate on the problem to Billy Rios and Jesper Johansson. Secunia further explains that the browser is vulnerable on Windows Server 2003 and [...]

  19. July 27th, 2007 at 9:33 am

    [SSD] Security & Development Blog » Mozilla Firefox: URI filtering vulnerability said:

    [...] Remote Command Execution in FireFox et al http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/ [...]

  20. July 28th, 2007 at 4:50 am

    Security Alert for Firefox 2.0.0.5 « The geeky freaky world … said:

    [...] http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/ http://xs-sniper.com/blog/remote-command-exec-firefox-2005/ [...]

  21. July 29th, 2007 at 10:31 pm

    civergeek said:

    °O_o!
    ******……………….OMG…………*****
    Well, the truth is that this bug has always existed but it had not been used the way you present it,……….. it is really worrying because this could be the most important vulnerability in Firefox to date.

    Let’s hope it is fixed in the next version of Firefox.

  22. July 30th, 2007 at 5:18 am

    Jeroen Roland said:

    I have destroyed all the reg keys HKEY_CLASSES_ROOT\ telnet, news, nntp, snews, mailto. And I have wite URLMON.DLL delete key _blank and URL.dll delete telnet write UltraEditor. I don’t use CMD.exe, I have deleted it, and don’t use the IE browser. But how do I destroy my IE browser? I cannot delete browseui.dll. browseui.dll disables my IE5 browser!

  23. August 1st, 2007 at 5:41 am

    » Firefox vs Internet Explorer - URI Handling Command Execution Vulnerability at HCastelli said:

    [...] After days of back and forth, that it is Windows’ fault (according to Secunia), that it is Firefox’s fault (according to FrSIRT among others), it is clear that the bug was definitely in Windows. It all started with these two advisories: Mozilla Billy (BK) Rios [...]

  24. August 1st, 2007 at 10:28 pm

    Márcio d’Ávila’s Blog » Firefox 2.0.0.6 blocks flaw in Windows XP/2003 said:

    [...] Remote Command Execution in FireFox et al, by Billy (BK) Rios, 24 July 2007. [...]

  25. August 7th, 2007 at 9:41 pm

    The Protocol Handler Saga Continues: Say What Secunia? - Jesper's Blog said:

    [...] Protocol Handler Saga is rapidly becoming a religious war. The latest entry is related to a very cool exploit that Billy Rios and Nate McFeters published on Tuesday. Unfortunately, he failed to give Mozilla a chance to fix the problem before [...]

  26. August 8th, 2007 at 5:23 pm

    VulnAware.com » VU#783400:Mozilla Firefox URI filtering vulnerability said:

    [...] using an application layer firewall or IPS may mitigate this vulnerability. See the xs-sniper blog for more information about known vulnerable URIs. Please note that these filters may only work for [...]

  27. September 16th, 2007 at 10:26 am

    hackademix.net » IE's "Non-Bug" Can Cost Your (Second)Life said:

    [...] Firefox pwns… all the world and Mozilla recognizes the same bug that had been blamed on IE affects Firefox itself. [...]

  28. October 12th, 2007 at 2:34 am

    IE bug said:

    nice bug.
    http:%00../../../../windows/system32/calc.exe”cmd

  29. October 12th, 2007 at 5:07 am

    Kapila Rattan said:

    Hi,
    I was going through your blog regarding the vulnerability. It would be a great help if you could tell me what registry settings need to be made for the exploit to run.

  30. February 28th, 2008 at 9:17 pm

    Technology latest news » Blog Archive » Researcher Publishes Attack Code for Mozilla Flaw (PC World) said:

    [...] which was the source of another bug, disclosed Tuesday by Mozilla. This second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign Inc. and Ernst & [...]

  31. February 28th, 2008 at 9:18 pm

    Technology latest news » Blog Archive » Mozilla flaw attack code published (InfoWorld) said:

    [...] second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign and Ernst & Young [...]

  32. July 3rd, 2008 at 12:11 pm

    Zero Day mobile edition said:

    [...] site.    Rios and my blogging colleague Nate McFeters have spent the better part of the last year warning about serious URI-handler security [...]

  33. January 30th, 2009 at 4:26 am

    JusyUnons said:

    xs-sniper.com – now in my RSS reader)))

  34. November 20th, 2012 at 4:41 pm

    Firefox Fixes FileType Flaw | SecurityProNews said:

    [...] “Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application,” Billy (BK) Rios and Nate McFeters said on their blog. [...]
