Comments on: Attack of the URL Vulnerabilities

By: pdp

pdp — Thu, 26 Jul 2007 06:43:25 +0000

Jordan, thanks for the good research. yes, it is very interesting. Have you taken snapshots of the registry tree for each setup? because now we can detect what’s the cause of it. I have some very wild guess but it is good to have some proof. cheers

By: Jordan

Jordan — Thu, 26 Jul 2007 02:31:19 +0000

Looks like I’m not the only person to observe that:

https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c6

By: Jordan

Jordan — Thu, 26 Jul 2007 01:02:18 +0000

pdp — I realize that, but there’s something else going on. Check this out to see what I mean:

XPSP2 with no patches + Firefox = Exploit fails
XPSP2 with all patches (sans IE7) + Firefox = Exploit fails
XPSP2 with all patches (including IE7) + Firefox = Exploit succeeds!
XPSP2 with no patches + Firefox + Thunderbird installed and configured = Exploit fails
XPSP2 with no patches except for IE7 + Firefox + Thunderbird = Exploit succeeds!

I’ve tried other combinations besides those, and the only way I can get the exploit to succeed is if IE7 is installed. If anyone’s able to get the exploit working without IE7 installed, I’d be really curious to know.

By: pdp

pdp — Wed, 25 Jul 2007 20:38:34 +0000

Jordan, again, it depends on the URL handler for the mailto: protocol.

Adrian, yes, yes and yes.

By: Adrian Pastor

Adrian Pastor — Wed, 25 Jul 2007 19:28:50 +0000

It’s very worrying how easy it is to exploit this vulnerability and how well it works.

I must research these URI handler bugs!

By: Jordan

Jordan — Wed, 25 Jul 2007 19:26:11 +0000

Ok, just ran it a second time after reverting the snapshot, and sure enough — a base SP2 machine is /not/ vulnerable for some reason. Got the regmon logs, but I don’t have the time to parse through them right now.

Here’s a zip with a screenshot showing the exploit fail, regmon logs of the exploit both failing and then succeeding on the same machine just with and without patches:

http://www.psifertex.com/downl.....ection.zip

Maybe someone else can figure it out while I get back to pretending to work on this other project here at my office. ;-)

By: Jordan

Jordan — Wed, 25 Jul 2007 19:00:42 +0000

pdp — there’s something else involved in the process that’s disrupting it.

I just grabbed all the updates for the SP2 machine, and /now/ the exploit works. Outlook Express is still registered as the mailto handler just like it was before I grabbed the updates.

So in short, install a standard SP2 machine. Exploit fails. Install latest security patches. Exploit succeeds.

Lemme verify it again and use regmon to trace the registry calls to see if I can find out what’s different.

By: pdp

pdp — Wed, 25 Jul 2007 18:48:50 +0000

Jordan, the vector does not work if you have Outlook as a default mailto: handler. If your default Mail client is Thunderbird, then you shouldn’t have any problem with launching the attack. BTW, try using other protocols. It works like a charm.

By: Jordan

Jordan — Wed, 25 Jul 2007 18:39:39 +0000

Odd — I’ve been trying to test this in a base XP image, with no luck. Does it really require SP2 to work? That’d be kind of ironic. Outlook Express is the default registered mail handler for mailto: on the test system I just installed into vmware. I’m going through the upgrades now, testing it at each step to see at what point it becomes vulnerable.

By: Larholm.com - Me, myself and I » Handling URL protocol handlers

Larholm.com - Me, myself and I » Handling URL protocol handlers — Wed, 25 Jul 2007 18:01:57 +0000

[...] Jesper Johanson has expressed his thoughts, as has David LeBlanc, Billy Rios, Window Snyder and pdp. Billy Rios just detailed yet another potential attack vector for protocol [...]

By: pdp

pdp — Wed, 25 Jul 2007 13:08:24 +0000

good, cuz I am not saying anything either :)

By: Giorgio Maone

Giorgio Maone — Wed, 25 Jul 2007 13:07:11 +0000

I’m won’t say anything ;)
http://noscript.net/changelog#1.1.6.07