Attack Of The URL Vulnerabilities

Wed, 25 Jul 2007 09:51:28 GMT

I think that it is getting worse. Billy Rios has discovered another critical Firefox issue related to the infamous bugs that has been recently discussed on multiple blogs including GC (us), Thor Larholm's blog, Mozilla's Security Blog, the 0x000000 hack zine and Billy (BK) Rios' personal blog. This time, the bug is extremely dangerous. Fortunately, the issue was fixed in the 2.0.0.6 release candidate.

Billy (BK) Rios comments:

These examples were created for WinXP SP2 with no external mail programs installed (outlook, notes, etc). If you have an external mail program installed, these examples may not work on your machine (as the URI handling may have changed).

Once again, a flaw in the URI handling behavior allows for remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW! This example shows flaws in Firefox, Netscape, and Mozilla browsers - other browsers are affected by related vulnerabilities.

Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URI handling mechanisms and audit the functionality called by those URIs.

The bug is within mailto, nntp, news and snews protocol handlers. Here is a harmless demonstration of the issue: danger do not click!.

It seams like there is a huge interest in URL bug hunting. This is good. At least, we are going to get it right this time. Progressive security!

Giorgio MaoneGiorgio Maone
I'm won't say anything ;) http://noscript.net/changelog#1.1.6.07
pdppdp
good, cuz I am not saying anything either :)
JordanJordan
Odd -- I've been trying to test this in a base XP image, with no luck. Does it really require SP2 to work? That'd be kind of ironic. Outlook Express is the default registered mail handler for mailto: on the test system I just installed into vmware. I'm going through the upgrades now, testing it at each step to see at what point it becomes vulnerable.
pdppdp
Jordan, the vector does not work if you have Outlook as a default mailto: handler. If your default Mail client is Thunderbird, then you shouldn't have any problem with launching the attack. BTW, try using other protocols. It works like a charm.
JordanJordan
pdp -- there's something else involved in the process that's disrupting it. I just grabbed all the updates for the SP2 machine, and /now/ the exploit works. Outlook Express is still registered as the mailto handler just like it was before I grabbed the updates. So in short, install a standard SP2 machine. Exploit fails. Install latest security patches. Exploit succeeds. Lemme verify it again and use regmon to trace the registry calls to see if I can find out what's different.
JordanJordan
Ok, just ran it a second time after reverting the snapshot, and sure enough -- a base SP2 machine is /not/ vulnerable for some reason. Got the regmon logs, but I don't have the time to parse through them right now. Here's a zip with a screenshot showing the exploit fail, regmon logs of the exploit both failing and then succeeding on the same machine just with and without patches: http://www.psifertex.com/download/firefox-command-injection.zip Maybe someone else can figure it out while I get back to pretending to work on this other project here at my office. ;-)
Adrian PastorAdrian Pastor
It's very worrying how easy it is to exploit this vulnerability and how well it works. I must research these URI handler bugs!
pdppdp
Jordan, again, it depends on the URL handler for the mailto: protocol. Adrian, yes, yes and yes.
JordanJordan
pdp -- I realize that, but there's something else going on. Check this out to see what I mean: XPSP2 with no patches + Firefox = Exploit fails XPSP2 with all patches (sans IE7) + Firefox = Exploit fails XPSP2 with all patches (including IE7) + Firefox = Exploit succeeds! XPSP2 with no patches + Firefox + Thunderbird installed and configured = Exploit fails XPSP2 with no patches except for IE7 + Firefox + Thunderbird = Exploit succeeds! I've tried other combinations besides those, and the only way I can get the exploit to succeed is if IE7 is installed. If anyone's able to get the exploit working without IE7 installed, I'd be really curious to know.
JordanJordan
Looks like I'm not the only person to observe that: https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c6
pdppdp
Jordan, thanks for the good research. yes, it is very interesting. Have you taken snapshots of the registry tree for each setup? because now we can detect what's the cause of it. I have some very wild guess but it is good to have some proof. cheers