Tuesday, July 17, 2007

Firefoxurl URI Handler Flaw

When certain versions of Firefox are installed, the Firefoxurl URI handler is registered in the Windows Registry. I'm sure everyone has seen the various PoCs where Internet Explorer basically forces Firefox to execute an arbitrary command using the Firefoxurl URI... it's pretty cool. Although I reported this to Mozilla shortly before Thor released his PoC on his blog page, my research was based off his original Safari exploit, so I think he should get full credz for this one!


Now... a few people have asked me whether I consider this an IE flaw or a Firefox flaw... and the answer is BOTH.  Problems with URI handlers will not be fixed until BOTH the browser (in this case, IE) and the registered application (in this case, FF) change how URI handlers are used.  Before you start accusing me of fence sitting, let me explain my stance and maybe give you some insight as to why I feel this way.

  1. IE doesn't properly sanitize parameters passed to URI handlers.  There are a lot of different exploits that can be pulled off because of this lack of sanitization... everyone knows about the Firefoxurl example, but did you know about Netscape Navigator, or Trillian?  Bad IE...

  2. Firefox registers the URI handler in the Windows registry.  None of this would even be possible if Firefox didn't register their URI handler.   Know that when you register a URI handler in Windows, that URI can (and will) be remotely called by web pages through the browser (including IE).  Maybe the Firefox devs should have known a little more about how URI handlers are called before they registered their URI on my machine.  Bad Firefox...


This is just the tip of the iceberg... really.  Some colleagues and I have been looking into URI handler vulnerabilities for quite some time now and I can tell you this.... IE isn't the only browser that has problems sanitizing parameters passed to URI handlers... remote command execution can be initiated from other browsers as well.  To make matters worse, EVEN IF the browser did its job and sanitized malicious characters, URI handlers can still allow attackers to pass argument values to applications on YOUR system.  If there are flaws in the software that registered the URI, you are still vulnerable (as evidenced by the 2nd Trillian exploit). URI Handlers should be used with caution, browsers should sanitize, devs should understand the dangers of URI handlers before registering them, and anything dealing with URI handlers should be audited on a regular basis (as registering URI handlers greatly increases your attack surface)....more URI handler vulnerabilities to come... stay tuned.  In the meantime, here's a whitepaper about various URI uses and Abuses.
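One way to run the regular audit suggested above, as an added example that is not from the original post: the script lists every URI scheme a web page can invoke on a machine, together with the command line the scheme launches. It assumes a text export of HKEY_CLASSES_ROOT in .reg syntax (real exports are UTF-16 and need decoding first); the scheme names, paths and the `-url` switch in the sample are constructed.

```python
import re
# Constructed sample in .reg export syntax; scheme names and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exampleapp]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\exampleapp\shell\open\command]
@="\"C:\\Program Files\\ExampleApp\\app.exe\" -url \"%1\""

[HKEY_CLASSES_ROOT\examplechat]
"URL Protocol"=""

[HKEY_CLASSES_ROOT\examplechat\shell\open\command]
@="C:\\ExampleChat\\chat.exe %1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

ROOT = "HKEY_CLASSES_ROOT\\"

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        # A "[key]" line never matches the value pattern below, so no `continue` is needed.
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]  # "" is the default value
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \" and \\ escapes
    return keys

def audit_uri_handlers(text):
    """List each top-level key marked "URL Protocol" with its shell\\open\\command template."""
    keys, findings = parse_reg(text), []
    for path, values in keys.items():
        scheme = path[len(ROOT):]
        if not path.startswith(ROOT) or "\\" in scheme or "URL Protocol" not in values:
            continue
        cmd = keys.get(path + r"\shell\open\command", {}).get("", "")
        findings.append({"scheme": scheme, "command": cmd,
                         "takes_uri": "%1" in cmd, "uri_quoted": '"%1"' in cmd})
    return sorted(findings, key=lambda f: f["scheme"])

if __name__ == "__main__":
    print(*audit_uri_handlers(SAMPLE_REG), sep="\n")
```

Every scheme in the output is attack surface reachable from a web page. A quoted `"%1"` is only a starting point for review, since the post's argument is that the application must also treat whatever arrives in that argument as untrusted.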

4 comments:

  1. Yes, I think that the final paragraph here is the real crux of the issue. Everyone's pointing fingers, asking whose fault it is. It's everyone's. Two things here:

    1.) IE and other browsers which don't properly sanitize what is sent thru the URI's to back-end applications (and IE is not the only one), putting users at risk to command line argument injection and possibly worse.
    2.) Application developers CHOOSE to create their own URI's for whatever purposes they intend them for. I've been trying to figure out reasons why developers use them, seems quite a mix... installation, registration, interaction, etc. BUT the main point is that the developers have CHOSEN to FORCE IE to pass data to their applications thru URI's. This is especially damning for applications that have switches that provide a lot of functionality, like FireFox and Netscape Navigator's -chrome flag for instance.

    Let's just everyone keep pointing fingers and we'll see where the blame lies after DEFCON. Otherwise, let's get to cracking and fix these bugs and be responsible about the choices we make when programming our applications. Let's get one thing straight, Microsoft didn't FORCE anyone to use URI's.

  2. This is just a Windows-only problem, isn't it?
    (Isn't it worth mentioning these things? Firefox does indeed run on other platforms, you know.)
