Friday, July 20, 2007

More URI Stuff... (IE's Resource URI)

The resource (res://) protocol is built into Internet Explorer 4.0 and later. Typically, the resource protocol is used to pull resources like images, HTML, XSL, etc. from DLLs and executables. You've probably seen the resource protocol in use and didn't even realize it (take a look at the properties for the images on a typical IE error page). The resource URI (like other URIs) has access to software on YOUR local file system. So, it's possible to call the resource URI from a remote web page, use the resource URI to check for the presence of certain executables and DLLs, then report back to a remote server whether that file exists or not. In essence, an attacker can use the resource URI to:

  • Enumerate the software on your machine

  • In many cases, determine the exact version of software enumerated

  • Use the enumerated software list to target specific exploits and attacks


The software doesn't have to be "installed" for this to work... simply having the executable on your system can also allow for enumeration. I've posted a proof of concept HERE. The PoC should work for pretty much all versions of IE (including IE7). If you want more information about using the resource URI, check out our paper - URI Use and Abuse.
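Because res:// fetches are served from the local machine, nothing about the probing itself crosses the network; the place to catch this pattern is the page content a user is about to render. The following is an added example, not the author's PoC: a small Python scanner that pulls every res:// reference out of a page's URL-bearing attributes and inline scripts and reports which modules the page is testing for. The attribute set and the sample page are my own constructions, not something from the post.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "data", "background"}  # attributes that make the browser fetch a URI
RES_RE = re.compile(r"res://[^\s\"'<>)]+", re.IGNORECASE)

def parse_res_uri(uri):
    """Split res://<module>/<type>/<id> into (module, resource). The module is a
    DLL/EXE name or a full Windows path and ends at the first forward slash."""
    module, _, resource = uri[len("res://"):].partition("/")
    return module, resource

class ResUriFinder(HTMLParser):
    """Collect res:// URIs from URL-bearing attributes and inline scripts."""
    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name in URL_ATTRS and value and value.strip().lower().startswith("res://"):
                self.hits.append(("attr:" + tag, value.strip()))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # script bodies arrive as raw text, so regex-scan them
            self.hits.extend(("script", m) for m in RES_RE.findall(data))

def find_res_probes(html):
    """Return (where, uri, module) for every res:// reference in the page."""
    finder = ResUriFinder()
    finder.feed(html)
    finder.close()
    return [(where, uri, parse_res_uri(uri)[0]) for where, uri in finder.hits]

def probed_modules(html):
    """Distinct modules the page tests for, case-folded for comparison."""
    return sorted({module.lower() for _, _, module in find_res_probes(html)})

# Constructed sample page (not a real site) using the pattern the post describes.
SAMPLE = """<html><body>
<img src="res://shdoclc.dll/dnserror.htm">
<img src="res://C:\\Program Files\\Example\\app.exe/#2/#1">
<script>
var probes = ['res://example.dll/#1', "RES://Other.DLL/#2/#1"];
</script>
</body></html>"""
```

A legitimate page referencing res:// is rare outside IE's own error pages, so a non-empty `probed_modules()` result for third-party content is a reasonable fingerprinting alert.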


Now, before Firefox users start snickering, Firefox had a similar issue which was fixed recently. Their issue involved the "resource:" URI supported by Firefox browsers. Besides... Firefox has other URI handling vulnerabilities they should be worried about....

13 comments:

  1. The problem still exists in Firefox but in my IE v 6.0.2800.1106 SP1 it doesn't appear

  2. [...] (BK) Rios posted this information on his blog and we thought it would be a good idea to make sure people know about [...]

  3. I tried your PoC and none of the programs it listed were on my machine. 2 were there, but have been gone for months lol. Nice PoC nonetheless!

  4. wicked, works perfectly.

  5. [...] res - http://xs-sniper.com/blog/2007/07/20/more-uri-stuff-ies-resouce-uri/ [...]

  6. Nice PoC... definitely revealed some of my apps and 'tools'. Just discovered your site and will continue to read your papers, keep up the good work.

  7. [...] This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which was built into Internet Explorer since [...]

  10. [...] web-based scripts that caused earlier versions of Microsoft’s Internet Explorer browser to divulge detailed information about the software used by the compromised account [...]
