**** UPDATE ****
Apparently this flaw affects Firefox users who also have IE7 (with full security patches) on their system. Just to be clear, this vulnerability is delivered through the Firefox browser, NOT IE. You simply have to have IE7 installed somewhere on your system for this to work (which is basically most Windows XP SP2 systems). You can read about the details HERE. So it seems once again... as my first post (HERE) about URI handling issues stated.... IE PWNS Firefox.....
On a good note... I've noticed that this Mozilla bug ID has been changed to RESOLVED - FIXED. That was LIGHTNING FAST... I'll be waiting for the patch to get pushed out...
**** UPDATE ****
IE has gained a LOT of attention from the way it handles registered URIs. We (Nate McFeters and I) have repeatedly mentioned that IE isn't the only browser that has issues dealing with registered URI handlers. In fact, some of the behavior exhibited by URI handling issues by other browsers can lead to remote command execution.... some examples can be found here.
Once again.... these issues are shown using Firefox (2.0.0.5), Netscape Navigator 9, and Mozilla, but many other browsers are affected as well. It's time to take a good look at the registered URI handlers and how browsers interact with those registered URI handlers!
Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URI handling mechanisms and audit the functionality called by those URIs...
NOTE: If another program (Outlook, Notes, etc.) has modified the registered URI handlers on your machine, these examples may not work...
This has been tested on Mozilla's latest version, Firefox 2.0.0.5 and the latest 3.0alpha, and on Netscape Navigator 9, with the following registry settings for each of the URIs mentioned. It could certainly be vulnerable on others, but these are all vulnerable on my test machine:
telnet:// rundll32.exe url.dll,TelnetProtocolHandler %l
news:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1
nntp:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1
snews:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1
mailto:// C:\lotus\notes\notes.exe /defini %1
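A defender-side audit of the mechanism above, added here as an example that is not from the original post: it checks whether a handler's command template wraps its %1/%l placeholder in quotes, and whether a URI bound for one of those handlers carries the characters that let it escape the argument (a double quote, a traversal segment, an executable extension). The handler table is a constructed sample built from the registry values listed above; a real audit would read them from HKEY_CLASSES_ROOT.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of URI handler command templates, in the form they appear under
# HKEY_CLASSES_ROOT\<scheme>\shell\open\command; values are the ones quoted in the post.
HANDLERS: Dict[str, str] = {
    "telnet": "rundll32.exe url.dll,TelnetProtocolHandler %l",
    "news": '"%ProgramFiles%\\Outlook Express\\msimn.exe" /newsurl:%1',
    "nntp": '"%ProgramFiles%\\Outlook Express\\msimn.exe" /newsurl:%1',
    "mailto": "C:\\lotus\\notes\\notes.exe /defini %1",
}

# Content a browser should never pass through unescaped to an external handler.
URI_CHECKS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'"'), "embedded double quote can end the handler argument early"),
    (re.compile(r"(^|[\\/])\.\.(?=[\\/])"), "path traversal segment"),
    (re.compile(r"\.(exe|bat|cmd|scr|pif)(?![A-Za-z0-9])", re.I), "executable extension"),
    (re.compile(r"[\r\n]"), "line break inside URI"),
]

# %1 and %l are the shell placeholders the browser replaces with the full URI.
PLACEHOLDER = re.compile(r"%[1l](?![A-Za-z0-9])")

def audit_handler(template: str) -> List[str]:
    """Flag a handler template whose URI placeholder is not wrapped in double quotes."""
    findings = []
    for m in PLACEHOLDER.finditer(template):
        quoted = template[:m.start()].endswith('"') and template[m.end():].startswith('"')
        if not quoted:
            findings.append(f"placeholder {m.group()} is not quoted")
    return findings

def audit_uri(uri: str) -> List[str]:
    """Flag a URI bound for a registered external handler that carries hostile content."""
    scheme = uri.split(":", 1)[0].lower()
    if scheme not in HANDLERS:
        return []  # handled inside the browser, not dispatched to an external program
    return [reason for pattern, reason in URI_CHECKS if pattern.search(uri)]

def expand_command(template: str, uri: str) -> str:
    """Show the command line the shell would build after substituting the URI."""
    return PLACEHOLDER.sub(lambda _: uri, template)

if __name__ == "__main__":
    for scheme, template in HANDLERS.items():
        print(scheme, audit_handler(template))
    # Constructed inputs: one benign, one shaped like the PoC quoted in the comments.
    for uri in ("mailto:alice@example.com", 'nntp:/../../../windows/system32/calc.exe".bat'):
        print(uri, audit_uri(uri))
```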
Again - great work. I just updated our rules and created my own URI exploit unit test ;)
Maybe we can chat Thursday about the article we talked about on slackers?
Greetings,
.mario
[...] GC (us), Thor Larholm's blog, Mozilla's Security Blog, the 0x000000 hack zine and Billy (BK) Rios' personal blog. This time, the bug is extremely dangerous. Fortunately, the issue was fixed [...]
Great PoC.
As you correctly noticed, this works on Fx 2.0.0.5 but not with the 2.0.0.6 release candidates nor with the Minefield trunk builds.
The stable versions of Gecko-based browsers with NoScript 1.1.6.07 installed are not vulnerable either.
Cheers
--
There's a browser safer than Firefox... http://noscript.net
The URI actually doesn't need to be that complex.
nntp:/../../../windows/system32/calc.exe".bat
works just fine on my system. The string between and " seems to get piped to the application registered for the extension (e.g., cmd.exe for .bat).
[...] second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign and Ernst & Young [...]
It seems it doesn't work on my box. Why?
Hey there DDE.nutpicker, use the DUH tool, which you can find at http://erik.cabetas.com/?p=stuff. Send the results to me at nate.mcfeters@gmail.com and I'll see if I can help you.
Point of the matter is, the issue is completely dependent upon what is installed on your system, just like most every exploit out there.
New bug in Firefox, eh.
[...] "Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application," Billy (BK) Rios and Nate McFeters said on their blog. [...]
[...] network streams using an application layer firewall or IPS may mitigate this vulnerability. See the xs-sniper blog for more information about known vulnerable URIs. Note that an attacker may obfuscate URIs in a way [...]
[...] Protocol Handler Saga is rapidly becoming a religious war. The latest entry is related to a very cool exploit that Billy Rios published on Tuesday. Unfortunately, he failed to give Mozilla a chance to fix the problem before [...]
[...] registering a URI handler exponentially increases the attack surface for that application," said Rios in his blog. "Please review your registered URI-handling mechanisms and audit the functionality called by [...]
[...] Firefox does not filter some URIs properly, which may give hackers an opportunity to take control of the [...]
[...] the IE7 bug as "highly critical" and credits the discovery of and debate about the problem to Billy Rios and Jesper Johansson. Secunia also explains that the browser is vulnerable on Windows Server 2003 and [...]
[...] Remote Command Execution in FireFox et al http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/ [...]
[...] http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/ http://xs-sniper.com/blog/remote-command-exec-firefox-2005/ [...]
°O_o!
******...................OMG............*****
Well, the truth is this bug has always existed, but it had not been used the way you present it........... it is really worrying, because this could be the most important vulnerability in Firefox to date.
Let's hope it is fixed in the next version of Firefox.
I have destroyed all the reg keys HKEY_CLASSES_ROOT\telnet, news, nntp, snews, mailto. And in URLMON.DLL I have deleted the key _blank, and in URL.dll deleted telnet and written UltraEditor. I don't use CMD.exe, I have deleted it, and I don't use the IE browser. But how do I destroy my IE browser? I can not delete browseui.dll. browseui.dll disables my IE5 browser!
[...] After days of back and forth, that it is Windows' fault (according to Secunia), that it is Firefox's fault (according to FrSIRT, among others), it is clear that the bug was definitely in Windows. It all started with these two advisories: Mozilla Billy (BK) Rios [...]
[...] Remote Command Execution in FireFox et al, by Billy (BK) Rios, 24 July 2007. [...]
[...] Protocol Handler Saga is rapidly becoming a religious war. The latest entry is related to a very cool exploit that Billy Rios and Nate McFeters published on Tuesday. Unfortunately, he failed to give Mozilla a chance to fix the problem before [...]
[...] using an application layer firewall or IPS may mitigate this vulnerability. See the xs-sniper blog for more information about known vulnerable URIs. Please note that these filters may only work for [...]
[...] Firefox pwns... all the world and Mozilla recognizes the same bug that had been blamed on IE affects Firefox itself. [...]
nice bug.
http:../../../../windows/system32/calc.exe"cmd
Hi,
I was going through your blog regarding the vulnerability. It would be a great help if you could tell me what registry settings need to be done for the exploit to run.
[...] which was the source of another bug, disclosed Tuesday by Mozilla. This second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign Inc. and Ernst & [...]
[...] site. Rios and my blogging colleague Nate McFeters have spent the better part of the last year warning about serious URI-handler security [...]
xs-sniper.com - now in my rss reader)))