URI Use and Abuse: An Unpatched Vulnerability in Web Browsers and Applications

Secunia released an advisory last July 10, 2007 regarding a URI handler in Firefox (including the latest version, 2.0.0.4) that allows it to execute arbitrary commands in a user’s operating system (remote command execution). Secunia has labeled the said vulnerability as highly critical. No patch has been released yet.

This time, a follow-up article by Nitesh Dhanjani enumerated a few possible attack vectors. You can read his article entitled, Not for the Faint of Heart: Multiple Exploits Affecting Firefox, IE, Netscape, and Trillian and follow the links from there to test the methods in which the exploit could have been done. A downloadable article entitled, URI Use and Abuse is also available from his blog. From the paper’s description:

This paper will provide information on the discovery of, access of, and exploitation of various URI’s supported by various browsers.

The 28-page paper includes proof of concepts (with screen shots like the one above) as well as codes to perform the exploit. It is assumed that the document was provided for educational purposes only.

What Does This Imply

As Nitesh Dhanjani mentioned:

These findings are extremely high impact, and therefore of Critical risk to any individual or organization.

Nitesh gave examples of the dangers of this vulnerability. For example, a command prompt is opened when a user clicks on a link using Internet Explorer (remote execution). Another one involves having Trillian installed. When a link is clicked using a Web browser such as IE7, Firefox or Netscape, an attacker can then invoke a set of commands with the use of a batch file to install malicious programs and then run them automatically on startup. The screen shot above also helps an attacker identify what programs are installed in the target system and then find exploits based on those programs to infiltrate the target system. This will be very dangerous, especially in a corporate environment where confidential data is usually being circulated.

Since this is an 0day (pronounced oh-day) exploit, meaning it’s unpatched, users are advised to be careful with the Web sites they visit. Don’t visit untrusted sites and update the affected applications as soon a patch is released.

Secunia Updates - July 16, 2007

• Internet Explorer “document.open()” Method Spoofing Vulnerability
• Konqueror “data:” URI Scheme Address Bar Spoofing
• Opera “data:” URI Scheme Address Bar Spoofing Vulnerability

This entry was posted on Monday, July 16th, 2007 at 5:46 and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.