The Mozilla Foundation is dealing with yet another URL-handling issue—and this time, researchers have posted a non-malicious proof of concept that shows how the flaw can be used for remote command execution on machines running Mozillas Firefox browser.
Mozillas URL-handling hassles began earlier in July, when security researcher Thor Larholm found a zero-day vulnerability that can lead to systems getting hijacked. Larholm called it an IE zero-day at the time, blaming the vulnerability on an input validation flaw in Internet Explorer that allows users to specify arbitrary arguments to the process responsible for handling URL protocols. Its the same type of input validation vulnerability that Larholm discovered in the Safari 3 beta, he said at the time.
The vulnerability involved IE as an entry point and Firefox as the application receiving bad data. There ensued much passing of the buck following this earlier URL-handling flaw, with Microsoft blaming Firefox and Mozilla blaming IE and much the blogosphere doing its part in the blame game.
Mozilla Security Chief Window Snyder owned up to the issue on July 23, though, saying that Mozilla had found a new scenario over the weekend in which Firefox could be used as an attack entry point in various ways. Specifically, while browsing with Firefox, Snyder said, a malicious URL could be used to pass along bad data to another application.
“We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well,” she said in Mozillas security blog. “We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so were investigating it now.”
The current URL handling flaw, which Mozilla, based in Mountain View, Calif., is now working to patch, was discovered by Bill Rios—a senior security consultant for VeriSign—and Nate McFeters—a senior security advisor for Ernst & Youngs Advanced Security Center.
This URL-handling issue is on Windows XP running Firefox and also infects Netscape and Mozilla browsers. It involves URLs for Web protocols that contain the characters “%00” and that manage to launch the wrong handler. Such URLs appear to be able to launch local programs, with limited argument passing, according to Snyder.
Rios and McFetters posted a simple proof of concept showing how the flaw could be abused by a remote attacker. The PoC simply opens up the Windows calculator (Calc.exe); “Of course, if someone wanted to, they could execute other more malicious programs / applications,” Rios told eWEEK in an e-mail exchange.
The researchers listed a number of exploits that can be launched with no user interaction required. “Our example is very innocuous, but it does clearly show that remote command execution on a Firefox users machine is possible,” Rios said.
The security researchers have used the flaw to successfully test exploits for Firefox, Netscape and Mozilla browsers and said that other browsers are affected by related vulnerabilities. “Once again, a flaw in the URI handling behavior allows for remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW!” they wrote on their blog posting.
The researchers explained the dangers of registering URIs for applications, saying that many applications arent designed to handle remote accessibility.
“Some developers dont understand that registering a URI increases the attack surface for an application because it now makes functionality for that application remotely accessible,” Rios told eWEEK. “Many applications that install URI handlers are not designed to handle remote access to various pieces of functionality … Throw in a lack of sanitization on the browsers part and we have a Perfect Storm.”
The researchers advise developers to review registered URI-handling mechanisms and audit the functionality called by those URIs to lessen the risk of making applications vulnerable to these types of URL handling problems.
Theres a lot for developers to look out for. The list of URL handling flaws the two researchers have discovered only in the last month is long. They have discovered a host of command-injection flaws due to browsers not properly sanitizing data: mailto, news, snews, nntp, telnet, aim, firefoxurl, navigatorurl.
The two have also found buffer overflow vulnerabilities due to applications not properly sanitizing data: in AIM and in res. Also, theyve found multiple Local Program Enumeration issues in IE7 as well as functionality abuse on Firefox.
Mozilla said the impact to users of the most recently discovered URL-handling vulnerability is unknown at this time. “We are working to verify this and in the meantime, advise users to be cautious when browsing unknown sites,” the foundation said on its security blog.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
