The Protocol Handler Saga Continues: Say What Secunia?

Sometimes you just have to wonder how far people will go to lend undeserved credibility to opinions. The Protocol Handler Saga is rapidly becoming a religious war. The latest entry is related to a very cool exploit that Billy Rios and Nate McFeters published on Tuesday. Unfortunately, he failed to give Mozilla a chance to fix the problem before publishing it. Firefox users would have been far safer had he done that.

The exploit is quite simple: by embedding a null in a link to a protocol handler Firefox can be tricked into executing arbitrary commands on the users computer. Mozilla is working on a fix which will parse the URL looking for null characters and reject the request if it finds the. (This might be a good time to enter into a longer discussion on the ill advised strategy of looking for known bad stuff, but I have a different point to make).

My point however, is not in Billy's exploit, but rather related to Secunia's listing for this vulnerability. Secunia maintains a vulnerability database, which has not always been known to be entirely impartial. Nevertheless, Secunia's CTO, Thomas Kristensen, agreed with me last week that the responsibility for protection against malicious protocol handlers rests with the protocol handler.

That makes Secunia's advisory on the exploit that Billy Rios published even more astonishing. They claim it is an Internet Explorer 7 flaw and lists all versions of Windows Server 2003 and Windows XP as vulnerable! Let's see:

  1. If a user browses the web using IE is he subject to this flaw? Answer: No
  2. If a user browses the web using Firefox 2.0.0.5 and below, is he subject to this flaw? Answer: Yes
  3. When a user clicks the malicious link in Firefox is IE launched? Answer: No

How exactly then does Secunia figure this is an Internet Explorer flaw? It's hard to tell really. Apparently, it is because the flaw only affects users that have Internet Explorer 7 installed. It turns out that Mozilla loads several components that ship with Internet Explorer, including ieframe.dll and urlmon.dll. Apparently, there is some interaction with those that causes this exploit to fire through Firefox, but not through IE. Maybe Mozilla expected those DLLs to do their input validation for them? A bit of threat modeling seems like it may be in order. This expectation that others are do input validation for you, without actually validating that they do, is seriously harming Mozilla's users.

On a slightly related note, several years ago when I was researching protocol handlers I wrote a little program that enumerated both protocol handlers and asynchronous protocol handlers. I thought it might be of interest to people to see just how many they have, so I have made that program available for download: listProtocols.zip.

In the meantime, what do we do? Well, several years ago, when there were some vulnerabilities in Internet Explorer's handling of protocols, the US-CERT had this advice: "It is possible to reduce exposure to these vulnerabilities by using a different web browser." Mozilla even echoed that sentiment two weeks ago, when they were trying to pin their protocol handling problems on IE.

If only the same advice worked now. If only there were a browser that was not subject to all these Mozilla flaws! Wait! I know:
We recommend people use Internet Explorer in Protected Mode on Windows Vista and practice safe browsing habits to protect themselves against these vulnerabilities in Mozilla Firefox.

I wonder why the US-CERT did not include that little piece of advice in its advisory?

Update Later That Evening

I wanted to answer Harry Johnston's comment about my seeming inconsistency in blaming Firefox for this instance of a protocol handler problem where Firefox only passes on the command; while I also claimed Firefox was to blame for the previous issue where it was the actual protocol handler. It does seem inconsistent, but so is Firefox' protocol handling. The best way, therefore, to answer turns out to be by amending the post.

The problem here is quite convoluted, but from what I can tell, it lies squarely with Firefox. I say that because Firefox never actually invokes the protocol handler in certain cases. Those cases happen to include the ones that Billy mentioned. You can actually test this using the test protocol handler that I included in a prior post. If you simply register that and then modify Billy's exploit like this:

<a target="_blank" href='testURL:%00%00..\..\..\..\..\..\windows/system32/cmd".exe ..\..\..\..\..\..\..\..\windows/system32/calc.exe " - " blah.bat'>testURL 0-day</a>

You will get the expected dialog:

Firefox calls the handler and the handler gets the nulls as you would expect. If this now caused code to be executed, then it most certainly would be the handler's fault, not Firefox'. However, that is not actually what happens.

It is actually Firefox that executes the malicious code. To test that you need to intercept the calls the one of the handlers that Billy exploited: mailto, nntp, news, snews, or telnet. The easiest way is to simply change the executable they point to. For instance, I changed the mailto protocol to point to this:

"c:\test.exe" /mailurl:%1

Then I clicked Billy's exploit. Calc.exe and a command prompt showed up just like it did when msimn.exe (Outlook Express) was the handler. The test.exe application was never invoked. Had it been, we would have seen it. In fact, you can confirm that Firefox is what launces the exploit (cmd.exe and calc.exe in this case) by using Process Explorer:

Notice the executable tree there. It is Firefox that launched cmd.exe. It launches that instead of the actual executable for some reason.

I do not fully understand why only some protocols are affected by this. It seems that Firefox does some kind of additional parsing of those protocols but not others, but it is not clear from a cursory look at the sources why that is.

Update 28 July, 2007

There will likely be plenty of blame to apportion once the investigations for this issue are concluded. For the moment, to allow vendor investigations to continue without giving much more away to the bad guys than what is already out there, I am not going to comment any further on the scope and source of the problem. First and foremost, we need to stop the bleeding. Then we can discuss what happened.

Published 26 July 2007 04:19 PM by jesper
Filed under: ,

Comments

# Blackstorm said on 26 July, 2007 09:37 PM

Thank you, Jesepr... I was drive crazy to understand what this exploit actually do. And thus who is flawed, too, FF or IE... :)

# Harry Johnston said on 26 July, 2007 09:48 PM

In your post on the original IE->Firefox vulnerability you said it was Firefox's fault because it registered the URI handler, and it wasn't IE's responsibility to validate the URI before passing it to Firefox.

Now you're saying this vulnerability is Firefox's fault because it hasn't validated the URI it is passing to a URI handler registered by Windows?

You can't have it both ways!

# Alun Jones said on 26 July, 2007 10:51 PM

By Firefox registering the URI handler, it is staking a claim that it knows how to handle the protocol. If it's calling a piece of code in IE that is not behaving as documented, then I'm sure that Jesper will acknowledge that the flaw is there and needs to be fixed. If, on the other hand, Firefox is passing something to IE that IE is not documented to be able to take, will you be happy to admit that the problem is with Firefox?

# Paperino said on 27 July, 2007 12:29 AM

Nice post and informative as usual.

It seems that the many eyeball theory behind open source code security is falling apart nowadays: if many eyeballs looking at the same exact piece of code couldn't get this, having the code is just not useful as having a protected mode browser.

# Alun Jones said on 27 July, 2007 09:24 AM

That's confusing - what I get for posting just before bedtime.

What I meant to say is that, in the first case, Firefox is registering as a URI protocol handler, and that means that it knows how to handle the protocol.

In the second case, it's clear from Jesper's later comments that it's far from clear that any component of Windows is causing these other executable elements to be called - in fact, the indications point to Firefox again (although it's distinctly possible that Firefox is passing something that it thinks is innocuous into a Windows DLL).

Jesper hasn't been one to pull his punches or stick to an opinion after he's been proven to be wrong - but I'll let him show that, if he needs to.

# Boris Zbarsky said on 27 July, 2007 12:55 PM

Jesper, Firefox doesn't do any additional processing on the schemes in question.  It just passes them to ShellExecute, like every other scheme.  It's actually Windows that processes them differently, and in particular this processing changed with the IE7 upgrade.

# Boris Zbarsky said on 27 July, 2007 12:59 PM

In particular, try the following two URIs in "Start > Run ..." on an XP system with IE7 installed:

mailto:test%../../../../windows/system32/calc.exe".cmd

mailto:test../../../../windows/system32/calc.exe".cmd

The former launches calc.exe, while the latter launches the default mailto: handler.

# Harry Johnston said on 27 July, 2007 01:29 PM

According to this:

bugzilla.mozilla.org/show_bug.cgi

the same behavior can be observed using "Run" from the Start Menu, which suggests that the fault is indeed in Windows/IE.  It also seems that the underlying issue doesn't depend on using illegal URIs, though it may be difficult or impossible to exploit without them.  (Note that the embedded nulls in the original exploit were properly percent quoted.)

However the exact situation still seems unclear to me, in particular I'm not sure why IE doesn't seem to be vulnerable.  So I'll have to reserve judgement until further information comes to hand.  The original exploits don't behave as expected on my computer and I haven't had time yet to explore variants.

# Dan Veditz said on 27 July, 2007 01:58 PM

No, Firefox don't expect ShellExecute() to do any input validation, it expects it to hand the URL off to the registered protocol the way it was passed. On WinXP with IE7 installed this is no longer the case for a handful of web-related protocols. Please feel free to verify this with your own test program on a machine without Firefox -- the URLs from Billy Rios will have exactly the same effect.

# Michael Winters said on 30 July, 2007 09:00 PM

It appears that the browser that is immune from this exploit which only occurs on XP is also the browser that once installed creates this exploit is several other applications including XP's Start -> Run due to the fact that when you install it the behavior of shellexecute is changed.

# mrMOO said on 31 July, 2007 09:50 PM

Jesper, your an arrogant douche. Get off your high horse; your opinions are meaningless; do something useful. And btw, that "file photo" is completely gay.

Have fun dissecting this post in your deluded mind.

Leave a Comment

(required) 
(required) 
(optional)
(required)