The Protocol Handler Saga Continues: Say What Secunia?

re: The Protocol Handler Saga Continues: Say What Secunia?

mrMOO — Wed, 01 Aug 2007 02:50:42 GMT

Jesper, your an arrogant douche. Get off your high horse; your opinions are meaningless; do something useful. And btw, that "file photo" is completely gay.

Have fun dissecting this post in your deluded mind.

re: The Protocol Handler Saga Continues: Say What Secunia?

Michael Winters — Tue, 31 Jul 2007 02:00:04 GMT

It appears that the browser that is immune from this exploit which only occurs on XP is also the browser that once installed creates this exploit is several other applications including XP's Start -> Run due to the fact that when you install it the behavior of shellexecute is changed.

re: The Protocol Handler Saga Continues: Say What Secunia?

Dan Veditz — Fri, 27 Jul 2007 18:58:40 GMT

No, Firefox don't expect ShellExecute() to do any input validation, it expects it to hand the URL off to the registered protocol the way it was passed. On WinXP with IE7 installed this is no longer the case for a handful of web-related protocols. Please feel free to verify this with your own test program on a machine without Firefox -- the URLs from Billy Rios will have exactly the same effect.

re: The Protocol Handler Saga Continues: Say What Secunia?

Harry Johnston — Fri, 27 Jul 2007 18:29:58 GMT

According to this:

bugzilla.mozilla.org/show_bug.cgi

the same behavior can be observed using "Run" from the Start Menu, which suggests that the fault is indeed in Windows/IE. It also seems that the underlying issue doesn't depend on using illegal URIs, though it may be difficult or impossible to exploit without them. (Note that the embedded nulls in the original exploit were properly percent quoted.)

However the exact situation still seems unclear to me, in particular I'm not sure why IE doesn't seem to be vulnerable. So I'll have to reserve judgement until further information comes to hand. The original exploits don't behave as expected on my computer and I haven't had time yet to explore variants.

re: The Protocol Handler Saga Continues: Say What Secunia?

Boris Zbarsky — Fri, 27 Jul 2007 17:59:56 GMT

In particular, try the following two URIs in "Start > Run ..." on an XP system with IE7 installed:

mailto:test%../../../../windows/system32/calc.exe".cmd

mailto:test../../../../windows/system32/calc.exe".cmd

The former launches calc.exe, while the latter launches the default mailto: handler.

re: The Protocol Handler Saga Continues: Say What Secunia?

Boris Zbarsky — Fri, 27 Jul 2007 17:55:22 GMT

Jesper, Firefox doesn't do any additional processing on the schemes in question. It just passes them to ShellExecute, like every other scheme. It's actually Windows that processes them differently, and in particular this processing changed with the IE7 upgrade.

re: The Protocol Handler Saga Continues: Say What Secunia?

Alun Jones — Fri, 27 Jul 2007 14:24:56 GMT

That's confusing - what I get for posting just before bedtime.

What I meant to say is that, in the first case, Firefox is registering as a URI protocol handler, and that means that it knows how to handle the protocol.

In the second case, it's clear from Jesper's later comments that it's far from clear that any component of Windows is causing these other executable elements to be called - in fact, the indications point to Firefox again (although it's distinctly possible that Firefox is passing something that it thinks is innocuous into a Windows DLL).

Jesper hasn't been one to pull his punches or stick to an opinion after he's been proven to be wrong - but I'll let him show that, if he needs to.

re: The Protocol Handler Saga Continues: Say What Secunia?

Paperino — Fri, 27 Jul 2007 05:29:42 GMT

Nice post and informative as usual.

It seems that the many eyeball theory behind open source code security is falling apart nowadays: if many eyeballs looking at the same exact piece of code couldn't get this, having the code is just not useful as having a protected mode browser.

re: The Protocol Handler Saga Continues: Say What Secunia?

Alun Jones — Fri, 27 Jul 2007 03:51:31 GMT

By Firefox registering the URI handler, it is staking a claim that it knows how to handle the protocol. If it's calling a piece of code in IE that is not behaving as documented, then I'm sure that Jesper will acknowledge that the flaw is there and needs to be fixed. If, on the other hand, Firefox is passing something to IE that IE is not documented to be able to take, will you be happy to admit that the problem is with Firefox?

re: The Protocol Handler Saga Continues: Say What Secunia?

Harry Johnston — Fri, 27 Jul 2007 02:48:07 GMT

In your post on the original IE->Firefox vulnerability you said it was Firefox's fault because it registered the URI handler, and it wasn't IE's responsibility to validate the URI before passing it to Firefox.

Now you're saying this vulnerability is Firefox's fault because it hasn't validated the URI it is passing to a URI handler registered by Windows?

You can't have it both ways!

re: The Protocol Handler Saga Continues: Say What Secunia?

Blackstorm — Fri, 27 Jul 2007 02:37:28 GMT

Thank you, Jesepr... I was drive crazy to understand what this exploit actually do. And thus who is flawed, too, FF or IE... :)