Slashdot Mirror


New URI Browser Flaws Worse Than First Thought

narramissic writes "URI (Uniform Resource Identifier) bugs have become a hot topic over the past month, since researcher Thor Larholm showed how a browser could be tricked into sending malformed data to Firefox. Now, security researchers Billy Rios and Nathan McFeters say they've discovered a number of ways attackers could misuse the URI protocol handler technology to steal data from a victim's computer. 'It is possible through the URI to actually steal content from the user's machine and upload that content to a remote server of the attacker's choice,' said McFeters, a senior security advisor for Ernst & Young Global Ltd. 'This is all through functionality that the application provides.'"

3 of 149 comments

  1. Oh my by zmotula · · Score: 4, Informative
    There is not a SINGLE technical detail about the bug in the article. The first paragraph pretty much says it all:

    Security researchers Billy Rios and Nathan McFeters say they've discovered a new way that the URI (Uniform Resource Identifier) protocol handler technology, used by Windows to launch programs through the browser, can be misused to steal data from a victim's computer.

    It is impossible to say whether this bug is really exploitable, whether it matters at all. So far they ("security researchers") can only be getting free publicity. Is this news for nerds?
    1. Re:Oh my by Intron · · Score: 5, Informative

      mozilla bug 389580

      "On Windows XP some urls for "web" protocols that contain %00 launch the wrong
      handler and appear to be able to launch local programs, with limited argument
      passing. It is not yet clear that this can be used to compromise a machine but
      we can always fear the worst.

      The same behavior is observed using "Run" from the Windows Start menu for the
      affected protocols (http, https, ftp, gopher, telnet, mailto, news, snews,
      nntp, possibly others?).

      The behavior seems to be that if there's a %00 in the URL for these schemes
      then the URL Protocol handler is not called, instead the FileType handler is
      called based on the extension of the full url. The url is then passed to that
      File handler. For "non-web" URL handlers the URL is passed to the expected
      handler.

      In Firefox browser protocols are handled internally so are not vulnerable, but
      the mailnews protocols are handed off to the OS and can be abused in this way."

      ====
      So you can construct a uri like: "mailto:/...%00...something.exe"
      Firefox sees mailto and hands it to Windows to give it to the mail program
      Windows sees %00 and mistakenly hands it to the FileType handler.
      The FileType handler sees ".exe" and runs the program.

      --
      Intron: the portion of DNA which expresses nothing useful.
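A defender-side check for the handler confusion quoted above, as an added example (not code from the bug report, Firefox or Windows): it flags URIs that combine one of the affected schemes with a NUL and reports the extension Windows would dispatch on instead of the scheme. The affected-scheme list is taken from the bug text; the executable-extension list is an assumption for this example.

```python
"""Flag URIs that would hit the Windows %00 handler confusion quoted above
from Mozilla bug 389580. Added example, not code from the bug or Firefox."""
from urllib.parse import unquote

# Schemes the bug report lists as affected ("web" protocols handed to Windows).
AFFECTED_SCHEMES = {"http", "https", "ftp", "gopher", "telnet",
                    "mailto", "news", "snews", "nntp"}
# Assumed set of extensions whose FileType handler would run the target.
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif"}

def uri_scheme(uri: str) -> str:
    """Scheme of `uri`, lower-cased, or '' when there is no ':'."""
    head, sep, _ = uri.partition(":")
    return head.lower() if sep else ""

def has_nul(uri: str) -> bool:
    """True for a raw NUL or the single-level escape %00 (any case).
    A double escape such as %2500 is not a NUL at this level."""
    return "\x00" in uri or "%00" in uri.lower()

def trailing_extension(uri: str) -> str:
    """Extension of the full, percent-decoded URL: per the report, the
    FileType handler is chosen from this, not from the scheme."""
    tail = unquote(uri).rsplit("/", 1)[-1]
    dot = tail.rfind(".")
    return tail[dot:].lower() if dot != -1 else ""

def check_uri(uri: str) -> dict:
    """Classify one URI. verdict is 'clean' (no NUL), 'nul-present' (NUL but
    scheme not on the affected list) or 'filetype-dispatch' (NUL in an
    affected scheme, so Windows would key on `extension` instead)."""
    scheme, ext = uri_scheme(uri), trailing_extension(uri)
    if not has_nul(uri):
        verdict = "clean"
    elif scheme in AFFECTED_SCHEMES:
        verdict = "filetype-dispatch"
    else:
        verdict = "nul-present"
    return {"scheme": scheme, "extension": ext, "verdict": verdict,
            "executable": verdict == "filetype-dispatch" and ext in EXECUTABLE_EXTENSIONS}

def flagged(uris):
    """Return (uri, verdict) for every URI in `uris` that carries a NUL."""
    return [(u, check_uri(u)["verdict"]) for u in uris if has_nul(u)]

# Constructed sample URIs (not from the article) to run the check over.
SAMPLES = ["http://example.invalid/index.html", "mailto:/foo%00bar/example.exe",
           "FTP://host.invalid/\x00readme.txt", "irc://host.invalid/%00chan.exe"]
```

Only the mailto sample matches the shape Intron describes; the ftp sample shows the same dispatch with a non-executable extension, and the irc sample shows a NUL in a scheme the report does not list.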
  2. Want to disable it altogether? by Anonymous Coward · · Score: 4, Informative

    Go to about:config and

    set network.protocol-handler.expose-all to false,
    network.protocol-handler.expose.http to true,
    network.protocol-handler.expose.javascript to true,
    network.protocol-handler.expose.mailto to true and
    remove all other network.protocol-handler.expose.* entries (or set them to false).

    Set network.protocol-handler.external-default to false,
    network.protocol-handler.external.mailto to true and
    remove all other network.protocol-handler.external.* entries (or set them to false).

    To be sure set network.protocol-handler.warn-external.file to true and
    remove all network.protocol-handler.warn-external.* entries (or set them to true).

    For more info start at http://kb.mozillazine.org/Network.protocol-handler.expose-all
    Beware, on Windows things are different. See http://kb.mozillazine.org/Register_protocol