July 14, 2007
Firefox URLHANDLERS
cross-browser attack
A CROSS BROWSER attack was found that would allow an attacker to take control of a computer surfing the Internet. It will allow sites to force a download onto your machine or to execute a program. It involves both Internet Explorer (IE) and Firefox (Ffx)
the requirements for this exploit to work
- IE version 7 must be installed
- Ffx version 2 must be installed
- Ffx's URLHANDLER registry entries must be installed
- the NOSCRIPT extension must not be installed
- the secutiry settings in IE must be medium or less
- a mal-formed URL must be called in IE
- no Ffx window can be open
what you can do to protect yourself
- Keep to IE version 6
- Keep to Ffx version 1.5 (see MISC NOTE #4)
- Install NOSCRIPT (see MISC NOTE #1)
- Remove the URLHANDLERS from the Registry (see below)
- Raise the security level for the Internet Zone to high
the questionable registry entries
HKCR\FIREFOXHTML
HKCR\FIREFOXURL
HKCR\FIREFOX.URL
how to remove urlhandlers
Enter the following commands at the command prompt:
REG DELETE HKCR\FIREFOXHTML /F
REG DELETE HKCR\FIREFOXURL /F
REG DELETE HKCR\FIREFOX.URL /F
IE details
IE7 allows something besides IE to be setup to handle all standard Internet calls. Before, IE was always used. Some registry entries need to be set.
Ffx details
For Vista compatibility, Ffx 2.0.0.2 sets those Registry entries mentioned above but does so in a way that makes it vulnerable to a mal-formed URL that includes a double quote (").
Ffx itself checks to make sure a DOS command is not sent to it. But that check is bypassed if the command is sent by another browser that doesn't escape (or remove) the double quotes.
When an Internet-aware program calls a URL, Ffx is instanciated through the command line. If an instance of Ffx is already instanciated then DDE is used and the exploit doesn't work.
For illustration purposes I'll use a simplified version of the code that is called when a by the URLHANDLERS:
FIREFOX.EXE -option "%1" -option
If the URL (%1) has a double quote in it, Ffx would treat the rest of the URL was was an option (-option). Javascript could then be run with trusted priveleges. More details can be found on Thor Larholm's site. (see below)
miscellaneous notes
- NoScript has been immune to this for some time.
- Removing quotes is a security standard in web development.
- Checking the validity of data is a security standard.
- Ffx2 also has a weaker cookie control than previous versions.
- Any Inet-aware application could be at risk, not just IE.
- Any browser with URLHANDLERS could be at risk, not just Ffx.
- This attack does not exist in the wild yet.
- It does not work on the Portable App version of Ffx2
- A identical attack on "Safari for Windows" recently occured which Apple patched immediately
- Enough is Enough by Eric Howe raises the security level in IE
who is at fault?
Since Microsoft and Mozilla made mistakes here then they both share the blame. However, the attack author Thor Larholm and security researcher Bruce Schneider puts the blame squarely on Microsoft's shoulders. But security site Secunia puts the blame on Mozilla.
how the situation could have been avoided
IE should escape any double quotes.
Ffx should checked any incoming data and only allow valid data to come through.
responces
From Microsoft
"Microsoft has thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."
From Mozilla
"Mozilla believes in defense in depth and will be patching Firefox in the upcoming 2.0.0.5 release to mitigate the problem. This will prevent IE from sending Firefox malicious data."
websites to read
note: if the address wraps around the line, enter the whole URL as one word.
- Mozillas responce
http://blog.mozilla.com/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/orhttp://preview.tinyurl.com/3ydesv - Active network
http://www.activewin.com/awin/comments.asp?HeadlineIndex=40117 - Thor Larholm's theory
http://larholm.com/2007/07/10/internet-explorer-0day-exploit/ - Thor Larholm's proof of concept
http://larholm.com/vuln/firefoxurl.html
main researchers
- Thor Larholm
A hacker and web developer from Denmark who recently discovered a vulnerability with Safari on Windows (CVE-2007-3186) and in the extension FireBug (CVE-2007-1947) - Billy Rios (aka BK)
- Nate Mcfeters
- Raghav Dube (aka "the pope")
Experience the computer club and all it's SIG group that meet at Chapman university, California on the 1st Sunday of every month.
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader
