July 26th, 2007

Protocol abuse adds to Firefox, Windows security woes

Posted by Ryan Naraine @ 9:29 am

Security researchers have discovered a new set of protocol abuse problems with Mozilla Firefox, warning that the popular open-source browser is a sitting duck for code execution exploits.

Billy (BK) Rios and Nate McFeters, two hackers who have warned repeatedly about risky and unnecessary URIs registered on Windows, have released proof-of-concept exploits that show how fully patched versions of Firefox (2.0.0.5) can be exploited when a user simply clicks on a booby-trapped link.

Adding to the back-and-forth blame game, Secunia says this is a “highly critical” flaw that affects Microsoft Windows.

The vulnerability is caused due to an input validation error within the handling of system default URIs with registered URI handlers (e.g. “mailto”, “news”, “nntp”, “snews”, “telnet”). This can be exploited to execute arbitrary commands when a user e.g. using Firefox visits a malicious website with a specially crafted “mailto” URI containing a “%” character and ends in a certain extension (e.g. “.bat”, “.cmd”).

Successful exploitation requires that Internet Explorer 7 is installed on the system. Secunia has confirmed the vulnerability on a fully patched Windows XP SP2 and Windows Server 2003 SP2 system using Firefox version 2.0.0.5 and Netscape Navigator version 9.0b2. Other versions and browsers may also be affected.

Mozilla security chief Window Snyder has posted a confirmation of the latest issue:

We are currently investigating an issue on Windows XP, where some urls for “web” protocols that contain %00 launch the wrong handler and appear to be able to launch local programs, with limited argument passing. The impact to users is unknown at this point in time. We are working to verify this and in the meantime, advise users to be cautious when browsing unknown sites.

Mozilla has already created a fix that will be rolled out in the next version of Firefox.

TEMPORARY WORKAROUNDS:

A vulnerability note from US-CERT includes the following mitigation guidance:

  • Using the about:config interface, setting the network.protocol-handler.warn-external-default, network.protocol-handler.warn-external.mailto, network.protocol-handler.warn-external.news, network.protocol-handler.warn-external.nntp, network.protocol-handler.warn-external.snews to true will make Firefox display a prompt before sending a URI to an external handler.
  • Do not click on or follow untrusted links, or links that contain %00 immediately following the protocol name.

For administrators:

Blocking mailto: %00, nntp: %00, news: %00, snews: %00, telnet: %00 strings inside of HTML pages or other network streams using an application layer firewall or IPS may mitigate this vulnerability. See the xs-sniper blog for more information about known vulnerable URIs. Note that an attacker may obfuscate URIs in such a way that blacklisting techniques may only stop a small percentage of attacks.

I pinged Billy (BK) Rios for some practical advice for non-technical end users. He is adamant that users should unregister all unnecessary URIs immediately. Unfortunately, it’s a little difficult for mom and pop users to unregister URIs, so the standing recommendation is for Firefox users to install and use the free NoScript extension to get protection.

Rios also urges CSOs to be proactive against URI handling vulnerabilities by using the free Dump URL Handlers (DUH.vbs) tool distributed by Erik Cabetas at the bottom of this page.

Once all the registered URI handlers have been identified, you can either remove them completely or audit them.

URI handlers can be removed by deleting the following registry keys: HKCR\<Name of URI HANDLER>

Bear in mind that some URI handlers are tied to functionality provided by other programs. That makes them more dangerous, but removing them may also break the applications that rely on the handler.
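The audit-then-remove procedure above, as an added PowerShell example that is not DUH.vbs and not from the post: it lists every URI scheme registered under HKCR (a key carrying a “URL Protocol” value) together with the command line it launches, flags handlers that hand the raw URI to a command line, and exports a backup of a key before removing it. The function names and the flagging heuristic are my own assumptions, not something the post or the tool defines.

```powershell
# Added audit example: enumerate registered URI handlers so that unneeded
# ones can be reviewed or removed. Run in an elevated PowerShell session.
$hkcr = 'Registry::HKEY_CLASSES_ROOT'

function Get-UriHandler {
    # A scheme is registered when its HKCR key carries a 'URL Protocol' value
    # (usually empty). Keys we cannot read are skipped silently.
    Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol') } |
        ForEach-Object {
            $cmdKey  = $_.OpenSubKey('shell\open\command')
            $command = if ($cmdKey) { [string]$cmdKey.GetValue('') } else { '' }
            # Heuristic (my assumption): a handler that substitutes the whole
            # URI into a command line via %1 deserves the closest review,
            # and an unquoted %1 even more so.
            $passesUri = $command -match '%1'
            $unquoted  = $passesUri -and ($command -notmatch '"%1"')
            [pscustomobject]@{
                Scheme    = $_.PSChildName
                Command   = $command
                PassesUri = $passesUri
                Unquoted  = $unquoted
            }
        }
}

# Review the inventory; the post's interesting schemes (mailto, news, nntp,
# snews, telnet) will show up here if they are registered on this machine.
Get-UriHandler | Sort-Object Scheme | Format-Table -AutoSize

function Remove-UriHandler {
    # Deletes HKCR\<scheme> (the key named in the post) after exporting it,
    # so the handler can be restored with 'reg import <backup>.reg'.
    param(
        [Parameter(Mandatory)][string]$Scheme,
        [string]$BackupDir = $env:TEMP
    )
    $path = "$hkcr\$Scheme"
    if (-not (Test-Path -Path $path)) { throw "No handler registered for '$Scheme'" }
    $backup = Join-Path $BackupDir "$Scheme.reg"
    reg.exe export "HKCR\$Scheme" $backup /y | Out-Null
    Remove-Item -Path $path -Recurse
    "Removed HKCR\$Scheme (backup written to $backup)"
}
```

Only remove a scheme after confirming nothing installed depends on it; the exported .reg file is the way back if something breaks.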

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.