URI Use and Abuse, written by my good friends Billy Rios, Nathan McFeters, and Raghav Dube (affectionately known as “baby Dube”), exposes how web browsers and applications fail to sanitize URIs, leading to remotely exploitable conditions.
Billy started the ball rolling (after deriving inspiration from Thor’s Safari URI handling disclosure) when he discovered a remotely exploitable vulnerability in the firefoxurl handler. An example of how this can be exploited in IE is available from Billy’s disclosure: cmd.exe (remote execution). cmd.exe will spawn regardless of any IE or Firefox dialogs.
Next up, Trillian: pwnd.bat will be written to your Windows startup folder to spawn calc.exe when the system is restarted.
These are just two examples of the kinds of security vulnerabilities caused by a lack of sanitization in URI handlers. See the references below for more details:
- Thor’s post on Safari (Windows) 0-day caused by improper URI handling
- Billy Rios’ firefoxurl URI handling disclosure
- Billy, Nate, and Raghav’s Trillian disclosure
- Paper by Billy, Nate, and Raghav explaining URI handling vulnerabilities
These findings are extremely high impact, and therefore of Critical risk to any individual or organization. In order to fix these issues, all browsers and applications that expose and handle URIs must be audited and patched. Furthermore, millions of users who have these applications installed must upgrade to the patched versions so they are no longer vulnerable. This is going to take a while to happen, and I therefore suspect that people are going to be vulnerable to these high impact findings for the next few months, if not years.
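To make the defect class concrete, here is an added example (my own illustration, not code from the post or from the disclosures it links) of the two shapes a registered URI handler can take. Windows hands the full URI string to whatever program is registered for the scheme; a handler that splices that string into a shell command template lets characters inside the URI change the resulting command line, which is the pattern the post describes. The hardened version validates the URI against a whitelist and then passes it as its own argv element with no shell involved. The scheme name `exampleapp`, the target path and the `-url` switch are assumptions for illustration only.

```python
"""
Added example (not from the original post): a minimal, defensive custom
URI handler entry point, with the naive string-template form kept beside it
for inspection only.
"""
import re
import subprocess

SCHEME = "exampleapp"                                   # hypothetical scheme
TARGET = r"C:\Program Files\ExampleApp\exampleapp.exe"  # hypothetical target
MAX_LEN = 2048

# Whitelist of what may follow "scheme:": RFC 3986 URI characters minus
# quotes, whitespace, and the cmd.exe metacharacters & | < > ^ ; that a
# downstream shell or a naive quoting template would interpret.
# Deliberately conservative; widen it only for characters your app needs.
_ALLOWED_REST = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$()*+,=%]*")


class BadUri(ValueError):
    """Raised when a URI handed to the handler fails validation."""


def validate_uri(uri: str) -> str:
    """Return uri unchanged if it is safe to forward, otherwise raise BadUri."""
    if not isinstance(uri, str) or len(uri) > MAX_LEN:
        raise BadUri("missing or oversized uri")
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != SCHEME:
        raise BadUri("unexpected scheme: %r" % scheme)
    if not _ALLOWED_REST.fullmatch(rest):
        raise BadUri("disallowed character in uri")
    return uri


def naive_command_line(uri: str) -> str:
    """The pattern the post warns about: the raw URI is spliced into a shell
    command template. A quote or space inside the URI ends the quoted
    argument early. Returned as a string for inspection, never executed."""
    return '"%s" -url "%s"' % (TARGET, uri)


def build_argv(uri: str) -> list:
    """Hardened form: validate first, then hand the URI over as a separate
    argv element so no shell and no string template ever see it."""
    return [TARGET, "-url", validate_uri(uri)]


def launch(uri: str) -> int:
    """Entry point a registered handler would call. With shell=False the
    list is passed to CreateProcess with per-argument quoting done for us."""
    return subprocess.run(build_argv(uri), shell=False, check=False).returncode


if __name__ == "__main__":
    good = "exampleapp://host/path?id=42"
    bad = 'exampleapp://host/" extra'   # constructed: a quote and a space
    print(build_argv(good))
    print(naive_command_line(bad))     # note the unbalanced quoting
    try:
        build_argv(bad)
    except BadUri as e:
        print("rejected:", e)
```

The whitelist is the important part: rejecting a few characters is not a substitute for never building a shell string, but it also protects against the launched program parsing its own command line in surprising ways. Keep the validation in the handler itself, since that is the only component that sees the URI before anything else runs.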


On which platforms is Firefox vulnerable to these attacks? IE and Trillian are clearly only for Windows, but what about the others? Is Safari vulnerable on OS X?
Windows only for now.
If I'm reading the paper written by Billy, Nate and Raghav in the right manner, this looks like these are only Microsoft problems. I don't see the right coding for Linux.