URI Use and Abuse written by my good friends Billy Rios, Nathan McFeters, and Raghav Dube (affectionately known as “baby Dube”) exposes how web browsers and applications fail to sanitize URIs leading to remotely exploitable conditions.
Billy started the ball rolling (after deriving inspiration from Thor’s Safari URI handling disclosure) when he discovered a remotely exploitable vulnerability in the
firefoxurl handler. An example of his this can be exploited in IE is available from Billy’s disclosure:
cmd.exe (remote execution)
cmd.exe will spawn regardless of any IE or Firefox dialogs.
Next up, Trillian:
pwnd.bat will be written to your Windows startup folder to spawn
calc.exe when the system is restarted).
These are just two examples of the kinds of security vulnerabilities caused due to lack of sanitization performed by URI handlers. See the references below for more details:
- Thor’s post on Safari (windows) 0-day caused by improper URI handling
- Billy Rios’
firefoxurlURI handling disclosure
- Billy, Nate, and Raghav’s Trillian disclosure
- Paper by Billy, Nate, and Raghav explaining URI handling vulnerabilities
These findings are extremely high impact, and therefore of Critical risk to any individual or organization. In order to fix these issues, all browsers and applications that expose and handle URIs must be audited and patched. Furthermore, millions of users who have these applications installed must upgrade to the patched versions so they are no longer vulnerable. This is going to take a while to happen, and I therefore suspect that people are going to be vulnerable to these high impact findings for the next few months, if not years.