Security researchers have discovered a new set of protocol abuse problems with Mozilla Firefox, warning that the popular open-source browser is a sitting duck for code execution exploits.
Billy (BK) Rios and Nate McFeters, two hackers who have warned repeated about risky and unnecessary URIs registered on Windows, have released proof-of-concept exploits that shows how fully patched versions of Firefox (184.108.40.206) can be exploited when a user simply clicks on a booby-trapped link.
The vulnerability is caused due to an input validation error within the handling of system default URIs with registered URI handlers (e.g. "mailto", "news", "nntp", "snews", "telnet"). This can be exploited to execute arbitrary commands when a user e.g. using Firefox visits a malicious website with a specially crafted "mailto" URI containing a "%" character and ends in a certain extension (e.g. ".bat", ".cmd")
Successful exploitation requires that Internet Explorer 7 is installed on the system. Secunia has confirmed the vulnerability on a fully patched Windows XP SP2 and Windows Server 2003 SP2 system using Firefox version 220.127.116.11 and Netscape Navigator version 9.0b2. Other versions and browsers may also be affected.
Mozilla security chief Window Snyder has posted a confirmation of the latest issue:
We are currently investigating an issue on Windows XP, where some urls for “web” protocols that contain %00 launch the wrong handler and appear to be able to launch local programs, with limited argument passing. The impact to users is unknown at this point in time. We are working to verify this and in the meantime, advise users to be cautious when browsing unknown sites.
Mozilla has already created a fix that will be rolled out in the next version of Firefox.
A vulnerability note from US-CERT includes the following mitigation guidance:
- Using the about:config interface, setting the network.protocol-handler.warn-external-default, network.protocol-handler.warn-external.mailto, network.protocol-handler.warn-external.news, network.protocol-handler.warn-external.nntp, network.protocol-handler.warn-external.snews to true will make Firefox display a prompt before sending a URI to an external handler.
- Do not click on or follow untrusted links, or links that contain %00 immediately following the protocol name.
Blocking mailto: %00, nntp: %00, news: %00, snews: %00, telnet: %00 strings inside of HTML pages or other network streams using an application layer firewall or IPS may mitigate this vulnerability. See the xs-sniper blog for more information about known vulnerable URIs. Note that an attacker may obsfucate URIs in a way that blacklisting techniques may only stop a small percentage of attacks.
I pinged Billy (BK) Rios for some practical advice for non-technical end users. He is adamant that users should unregister all unnecessary URIs immediately. Unfortunately, it's a little difficult for mom and pop users to unregister URIs, so the standing recommendation is for Firefox users to install and use the free NoScript extension to get protection.
Rios also urges CSOs to be proactive against URI handling vulnerabilities by using the free Dump URL Handlers (DUH.vbs) tool distributed by Erik Cabetas at the bottom of this page.
Once all the registered URI handlers have been identifed, you can either remove them completely or audit them.
URI handlers can be removed by deleting the following registry keys: HKCR\<Name of URI HANDLER>
But, bear in mind that some URI handlers are tied to functionality provided by other programs which makes them more dangerous, but also, removing them may break the functionality of applications relying on the URI Handler.