Protocol handlers cause Mozilla Firefox 3 remote command execution vulnerabilities




Update 07/16/2008: Apparently I neglected to mention that this has been patched already.  Reading over it again and a heads up from a reader pointed out the error to me.  As always, great job by Window Snyder and the Mozilla Security Team for getting this patched quickly.

Billy Rios is at it again. Rios, Rob Carter, and I have put more than a year of research into exploiting URI/protocol handler vulnerabilities on numerous operating systems and applications, and it appears Rios has ANOTHER one to add to everything previously reported, as well as his most recent vector, which was used against Opera.

From Mozilla:

Security researcher Billy Rios reported that if Firefox is not already running, passing it a command-line URI with pipe ("|") symbols will open multiple tabs. This URI splitting could be used to launch chrome: URIs from the command-line, a partial bypass of the fix for MFSA 2005-53 which was intended to block external applications from loading such URIs (that vulnerability remains fixed, however).

This vulnerability could also be used by an attacker to pass URIs to Firefox that would normally be handled by a vector application by appending it to a URI not handled by the vector application. For example, web browsers normally handle file: URIs themselves, or block them from web content altogether, but this flaw enabled attackers to pass them from another browser into Firefox. In Firefox 2 scripts running from file: URIs can read data from a user's entire disk, a risk if the attacker could first place a malicious file in a guessable location on the local disk. Rios demonstrated that the so-called "Safari Carpet-bombing vulnerability" could be used for this, as well as other techniques that do not rely on that now-fixed Safari vulnerability.

In Firefox 3 scripts running in local files have limited access to other files, almost entirely mitigating the file: attack. However, combined with a vulnerability which allows an attacker to inject script into a chrome document the above issue could be used to run arbitrary code on a victim's computer. Such a chrome injection vulnerability was discovered in Firefox 3 by Mozilla developers Ben Turner and Dan Veditz who showed that a XUL-based error page was not properly sanitizing inputs and could be used in this attack. In the absence of the attack described by Billy Rios this injection attack would not run with any special privilege and would be at best a spoofing vulnerability.

It will be interesting to see whether Rios releases proof-of-concept code, but if you look at how the protocol handler is registered on the operating system and how it hands URIs to Firefox, the problem may be straightforward. URI and protocol handler abuse continues to be an extremely viable attack vector.

-Nate
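Added example (not part of this post or of Mozilla's advisory): a handler-side check that models the "|" splitting the advisory describes and refuses to forward any externally supplied argument that would reach a chrome: or file: URI. The http/https allow-list and the sample URIs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Schemes the advisory says external applications must not be able to load
# in Firefox (chrome: per MFSA 2005-53, file: per the local-file discussion).
PRIVILEGED_SCHEMES = {"chrome", "file"}

# What a "vector" application should forward at all. Limiting it to http/https
# is an assumption for this example, not a list taken from the advisory.
FORWARDABLE_SCHEMES = {"http", "https"}


def tabs_firefox_would_open(arg):
    """Model of the bug: a single command-line argument became one tab per
    '|'-separated piece (empty pieces dropped, surrounding whitespace trimmed)."""
    return [piece.strip() for piece in arg.split("|") if piece.strip()]


def scheme_of(uri):
    """Scheme in lower case, or '' when the string carries no scheme."""
    return urlsplit(uri).scheme.lower()


def vet_external_uri(arg):
    """Return (allowed, reason) for a URI received from another program.

    Rejects anything the splitting bug would turn into more than one URI,
    anything that would reach a privileged scheme, and anything outside the
    forwardable allow-list. Fail closed on empty or malformed input.
    """
    pieces = tabs_firefox_would_open(arg)
    if len(pieces) > 1:
        hidden = [p for p in pieces if scheme_of(p) in PRIVILEGED_SCHEMES]
        if hidden:
            return False, "pipe splitting would reach " + hidden[0]
        return False, "pipe splitting would open %d tabs" % len(pieces)
    if not pieces or "|" in arg:
        # A trailing or lone pipe is still the bug trigger: reject it anyway.
        return False, "empty or malformed argument"
    scheme = scheme_of(pieces[0])
    if scheme in PRIVILEGED_SCHEMES:
        return False, "privileged scheme " + scheme + ":"
    if scheme not in FORWARDABLE_SCHEMES:
        return False, "scheme not in forwardable allow-list: " + repr(scheme)
    return True, "ok"
```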



Talkback

7 comments
  • The point is moot...

    ...[b]if[/b] you put your FF session in an AppArmor 'sandbox'--the below comes FREE (as in beer) in openSUSE /etc/apparmor/profiles/extras. Just go into YaST control center->AppArmor->Manually Add Profile and select both usr.lib.firefox.firefox-bin and *.firefox.sh and you are golden--a five-minute security precaution that provides long-lasting 'peace of mind'.

    AppArmor is open source, so it is free to use in other Linux distros; it is present in Ubuntu Hardy Heron 8.04 but must be manually configured and added from the command line as root:

    [pre]
    YaST2 - SD_EditProfile @ linux-wlfm

    Edit Profile - Choose profile to edit

    Profile Name
    /bin/ping
    /sbin/klogd
    /sbin/syslog-ng
    /sbin/syslogd
    /usr/lib/firefox/firefox-bin
    /usr/lib/firefox/firefox.sh
    /usr/lib/firefox/mozilla-xremote-client
    /usr/sbin/avahi-daemon
    /usr/sbin/identd
    /usr/sbin/mdnsd
    /usr/sbin/nscd
    /usr/sbin/ntpd
    /usr/sbin/traceroute

    [Help] [Back] [Abort] [Next]

    F1 Help F9 Abort F10 Next
    [/pre]

    Be Safe.

    Dietrich T. Schmitz
    [i]Linux IT Consultant[/i]
    D T Schmitz
    • Yeah, but

      How many people do you think are doing this? I'm all for AppArmor, but too many people require something out of the box secure. Plus, that does nothing for the Windows world.

      -Nate
      nmcfeters
      • What about ZoneAlarm ForceField?

        I use ZoneAlarm Security Suite, and am now trialling the version of ForceField for FireFox 3.
        Yes I know it is not a free application, but it appears to do the job in the Windows world.
        I am Gorby
        • No idea, but I doubt it. (NT)

          -Nate
          nmcfeters
  • This is fixed.

    Just because it is not obvious in the post, I wanted to make sure users know that this is fixed in Firefox 3.0.1 and 2.0.0.16.
    ws691
    • Thanks

      Yeah, just realized I left that out.

      -Nate
      nmcfeters
  • RE: Protocol handlers cause Mozilla Firefox 3 remote command execution vuln

    I got this blog on 7/19. FF was patched automagically on 7/18 while I was online.
    atari8bit@...