I’ve seen two interesting polls in the past week about the URI/Protocol Handler issues that Rios and I have been talking about. They’re interesting polls on their own, but when you look at the results, I think they point out some concerning misconceptions and show a lack of understanding of the dangers of the URI/Protocol Handler issues. The first poll is over at Jeremiah Grossman’s blog and discusses the Top 10 Web Hacks of 2007; the second poll is hosted by Secunia here and discusses our Windows URI issue, asking companies whether they’ve taken any steps and, if not, whether they are affected by the vulnerability.
Interesting thing with Grossman’s poll is the order in which certain vulnerabilities panned out in the listing, and more importantly, what vulnerabilities were missing altogether. Here’s the list:
- XSS Vulnerabilities in Common Shockwave Flash Files
- Universal XSS in Adobe’s Acrobat Reader Plugin
- Firefox’s JAR: Protocol issues
- Cross-Site Printing (Printer Spamming)
- Hiding JS in Valid Images
- Firefoxurl URI Handler Flaw
- Anti-DNS Pinning ( DNS Rebinding )
- Google GMail E-mail Hijack Technique
- PDF XSS Can Compromise Your Machine
- Port Scan without JavaScript
First off, let me thank the voters for voting Billy and me in at number six with our Firefoxurl Protocol Handler issue, but I have to say, the impact of this particular finding seems to be more significant than all of those listed in the top 5 (with no disrespect to the authors of these flaws). All of the top 5 findings are legit, so not to take anything away there, but command injection through Cross-Site Scripting is beyond a serious issue.
Second, I’m completely surprised that PDP’s “PDF XSS Can Compromise Your Machine” post made it in over our exploit, which it is based on (see “Firefox File Handling Woes”)! While PDP’s issue is quite serious, and actually was turned into a trojan horse attack, it is a subset of (and not nearly as serious as) the issue we describe, which can be exploited through simple XSS or CSRF, and does not require that a user receive and open a PDF file. This issue is a URI Handler attack against the Microsoft operating system (XP with IE7) and affects numerous programs including but not limited to Mozilla/Firefox/Netscape browsers, Thunderbird/Outlook and other e-mail clients, Skype, Adobe Acrobat Reader, etc. Not to take anything away from PDP’s find, but the issue we reported is the first among a class of these types of vulnerabilities.
To qualify all of this, I understand that Grossman’s poll had more subjective rankings than impact alone, but I stand by my guns on this one. To be perfectly honest, if this was based on cool factor, then Dino Dai Zovi’s Second Life exploit should’ve been number one. Some of this confusion is easy to attribute to the black box nature in which these issues were originally found and the lack of information at the time of reporting. There are really two current types of these flaws:
- Protocol Handling Issues - imply a flaw in the application designated to handle a certain protocol (these are application specific):
  - AIM Buffer Overflow and Command Injection Issues
  - FirefoxUrl and NavigatorUrl Command Injection Issues
  - Google’s Picasa Image Theft Issue
  - etc.
- URI Handling Issues - imply an issue with how the operating system handles a specific URI (these have a more global impact, as they are a vulnerability in the underlying operating system and can affect multiple applications):
  - Flaw in Windows Shell32.dll ShellExecute that leads to command injections like those in Acrobat Reader, Firefox, Netscape Navigator, Outlook, etc.
As you can see, the URI handling issues are a much greater risk as they imply an issue with the operating system and how it is being used by an application… basically, if you uncover one flaw (like our mailto: URI issue within Firefox/Netscape/etc.) it applies to all applications that work in that same way. So effectively, PDP’s Adobe Acrobat issue is a subset of the greater URI handling issue, which has subsequently been fixed by Microsoft.
Moving on to the Secunia poll… go take a look if you haven’t already. At the time of writing, only 29% of organizations had done something to address the issue… 29%!!! Worst of all, 34% of respondents claimed that they were not at risk! So, 71% of companies out there are doing nothing about what may very well be one of the biggest issues of the year. By the way, for the 34% of respondents who claimed their organizations were not at risk, you are oh so wrong. Unless you are a company that does not allow ANY of your employees to view the Internet, you ARE at risk. This type of attack may also be able to reach web applications that make their own requests (think a translation service that allows you to specify a URI to go translate).
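To make the two points above concrete (the ShellExecute-level URI handling flaw from the two-type breakdown, and the server-side fetcher case from the Secunia paragraph), here is an added example that is not code from the original post or from any of the products it names. It simulates how Windows expands a registered handler command template around `%1` (plain substitution, no escaping) so an auditor can see whether a URI can escape the argument reserved for it, and it shows the scheme and well-formedness gate a server-side fetcher should apply before handing a user-supplied URI to anything that dispatches by scheme. The handler templates, schemes and URIs are constructed samples, not real registry entries; `split_windows_cmdline` is a simplified reimplementation of the CommandLineToArgvW rules.

```python
"""Added example: defender-side checks for URI-handler dispatch.
All templates and URIs here are constructed samples, not real registrations."""
import re
from typing import Optional
from urllib.parse import urlsplit

MARKER = "SCHEME-MARKER"  # stand-in for %1 that can never split an argument

# RFC 3986 character set: a syntactically valid URI never contains a double
# quote or whitespace, so refusing those before dispatch loses nothing.
_URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")


def split_windows_cmdline(cmdline: str) -> list:
    """Split a command line the way CommandLineToArgvW does (simplified):
    whitespace separates arguments, double quotes group, and backslashes
    only act as escapes when they precede a quote."""
    args, cur, in_quotes, has_token, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2:
                    cur.append('"')            # escaped literal quote
                else:
                    in_quotes = not in_quotes  # even count: quote is a delimiter
                i += 1
            else:
                cur.append("\\" * n)           # backslashes elsewhere are literal
            has_token = True
            continue
        if c == '"':
            in_quotes = not in_quotes
            has_token = True
        elif c in " \t" and not in_quotes:
            if has_token:
                args.append("".join(cur))
                cur, has_token = [], False
        else:
            cur.append(c)
            has_token = True
        i += 1
    if has_token:
        args.append("".join(cur))
    return args


def audit_template(template: str, uri: str) -> dict:
    """Expand `template` with `uri` as ShellExecute would (plain %1 substitution)
    and report whether the URI stayed inside the one argument reserved for it."""
    baseline = split_windows_cmdline(template.replace("%1", MARKER))
    intended = [a.replace(MARKER, uri) for a in baseline]
    actual = split_windows_cmdline(template.replace("%1", uri))
    return {"argv": actual, "intended": intended, "confined": actual == intended}


def uri_is_well_formed(uri: str) -> bool:
    """True when `uri` uses only RFC 3986 characters (no quotes, no spaces)."""
    return _URI_RE.fullmatch(uri) is not None


def fetch_target_or_none(user_url: str, allowed=("http", "https")) -> Optional[str]:
    """Gate for a server-side fetcher (e.g. a translation service): accept only
    well-formed http(s) URLs with a host, so a user-supplied mailto:, file: or
    custom-scheme URI never reaches a scheme-dispatching opener on the server."""
    if not uri_is_well_formed(user_url):
        return None
    parts = urlsplit(user_url)
    if parts.scheme.lower() not in allowed or not parts.hostname:
        return None
    return user_url


# Constructed samples: a quoted template of the shape applications commonly
# register, an unquoted one, a benign URI, and one that carries a quote.
QUOTED_TEMPLATE = r'"C:\Example\browser.exe" -url "%1" -requestPending'
UNQUOTED_TEMPLATE = r"C:\Example\viewer.exe %1"
BENIGN_URI = "sample://example.com/page"
HOSTILE_URI = 'sample://example.com/" --extra-flag "x'

if __name__ == "__main__":
    for tpl in (QUOTED_TEMPLATE, UNQUOTED_TEMPLATE):
        for uri in (BENIGN_URI, HOSTILE_URI, "sample://a b"):
            r = audit_template(tpl, uri)
            print(f"{uri!r:40} well-formed={uri_is_well_formed(uri)!s:5} "
                  f"confined={r['confined']!s:5} argv={r['argv']}")
    for u in ("http://example.com/doc", "mailto:someone@example.com", "HTTPS://Example.com/x"):
        print(f"{u!r:32} -> {fetch_target_or_none(u)!r}")
```

Running it shows the asymmetry that makes the OS-level flaw worse than any single application bug: quoting `%1` protects against spaces but not against a quote inside the URI, so a URI containing `"` lands extra arguments on the handler's command line whatever the handler is. The cheap fix on either side is the well-formedness check: a string that is not even a valid URI should never reach ShellExecute or a server-side fetcher.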
The lack of understanding is concerning, so I suppose it is a good thing that I will be continuing to discuss these issues and new examples of them at Black Hat Federal and Black Hat Europe. Hope to see you there!
Nate McFeters