Did some quick search on Bugzilla and came up with the following:

Mozilla allows external protocols as discussed in:
http://bugzilla.mozilla.org/show_bug.cgi?id=167475

They seem to blacklist the following external protocol handlers:
(patch http://bugzilla.mozilla.org/attachment.cgi?id=102263&action=view)
hcp, vbscript, javascript, ms-help, vnd.ms.radio

A simple solution would be to add the shell protocol to this list.
Personally I think a secure blacklist is hard to maintain as new dangerous
external protocols could be invented by third parties, leaving Mozilla
vulnerable again.

/Andreas Sandblad

On Thu, 8 Jul 2004, Andreas Sandblad wrote:

> It doesn't seem to affect Windows 2000, only Windows XP.
> This is a fault in Mozilla. Why? Because it allows access to a dangerous
> protocol from within a non-local resource. The Mozilla project should fix
> this before anyone creates an exploit to run arbitrary code.
>
> Personally I think the shell: issue should have been reported to the
> Mozilla security team before being published to the masses.
>
> /Andreas Sandblad
>
> On Wed, 7 Jul 2004, Barry Fitzgerald wrote:
>
> > I just verified this in Mozilla 1.7 on Windows XP pro.
> >
> > (I know -- no reason why it shouldn't work on 1.7 if it worked on firefox)
> >
> > In any case, it does appear to be an issue with MS Windows and not
> > Mozilla, but the Mozilla project should still, IMO, filter out the
> > shell: scheme type and other dangerous (but essentially useless on the
> > web) scheme types identified in MS Windows. In fact, they should filter
> > all out except for accepted scheme types. Default-closed as opposed to
> > default-open.
> >
> > -Barry
> >
> >
> > Andreas Sandblad wrote:
> >
> > >This is dangerous. Based on the file extension of the shell protocol
> > >different applications may be launched. For example:
> > >shell:.its will launch Internet Explorer
> > >and shell:.mp3 will launch Winamp.
> > >
> > >The trick is to find an application that will overflow when given a
> > >very long parameter. A quick check showed that a buffer overflow occurred
> > >within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230
> > >bytes with the following URL:
> > >shell:[x*221].grp
> > >EIP can be controlled, but exploitation is a bit tricky since the parameter is
> > >stored as unicode.
> > >
> > >Also Winamp contains a BO (no unicode here).
> > >
> > >Tested environment:
> > >Windows XP pro + FireFox 0.9.1
> > >
> > >/Andreas Sandblad
> > >
> > >On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:
> > >
> > >>-----snip------
> > >>center><br><br><img src="nocigar.gif"></center>
> > >><center>
> > >><a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
> > >>src="http://windowsupdate.microsoft.com%2F.http-
> > >>equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
> > >>[customise as you see fit]
> > >><http://www.malware.com/stockpump.html>
> > >>------end----------
> > >>The code above has interest to me.
> > >>Even in Mozilla the commands below will work.
> > >><a href=shell:windows\\system32\\calc.exe>1</a>
> > >><a href=shell:windows\system32\calc.exe>2</a>
> > >><a href=shell:windows\system32\winver.exe>4</a>
> > >>Just save them to an .html file and run it.
> > >>The first one with the double quotes was from bugtraq:
> > >>Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
> > >><http://seclists.org/lists/bugtraq/2004/Mar/0188.html>
> > >>The links below that will run calc as well as winver.
> > >>It seems it calls windows as a virtual dir because c:\winxp is what I have.
> > >>I have been playing around to see if cmd.exe will work with it but without
> > >>luck.
> > >>This is what is in the registry.
> > >>HKEY_CLASSES_ROOT\Shell
> > >>Look in the registry key above. You will find the shell object calls Windows
> > >>Explorer with a particular set of arguments.
> > >>%SystemRoot%\Explorer.exe /e,/idlist,%I,%L
> > >>So this is tied to explorer.exe. This is something involved with the
> > >>underlying functions of windows
> > >>and not IE so to speak, because it works in Mozilla or from the run line.
> > >>I'm trying to find out more about the shell: command because I can put a
> > >>link on a site that seems to run anything
> > >>in the system32 dir. I'd like to see if you can pass parameters to it.
> > >>
> > >>Anyone give me more info on the shell:windows command?
> > >>JP
> > >>
> > >>
> > >>Joshua Perrymon
> > >>Sr. Network Security Consultant
> > >>PGP Fingerprint
> > >>51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
> > >>
> > >>_______________________________________________
> > >>Full-Disclosure - We believe in it.
> > >>Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> > >

--
     _   _
   o' \,=./ `o
      (o o)
  ---ooO--(_)--Ooo---
Andreas Sandblad
Umeå, Sweden
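The default-closed scheme filtering Barry argues for, set beside the blacklist from the bugzilla patch Andreas found, as an added example that is not Mozilla's code; the allowlist contents and the sample links are assumptions constructed for the illustration.

```javascript
// Added example, not Mozilla's code: the blacklist from the bugzilla patch
// quoted in the thread versus a default-closed allowlist, applied to the
// decision "may this link be handed to an external protocol handler?".

// Schemes the quoted patch blocks (taken from the thread).
const BLOCKED_SCHEMES = new Set(["hcp", "vbscript", "javascript", "ms-help", "vnd.ms.radio"]);

// Assumed allowlist: schemes the browser renders itself. Anything else is
// refused, so a scheme nobody had thought of when the list was written
// (shell:, or the next one a third party invents) is refused as well.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto", "file"]);

// Normalise the way a URL parser does before looking at the scheme: remove
// ASCII tab/CR/LF anywhere and strip leading/trailing C0 controls and spaces
// (WHATWG URL parsing does the same), so "sh\tell:" cannot hide a scheme.
function normalizeUrl(url) {
  return url.replace(/[\t\r\n]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// Returns null for scheme-less (relative) URLs, the lower-cased scheme otherwise.
function extractScheme(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normalizeUrl(url));
  return m ? m[1].toLowerCase() : null;
}

// Default-open: everything passes unless its scheme is on the blacklist.
function blacklistAllows(url) {
  const scheme = extractScheme(url);
  return scheme === null || !BLOCKED_SCHEMES.has(scheme);
}

// Default-closed: only schemes on the allowlist pass.
function allowlistAllows(url) {
  const scheme = extractScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Run both policies on one URL; a link the blacklist passes but the allowlist
// refuses is exactly the gap the thread is about.
function compare(url) {
  return { scheme: extractScheme(url), blacklist: blacklistAllows(url), allowlist: allowlistAllows(url) };
}

// Constructed sample links, including the benign shell: link from the thread.
const SAMPLES = ["http://bugzilla.mozilla.org/show_bug.cgi?id=167475",
                 "shell:windows\\snakeoil.txt", "JavaScript:void(0)", "\tsh\nell:x", "/relative/page.html"];
for (const u of SAMPLES) console.log(u, compare(u));
```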
