This is really just a short note to detail what others have surely discovered as well.

The Mozilla Corporation released Firefox 2.0.0.5 on July 17, followed by the release of Thunderbird 2.0.0.5 on July 19. Both of these releases tightened up the input validation performed on command line arguments, specifically to disallow other browsers from abusing them as attack vectors through inbound arguments.

This was achieved by adding a further command line argument called -osint, for "operating system internal", which is appended to each of their registered URL protocol handlers. Previously, the FirefoxURL protocol handler looked similar to the following:

C:\PROGRA~1\MOZILL~3\FIREFOX.EXE -requestPending -url "%1"

Whereas after Firefox 2.0.0.5 the same protocol handler was changed to:

C:\PROGRA~1\MOZILL~3\FIREFOX.EXE -requestPending -osint -url "%1"

Whenever the application sees that an -osint flag has been specified, it first determines the argument name and then uses the entire remainder of the command line as that argument's value, so that any additional flags smuggled into the URL are no longer interpreted as arguments. This removes the potential for external applications such as Internet Explorer to abuse the protocol handlers as attack vectors.

SeaMonkey 1.1.3 was released on July 16 but does not include this modification. As such it is still possible to perform cross application scripting against SeaMonkey from other browsers, such as Internet Explorer, which still does not escape command line arguments passed to URL protocol handler applications.

Firefox could be used as an attack vector through its FirefoxURL protocol handler, but SeaMonkey has not yet added the SeaMonkeyURL protocol handler that Vista compatibility would require. It does, however, register itself as the handler for protocols such as gopher: and mailto:, the latter of which we can then use as an attack vector with the following POC exploit.

<html><body>
<iframe src='mailto:m -chrome "javascript:alert(1)'>
</body></html>

You can also find the above demonstration exploit at http://larholm.com/vuln/seamonkeymailto.html. All it does is launch SeaMonkey with the following command line arguments.

SeaMonkey.exe -compose mailto:me@nowhere.com -chrome "javascript:alert(1)
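To make the -osint change described above concrete, here is an added example (not Mozilla's or SeaMonkey's code) that models both argument-handling behaviours and runs them over the command line the PoC produces. The tokenizer and the parser are assumptions that mimic Windows-style argument splitting and the post's description of -osint, not the real nsCommandLine implementation.

```python
# Added example: simplified model of legacy vs. -osint command line handling.
# Both functions below are assumptions for illustration, not Mozilla code.

def split_cmdline(cmdline):
    """Minimal Windows-style tokenizer: whitespace separates arguments,
    double quotes group text, and an unclosed quote runs to end of line."""
    args, cur, in_quote, have = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, have = not in_quote, True
        elif ch.isspace() and not in_quote:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        args.append("".join(cur))
    return args

def parse_args(argv):
    """Legacy mode: every '-flag' token is a flag, so a flag injected through
    the URL (e.g. -chrome) is honoured.  -osint mode: the token after -osint
    names the one argument and the whole remainder becomes its value, so the
    injected -chrome is just text inside the URL."""
    args, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-osint":
            if i + 1 >= len(argv):
                raise ValueError("-osint requires an argument name")
            args[argv[i + 1].lstrip("-")] = " ".join(argv[i + 2:])
            return args
        if tok.startswith("-"):
            name = tok.lstrip("-")
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                args[name], i = argv[i + 1], i + 2
            else:
                args[name], i = True, i + 1
        else:
            args.setdefault("positional", []).append(tok)
            i += 1
    return args

# Constructed input: the command line the post says the PoC produces.
INJECTED = '-compose mailto:me@nowhere.com -chrome "javascript:alert(1)'

def legacy_result():
    return parse_args(split_cmdline(INJECTED))

def osint_result():
    return parse_args(split_cmdline("-osint " + INJECTED))
```

In legacy mode the parser returns a separate chrome argument; with -osint the same line yields only a compose argument whose value contains the injected text.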

And there you have it: Mozilla might have bailed out Microsoft once with their previous security update, but they have yet to release an updated version of SeaMonkey which removes this attack vector. You can still exploit Internet Explorer simply by substituting "FirefoxURL" with "mailto" in your exploit :)