Safari 4 Automatic explorer.exe launch

Tuesday, May 12, 2009
###############################
Safari for Windows: automatic command-line launch
advisory: http://lostmon.blogspot.com/2009/05/safari-4-automatic-explorerexe-launch.html
vendor notified: yes
###############################

###########
Description
############

Safari 4 Public Beta (528.16) for Windows is vulnerable to the
automatic launch of a local command line (explorer.exe) from a
web page, without any prompt to the user.

I tested it on Windows Vista and Windows 7 RC.

First, take a look at:

http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#app_reg
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#url_inv

The "Security Alert" note in that documentation says:

"Applications handling URL protocols must be robust
in the face of malicious data.
Because handler applications receive data from untrusted
sources, the URL and other parameter values passed to
the application may contain malicious data attempting to
exploit the handling application. For this reason, handling
applications that could initiate unwanted actions based on
external data must first confirm those actions with the user"

Then look at how the search-ms protocol handler is used:

http://msdn.microsoft.com/en-us/library/bb266520.aspx

and

how to display Windows shell objects from a command line:
http://www.codeproject.com/KB/system/ExplorerObjects.aspx


With all of this information, an attacker can compose an HTML
document that calls the search-ms protocol handler and uses
some Explorer shell objects.

########
testing
########

search-ms:query=microsoft&
search-ms:query=vacation&subquery=mydepartment.search-ms&
search-ms:query=seattle&crumb=kind:pics&
search-ms:query=seattle&crumb=folder:C:\MyFolder&

If you compose an HTML document with an iframe or a link that
contains any of these search-ms URLs, Firefox, Google Chrome and
IE8 show a warning (this is correct); if you click Accept,
explorer.exe opens and executes the search.

If you test the same with Safari, the browser opens the iframe
or link target directly, without any prompt or warning.

Looking at the implementation of this protocol handler, and at
how Explorer shell objects are addressed, we can compose a
"special" URL that places a shell object (or a drive path) in
the "location" crumb, so that explorer.exe is launched searching
a specific place on the victim's machine.

For example:

search-ms:displayname=Search%20In%20Google.com&crumb=location:%3A%3A{20D04FE0-3AEA-1069-A2D8-08002B30309D}&stackedby=System.ItemTypeText&recurring:true

This opens explorer.exe; if you close the tab from which Explorer
was called, explorer.exe closes too.

search-ms:displayname=Search%20In%20Google.com&crumb=location:D%3A%5C&stackedby=System.ItemTypeText&recurring:true

This one opens Explorer and breaks the search box:

search-ms:displayname=%3D[]%20OR%20%3D%20OR%20%3D%20OR%20%3D&location:

The displayname parameter can be used to spoof the search
location: in this case it shows Google.com, so the victim may
think the browser is searching google.com.

If we put this URL directly in Safari's address bar, the browser
says it cannot open the URL because it does not know the
associated program.

But if we pass the URL in an iframe, Safari shows no warning:
it executes the URL and searches the victim's files.

If we pass this URL to Firefox, it shows a warning, and if we
click Allow the search is executed; in a link or in an iframe
the result is the same.

With Google Chrome, if we put the URL in the address bar, Chrome
searches for it on Google (not directly affected); but in an
iframe or a link it shows a warning, and after clicking Allow
the search is executed.

IE8 shows a warning, but this particular search is not executed
because Explorer considers the URL malformed; other URLs can be
composed that do work in IE8 as well.

When explorer.exe is launched, the process is called with these
parameters; this "injection" executes at command-line level:

c:\windows\explorer.exe /separate,/idlist,%1,%L

I have been doing several tests trying to obtain this other command line:

c:\windows\explorer.exe /N,%windir%\system32,
/select,%windir%\system32\calc.exe

but at this moment I cannot pass this command line through an
iframe with the search-ms protocol.


Can a remote user collect the result of this local search?
I don't know of any way to do it; but we can, for example, cause
a DoS against Explorer by composing an HTML document with three
or four iframes that call search-ms, which can be used to slow
the PC down or to abuse the search indexer or explorer.exe.

A link containing just the bare protocol, search-ms:, opened in
three or four Explorer windows, can exhaust memory, and in some
cases explorer.exe crashes.

I exchanged some mails with MSRC (Microsoft), and our final
conclusion is that at this moment this is not a security
vulnerability in IE8, because it shows the warning and we have
not found an attack vector to bypass the restrictions of the
search-ms implementation and turn it into remote command
execution or remote code execution.

This is the final response from Microsoft:
#######################################

We have completed our investigation into this issue
and believe there is not a security issue here for
Microsoft to address. Our investigation has not shown
any method whereby a search-ms URL could either execute
arbitrary code or return search results to a third party.
Although additional search windows can be generated from
multiple iframes on a web page, this is a temporary DoS
condition. We can find no security issue with the search-ms
protocol itself. As such, this is not something MSRC would track.

Please let me know if you feel we have missed something
in our analysis. Otherwise, I will be closing the MSRC
case down. I do appreciate you taking the time to report
this to us and working with us throughout the investigation.
########################################

But remember that when we call the search-ms protocol from a
web page it executes this:
c:\windows\explorer.exe /separate,/idlist,%1,%L

So at this moment it is not a vulnerability in IE, but I think
this issue needs to be tracked...

###############End#####################

Thanks to Estrella for being my light.
Thanks to all the Lostmon Team!!
Thanks to the MSRC (Microsoft Security Response Center)
for their support. http://blogs.technet.com/msrc/
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
 
