Cross Application Scripting Demo / URI Vulnerabilities Demo (Trillian 0-day)

by: Nate Mcfeters - nate dot mcfeters AT gmail

Billy (BK) Rios - billy dot rios AT gmail

Raghav "the Pope" Dube



We've posted a snippet of some of the research we've done on Cross Application Scripting and URI exploitation...
It's time we showed another example of how dangerous these URI handler vulnerabilities can be...

The first example will write a batch file (pwnd.bat) with attacker-controlled contents to the Windows startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup).
The bat file simply opens up calc.exe the next time Windows is restarted.

The second example takes advantage of a BOF in aim.dll... we overwrite SEH...

A demonstration of each vulnerability is given below. The user must have Trillian or an AIM client installed (aim.dll).
Although there are several ways to trigger this vulnerability, this particular example can be launched by doing the following:

1 - Browse to this page with Internet Explorer and click one of the demonstration links
2 - Enjoy

====================================================================

AIM: URI Handler 0-day here
(a file named "pwnd.bat" is written to the Windows startup folder, which executes calc.exe when the system is restarted)


AIM: URI Handler BOF 0-day here (AIM.DLL Buffer Overflow)

====================================================================

Unregister ALL Unnecessary URIs NOW!!

The first example shows the dangers of passing unfiltered arguments to programs that have registered URIs...(much like the firefoxurl: vulnerability).
The second example shows that EVEN IF ARGUMENTS ARE SANITIZED by the browser, many programs can be remotely pwnd via registered URIs and poor development practices.

Registered URIs are a remote gateway to applications on YOUR system....
This is just the tip of the iceberg, other (MANY OTHER) URIs are vulnerable.....
You don't want us to POST them all...Unregister ALL Unnecessary URIs
(This specific example uses IE, but this is NOT just an IE issue)

Erik Cabetas was nice enough to create this VBS program to help you enumerate all the registered URIs on your machine.... here
Look for the "Dump URL Handlers" (DUH.vbs) program. You can run the program with the following command: cscript.exe //Nologo DUH.vbs.
You'll be surprised at the number of registered URI Handlers on your system...
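If you'd rather not run the VBS, here is an added PowerShell equivalent (our own example, not Erik's DUH.vbs) that lists every registered URL protocol and the command line it launches. It assumes a Windows box with PowerShell, and relies on the standard registration layout: a "URL Protocol" value on the scheme's HKCR key, with the handler under shell\open\command.

```powershell
function Get-UrlProtocolHandler {
    # A scheme is registered as a URL protocol when its HKCR key carries a
    # "URL Protocol" value (usually empty). The program that gets launched,
    # and how the URI is passed to it, lives under shell\open\command.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol') } |
        ForEach-Object {
            $cmdKey  = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [PSCustomObject]@{
                Scheme       = $_.PSChildName
                Command      = $command
                # %1 (or %L) means the whole URI, attacker text included, is
                # handed to the program: the unfiltered-argument pattern the
                # first demo above relies on.
                PassesRawUri = [bool]($command -match '%[1lL]')
            }
        }
}

# Dump the handlers, sorted by scheme, so you can decide which ones to drop.
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize

# To unregister one you don't need, export the key as a backup first, then:
#   Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\<scheme>' -Recurse
# (<scheme> is a placeholder for the protocol name from the Scheme column.)
```

Run it from an elevated prompt if you intend to remove anything; listing works as a normal user.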