288 bytes, text/html
7.69 KB, text/html
345 bytes, text/html
2.88 KB, patch
Darin Fisher: superreview+
|Details | Diff | Splinter Review|
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020815 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020815 Mozilla 1.0.1rc1 (Build ID #20020815), Windows 2000 Server SP3 MSIE 5.01 SP2;Q321232 If I click on link with HREF beginning with "vbscript:", MSIE opens with VBscript operators in location bar. In my case, MSIE is reporting about errors, but, maybe, another MSIE or Windows versions will execute VB code. When I click to Reload button in MSIE, VB code runs. I think, this is critical security problem. See attachment as demo. Reproducible: Always Steps to Reproduce:
This is IMHO invalid. vbscript: is a registered Windows-Protocol (like hcp: with WinXP ;) and Mozilla is doing "the right thing" (TM). If you dont want this, alter you registry. BTW: Why should starting/running IE considered an exploid? Millions of lemmings are doing this every day...
If we'll going to support all protocols which Mozilla doesn't understand as "native" Windows protocols throw registry, we lose the main advantage of Mozilla - security. >Why should starting/running IE considered an exploid? >Millions of lemmings are doing this every day... Well-known fact is that MSIE is highly unsecure browser, see http://www.pivx.com/larholm/unpatched/ If anyone will can launch MSIE on my computer when I see pages with Mozilla (or, more, if anyone will can place <iframe src="vbscript:..."> in HTML e-mail message), I willn't see any reasons to use Mozilla as reliable and secure browser. I was extremely struck when I clicked a link on Web page and MSIE pops up. Previous versions (0.9.x, 1.0, 1.1b) didn't have this bug, and I categorically don't want see this in future versions.
if this is a "new" behavior you might be right.. bug 163308 is about something similar. Because of this, Mozilla will most likely suffer from this http://online.securityfocus.com/archive/1/287482/2002-08-10/2002-08-16/0 WindowsXP bug.
I don't know if this is designed behaviour or not, but just like we won't launch an .exe file outright, I think we shouldn't let this happen either. I for one definitely do not ever want IE to be launched on my computer.
I don't see this behaviour with Build 2002081204 on Windows NT. I have IE6 installed, but it is not invoked.
Build 2002081204, probably, has no problem. But I see this bug in build 2002081506, downladed from ftp://ftp.mozilla.org/pub/mozilla/releases/mozilla1.0.1rc1/ mozilla-win32-1.0.1rc1-installer-sea.exe
*** This bug has been marked as a duplicate of 163767 ***
This bug shouldn't be duped against a request for a pref. I think a blacklist, like the one we use for known dangerous file types, would be appropriate here if we can't get a "this protocol is dangerous" bit from the operating system.
Here's a quick & dirty attempt at using this feature to have Mozilla open IE and direct IE to open a particular URL. If this can be done, then many of the available IE exploits can also target some Mozilla users. <img src="vbscript:</script><body onload=document.location='http://mozilla.org'>"> However, unless I disable script debugging in IE, I have to dismiss a script error dialog box before IE opens the target URL. (And I realize that this won't work the same on all computers in all configurations. YMMV.) By the way, the "cdo:" and "vnd.ms.radio:" protocols also open IE (on my pc).
Jason, I confirm, this exploit runs on my system too. Changing severity to "blocker" because this is really big hole. See my comments: http://bugzilla.mozilla.org/show_bug.cgi?id=163767#c25
All exploits run also in 1.0.1rc2 (build ID: 2002082306)
Changing priority and target milestone - this bug must be resolved before 1.0.1 release.
manko, don't do that. see http://bugzilla.mozilla.org/queryhelp.cgi#severity is this a networking or security bug?
This is an extremely dangerous security bug. Roots of this bug are growing, certainly, from networking (see bug 163767), but this bug is critical for any stable release, because it can bring to mass and easy exploiting and cracking of numerous Moz+Win systems not only during Web-sufring, but even by sending e-mail. This bug is more danger that notorious bug 141061. Please, change severity to blocker or critical.
Created attachment 96821 [details] Exploit - opening IE with redirection to any URL. Idea by Jason Summers.
This bug persists also in 1.1 release. Changing severity (oh, excuse me, Daniel!). Adding an exploit - you can get this code by e-mail and your system will be cracked.
Adding mscott since he added this feature -- any objection to ripping it out? We can add a whitelist pref so sites using these features could add some back if they want to take their chances. End-users would generally make the wrong choices so shouldn't need UI for this.
I consider this bug critical from security point of view. Suggest mozilla does *NOT* open external applications in any way without asking the user. On windoze some applications register their protocol handlers (like mirc IIRC) and this type of exploits should not be exploitable from mozilla - the users may perceive it is mozilla's fault because they got exploited from mozilla.
Does latest Netscape 7 have this bug? If yes, it's very sadly...
Yeah, we should pop up a confirmation dialog for external protocol handlers just like we do with external helper applications.
@ email@example.com: I let a friend of me test exploit 1 and 3 on his Windows 98 machine using NS7 (I don't have any Windows-machine here), he said they are working! Not a good start fow a new Netscape release... :(
I greatly hope, this bug will be fixed soon, and patch for Mozilla 1.1 and Netscape 7 (or versions 1.1.1 and 7.0.1) will be released in in a few days. In Russian, "the awl cannot be hidden in a sack", in english, "murder will out". Time presses... :( For the moment, I higly recommend return to Mozilla 1.1b as the most safe and stable.
Adding Ben to demonstrate him dangerous effect of external protocols without opening a new bug.
Also persists in Mozilla 1.0.1
Most security dialogs annoy users more than they improve security. I don't think a warning dialog would be appropriate here. Either there's a huge hole in some external program that isn't a plug-in and having a warning dialog doesn't help, or there isn't a huge hole and the dialog is simply annoying. I would prefer to blacklist vbscript: but allow magnet:, irc:, aim:, etc. to continue working with one click.
Why don't we treat external protocol handlers exactly the same as external helper apps, which pop up a dialog by default?
Blacklist of danger protocols in not a bad idea, but we also must disable using external protocols in cases other that <a href> (see bug 163767), otherwise exploit #2 will work anyway with "trusted" external protocols. I think the best choice might be complete removing external protocols from Networking core and moving its support in <a href>/<area href> tags binding.
Commenting comments 27 and 29: Black list is a bad idea, though better than nothing. I suggest white list, empty by default. There are huge holes in mirc and IE and probably application foo. By opening the above automatically, the overall securty of mozilla is equal to the most insecure application which has protocol handler. And I strongly doubt the average Joe uses strange protocols. The user should be aware what mozilla starts - the same way with plugins and helper applications. And all external applications should be documented, so I can disable them :)
Georgy, do you agree to me about issue of bug 167475 (enabling external protocols only in links)? It's a main idea of comment #29, I consider that is even more important that black/white lists.
I think the important issue is not to start external applications which the user has not approved. Clicking on a link is considered a safe operation, so I don't think limiting to <a> is a solution at all.
I agree, but enabling (even with confirmation, even with maximal restrictions) external protocols in cases other that links is, imho, ideological mistake. That's my summary from 167475: Exploits for this bug are dangerous mainly if external protocol handler is being requested automatically from HTML code via <IMG SRC="externalprotocol:URL">, <IFRAME SRC="externalprotocol:URL"> and other similar cases. With relation to common sense, invoking an external protocol is nonsense in this case, because <ANYTAG SRC="..."> is request to return some data in browser, not for launch external application. Assuming that user has enabled some protocol, for example, irc: to start IRC chat by pressing a link. He has opened web page with HTML code: <iframe|img src="irc:some.url.there"> And he has seen IRC window to appear on screen suddenly (without his deliberate request) and empty iframe (or broken image icon in case <IMG SRC=>) in page. Absurd, isn't it?
I agree with George. A blacklist is too fragile. Better would be a whitelist which the user can configure like they do with helper apps, and which Mozilla distributors can add to --- although Mozilla.org should ship an empty whitelist.
Guninski, comment 30: > By opening the above automatically, the overall securty of mozilla is equal to > the most insecure application which has protocol handler. And you would rather have Mozilla be as secure as the most insecure application which has a protocol handler plug one warning dialog? That's a valid position to take, but I don't think the dialog would gain us enough security for it to be worth the annoyance. Guninski, comment 30: > The user should be aware what mozilla starts - the same way with plugins and > helper applications. I'm not notified the first time Mozilla uses the flash plugin. When a program registers a URL scheme, it's essentially registering itself as a plugin for all browsers installed. It doesn't make sense to require a plugin or plugin mimetype to be whitelisted, so I don't see how it makes sense to require a url scheme or url-scheme-handling program to be whitelisted. By the way, mIRC and Shareaza pop up dialogs when you follow irc:// and magnet:// links, respectively. These dialogs explain exactly what will happen when you click ok to the dialog. This makes the proposed Mozilla dialog redundant, and makes the application's dialog (which is more important) less likely to be read. If Mozilla has a whitelist, applications will find a way to add themselves to Mozilla's whitelist when they are installed, and having a whitelist won't accomplish anything.
For comment 35: >And you would rather have Mozilla be as secure as the most insecure application >which has a protocol handler plug one warning dialog? That's a valid position >to take, but I don't think the dialog would gain us enough security for it to be >worth the annoyance. This is much better than blindly executing the external application. An option "silently ditch everything external" is also an option. > I'm not notified the first time Mozilla uses the flash plugin. On my computer the flash plugin does not start because of it security history - I have rm'ed it . It is in known location and mozilla advertise it as plugin. This does not apply for the vbscript: protocol. >By the way, mIRC and Shareaza pop up dialogs when you follow irc:// and >magnet:// links, respectively. These dialogs explain exactly what will happen >when you click ok to the dialog. This makes the proposed Mozilla dialog >redundant, and makes the application's dialog (which is more important) less >likely to be read. But the vbscript: protocol does not ask you anything, right? I vote for an empty whitelist. The fact that this bug is open shows that there is a bug with vbscript and mozilla. If the next IE install a protocol msbar: , should mozilla release a new version to blacklist it? If a worm takes an advantage of IE's bugs and owns mozilla users, what shall mozilla.org tell - "it is not our fault, just our blacklist is a bit incomplete" ?
I'm not so much worried about external 3rd party apps that the user may download and which may, at some point in the future, add themselves to the Mozilla whitelist. First of all, the user has to install those themselves. Secondly, they are not likely to accidentally launch Internet Explorer or some other piece of Microsoft "middleware" with a large number of potential holes. I'm more worried about the pile of URL schemes that Microsoft ships by default in Windows that are likely to launch a very large amount of code that we don't trust and that the user did not specifically ask for. If Microsoft starts adding those schemes to Mozilla's whitelist, well, we'll fight that battle when we come to it. But I will bet you one dollar they will not do that.
Win WinXP with SP1, you can delete entire directories by getting the user to click on a link. See http://22.214.171.124/helpcenter.htm for discussion and an example (which will delete a test directory!). It involves invoking an hcp: url, ironically part of the Help Center code in sp1. From the page: To try it out, do the following, but, BE WARNED, it will delete ANYTHING you put in the "test" directory. (I should point out, sub-directories aren't deleted, and user permissions may have an effect) Create a folder called "test" at the root directory of your hard drive. (i.e: c:\test\) Put some files in it (junk, files you don't care about losing - create some new text documents or something). Then, copy and paste the "link" below into your address bar and hit enter. Wait a few seconds, the "Help Center" should pop up.. then, once you've closed the help center, check that directory again. You should notice the files in the directory you created are gone.. This should be frightening to any Windows XP user, because anyone could link it on any webpage.. definatly a terrible flaw in the Windows Help Center included in XP. copy and paste this link into your address bar and hit enter.. hcp://system/DFS/uplddrvinfo.htm?file://c:\test\* - or click here.
Oh yeah, one more comment from there: Easy Fix(es) ... 3. <del>Use a browser other than IE</del> (doesn't work - mozilla did the same thing as ie)
This is a blocker for 1.2beta.
adt wants this, but we need to see a branch patch to approve.
Guninski, comment 36: > On my computer the flash plugin does not start because of it security history - > I have rm'ed it . It is in known location and mozilla advertise it as plugin. > This does not apply for the vbscript: protocol. Ignoring the Windows operating system settings for protocol handlers would be an odd thing to do, considering that one common complaint about Mozilla is that it does not honor operating system settings. rm'ing Flash is a pretty geeky thing to do. Possible geeky prefs: - A button to open the Windows prefs for URL schemes and file types. - An add-on that creates a UI for HKEY...\PROTOCOLS\Handler\ within Mozilla's prefs. - "Alert me the first time I use each installed plug-in". But since most users don't look through prefs this obscure, we should concentrate on debating the defaults. Guninski, comment 36: > This is much better than blindly executing the external application. An option > "silently ditch everything external" is also an option. You have yet to convince me that putting up a dialog is better than "blindly executing" the OS's default app for a protocol and using a blacklist for protocols known to open Internet Explorer. In my previous comment, I mentioned two ways it's worse: users are less likely to read mIRC's or Shareaza's more informative dialogs after seeing our dialog, and our dialog would only protect some users while annoying most. Me, comment 35: >> By the way, mIRC and Shareaza pop up dialogs when you follow irc:// and >> magnet:// links, respectively. Guninski, comment 36: > But the vbscript: protocol does not ask you anything, right? Correct. roc+moz, comment 37: > I'm more worried about the pile of URL schemes that Microsoft ships by default > in Windows that are likely to launch a very large amount of code that we don't > trust and that the user did not specifically ask for. So you're letting Microsoft dictate to us that we cannot make Mozilla as compatible with plug-in-like programs as Internet Explorer is?
For Comment #42: Jesse Ruderman, are you aware of the amount of web/email malware for IE? Do you realize that a very small modification of most of this malware will make Mozilla on windows vulnerable (via IE) - it will work from both web and HTML email? Once again blacklist is not a solution.
> > I'm more worried about the pile of URL schemes that Microsoft ships by > > default Windows that are likely to launch a very large amount of code that > > we don't trust and that the user did not specifically ask for. > > So you're letting Microsoft dictate to us that we cannot make Mozilla as > compatible with plug-in-like programs as Internet Explorer is? I'm not letting Microsoft dictate anything. I'm looking at these Microsoft-specific URL schemes and concluding that on the balance, the security risks outweigh their usefulness in Mozilla. (Note that most Microsoft-specific URLs probably won't even work in Mozilla without ActiveX and IE-specific HTML/CSS/DOM support.) Note that Microsoft is in the habit of forcing "upgrades" down users' throats so the list of schemes we want to ignore is quite likely to grow faster than the user upgrades Mozilla. Hence a whitelist is required. If we do a careful analysis of a particular URL scheme that seems particularly useful in Mozilla and particularly risk-free, then we can add that scheme to the whitelist. Your mIRC and Shareaza protocols might be candidates. BTW one of my fundamental ideas is that Mozilla.org code should prefer security over convenience to a greater degree than other distributors of Mozilla.org code might. This is because it's much easier to detect inconvenience and reconfigure or patch Mozilla to fix it, than it is to detect insecurity and fix that. Also, users of Mozilla.org code are on average geekier than most users. So while I would recommend a whitelist for all Mozilla distributors, if Netscape (say) decided to change that, or add a number of protocols to their whitelist, I'd understand.
I think, redundant confirmation for IRC clients (for example) is not a problem - according bug 167473 user may remember one's decision and afterward see only IRC client dialogs. I vote for empty whitelist just now and for whitelist containing well-known usable protocols (irc://, magnet://, realaudio:// etc.) with confirmation dialog for each one when bug 167473 will be implemented. Further, if software developers will want to introduce their own additional protocols, they may register it in Mozilla whitelist. But remembered user decisions for confirmation dialogs must be saved in user profile in order to prevent developers from launching their applications without user confirmation.
Echoing dveditz, adt wants this, but we need to see a patch.
Also see bug 172498..
Comment #8 shows approximately when the bug get introduced. What about removing the checkin that introduced the bug?
Bug 172498 demonstrates that genie breaks away from a bottle... I have a suggestion about new algorithm for protocol handlers, see bug 167475 comment #9 But now we can use this regfile to avoid exploiting: ----- begin of EXTERNAL.REG ----- REGEDIT4 [-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\hcp] [-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\vbscript] [-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\vnd.ms.radio] ----- end of file ----- I use this and for the time being don't see something unwanted.
I have entered bug 173010 for discussions about whitelist.
CCing myself & Evelyn Prime MacAdam.
Comment on attachment 102263 [details] [diff] [review] Patch - blacklist known dangerous protocols r/sr=darin for the code changes (modulo any changes to the list of explicitly blocked external protocol handlers).
Comment on attachment 102263 [details] [diff] [review] Patch - blacklist known dangerous protocols sr=dveditz
Mitchell, it's great! I can suggest this (taken from Windows 2000 & XP system registry): cdl: ipp: its: local: mhtml: mk: ms-its: msdaipp: res: sysimage: But, according Georgi Guninski's comment #36, whitelist with mailto:, irc:, magnet:, realaudio: and, probably, another established and usable protocols could be a better solution. I hope, "reverting" logic of patch isn't so difficult.
Comment on attachment 102263 [details] [diff] [review] Patch - blacklist known dangerous protocols firstname.lastname@example.org for 1.0 branch. CHange mozilla1.0.2+ to fixed1.0.2 when checked in. I still do worry about not having a whitelist, but this is a step forward.
When this is checked in to the trunk let's mark this one "fixed" and use one of the other bugs for the more general/flexible solution since that work doesn't need to be confidential.
*** Bug 172498 has been marked as a duplicate of this bug. ***
Fix checked in on trunk and 1.0 branch, adding fixed1.0.2.
Verified on 2002-10-11-branch build on Win 2000 Clicked on the Demonstration and nothing happened. This is the expected result. Added keyword verified1.0.2. Will change status to Verified Fixed after verifying the bug on latest trunk.