Closed
Bug 250356
Opened 21 years ago
Closed 21 years ago
Mozilla / Firefox will execute local programs in the system32 dir using the shell: code in html
Categories
(Firefox :: Shell Integration, defect)
Tracking
()
VERIFIED
DUPLICATE
of bug 250180
People
(Reporter: Perrymonj, Assigned: bugs)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
-----snip------
center><br><br><img src="nocigar.gif"></center>
<center>
<a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
src="http://windowsupdate.microsoft.com%2F.http-
equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
[customise as you see fit]
<http://www.malware.com/stockpump.html>
------end----------
The code above has interest to me.
Even in Mozilla the commands below will work.
<a href=shell:windows\\system32\\calc.exe>1</a>
<a href=shell:windows\system32\calc.exe>2</a>
<a href=shell:windows\system32\winver.exe>4</a>
Just save them to an .html file and run it.
The first one with the double quotes was from bugtraq:
Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
<http://seclists.org/lists/bugtraq/2004/Mar/0188.html>
The links below that will run calc as well as winver.
It seems it calls windows as a virtual dir because c:\winxp is what I have.
I have been playing around to see if cmd.exe will work with it but without luck.
This is what is in the registry.
HKEY_CLASSES_ROOT\Shell
Look in the registry key above. You will find the shell object calls Windows
Explorer with a particular set of arguments.
%SystemRoot%\Explorer.exe /e,/idlist,%I,%L
Basically, I have been able to call several programs from the /system32 in
mozilla using the shell: call. This could easily be exploited with a BO if
passed to the correct local program.
Reproducible: Always
Steps to Reproduce:
1.<a href=shell:windows\system32\calc.exe>2</a>
2.<a href=shell:windows\system32\winver.exe>4</a>
3.
Actual Results:
After clicking on the links above in XP / Firefox 1.9 the specified applications
are launched.
Expected Results:
Mozilla should possibly blasklist the shell: protocol????
Comment 1•21 years ago
|
||
Already public and fixed.
*** This bug has been marked as a duplicate of 250180 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
thank you for your report, in the future if you could report it to us a day
before you mention it to full-disclosure instead of the other way around, that'd
be nice. :)
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•