Fwd: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype
I know I've jumped on this conversation late, but it seems to me that this
is not a "URI/URL" handling problem. Like was mentioned earlier, this is
probably a content-type/file association/command string handling problem. I
was recently researching the image file "exploit" from splitbrain.org
(http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting).
During the research, I ran across the IE7 dev team's blog
(http://blogs.msdn.com/ie/archive/2005/02/01/364581.aspx) where they describe
how IE7 determines how to process content based upon the first 256 bytes of
the information rather than directly based upon how information is passed
from the server. I quote: "If it cannot find the clsid, the file will be Shell
Executed (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/reference/functions/shellexecute.asp)
and shell will use the extension to determine the application to handle the
file." So, I wonder if these two incidents are somehow related at the shell
process level.

In the original posting, the string
(mailto:test%../../../../windows/system32/calc.exe".cmd)
would be processed as a command script as indicated by the percent sign
(variable identifier) and the ".cmd", and "overwrite" the mailto initiator. In
the case of the ".doc" and ".txt", it appears the final association will
determine how the rest of the string is processed.

File association plays a role because the command line will attempt to launch
the default mail handler. This seems to indicate the problem is at a "lower"
level than the browser/mail client. This would explain why it works equally
well despite having Firefox, IE7, Thunderbird, or Outlook.

Based upon the IE7 blog posting, it seems this fundamental change may have
been introduced with IE7/XP SP2. However, this is mainly theory. I have
tested the "malicious" string on an XP (no service pack) and IE6. The string
was processed as described, meaning the default mail client (in this case
Outlook Express 6) launched with the string in the "TO:" line of a blank
email.

All of this may seem obvious, and if I'm re-stating information, I
apologize. As far as possible mitigation techniques, Microsoft also
described the "new functionality" of XP SP2 in this TechNet article,
http://technet.microsoft.com/en-us/library/bb457150.aspx. They describe what
registry settings can affect how content logic can be forced. I haven't
really tested this solution because I've been busy. But these are some loose
thoughts on the subject.

merigoth
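As an added illustration (not part of the original post or the thread), here is a defensive pre-check an application could run before handing a URI to the shell: it flags exactly the properties the post attributes to the malicious string (a stray percent sign, a quote, path traversal, and a trailing script extension). The extension list and the sample URI are constructed for the example.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Extensions the Windows shell maps to executable handlers (constructed, not exhaustive;
# ".com" is left out because it collides with the TLD in ordinary mail addresses).
SCRIPT_EXTENSIONS = ("cmd", "bat", "exe", "pif", "scr", "vbs", "js", "lnk")
ALLOWED_SCHEMES = {"mailto", "http", "https"}

# A well-formed percent escape is '%' followed by exactly two hex digits.
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# ".." as a whole path component, with either separator the shell accepts.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# A script extension followed by a non-alphanumeric character or end of string.
SCRIPT_EXT = re.compile(r"\.(" + "|".join(SCRIPT_EXTENSIONS) + r")(?=[^a-z0-9]|$)")

# The string from the original posting, as the sample input for this example.
SAMPLE_URI = 'mailto:test%../../../../windows/system32/calc.exe".cmd'


def uri_handoff_problems(uri: str) -> List[str]:
    """Return a list of reasons a URI must not be passed to a shell-level handler."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme %r not allowed" % parts.scheme)
    # Any '%' left after removing valid escapes is a stray one the shell may expand.
    if "%" in PERCENT_ESCAPE.sub("", uri):
        problems.append("malformed percent sequence")
    if '"' in uri or "'" in uri:
        problems.append("quote character")
    if TRAVERSAL.search(uri):
        problems.append("path traversal")
    for match in SCRIPT_EXT.finditer(uri.lower()):
        problems.append("script extension ." + match.group(1))
    return problems


def safe_for_shell_handoff(uri: str) -> bool:
    """True only when no problem was found; the caller should refuse otherwise."""
    return not uri_handoff_problems(uri)


if __name__ == "__main__":
    for reason in uri_handoff_problems(SAMPLE_URI):
        print("reject:", reason)
```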
