I am the one that reported http://bugzilla.mozilla.org/show_bug.cgi?id=167475.
Since I saw the debug team marked the report public, I will comment on
it. I agree with Andreas that it is a
very serious security flaw. When I was playing around with it I found
some of the suffixes it responded to are:

  mov
  grp
  its
  mp3
  txt
  ppt
  doc
  xls
  xsl
  avi
  psd
  ai
  js      attempts to run with wscript
  vbs     attempts to run with wscript
  reg
  zip
  sql     opens in notepad.exe
  mdb
  shs     (scrap)
  chm
  config  opens in visual studio
  aspx    opens in visual studio
  dbs     opens in visual studio
  eml

The most obviously dangerous extensions being .vbs, .js,
.reg. I am sure there are many more. This is dangerous
as any program called by the command runs with local zone privileges. So
until the patch is applied any script or program can be called from the address
bar by shell:pathtofile. Also, Andreas is right about the potential of a
buffer overflow. Along with the .mp3 and .grp extensions he mentioned,
.eml files also seem to be susceptible to this. Hopefully the patch will
be available soon and it will stop more than just the extensions named in
previous posts. As a side note, I was very impressed with the Mozilla
team’s response. They were very fast and Bugzilla keeps the
reporter in the loop. On the other hand, when I reported a similar use of
the shell command to MS and explained how it could be used to escalate
privileges, their reply was "Thank you for your note.
While a remote server can get local data to display in the client browser
window by using these protocol handlers, it is not able to read the data itself.”
As we have seen, Jelmer and http-equiv have shown that this certainly is the
case. Keith McCanless |
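The post's point is that a browser handed a shell: URL passes the target to whatever local handler is registered for its extension, so the only safe client-side policy is an allowlist of schemes rather than a blocklist of extensions. The following is an added example, not code from the post, from Mozilla or from any of the people in this thread: a navigation guard that parses the scheme the way a URL parser does (strip surrounding controls and spaces, drop embedded tab/newline, lowercase), allows only an assumed allowlist of http, https and mailto, and for shell: targets reports which of the extensions the post lists the target carries. The grouping of the post's extensions into "runs a script" versus "opens in a local application", the allowlist itself and the sample URLs are all assumptions made for this example.

```javascript
// Added example (not from the original post or Mozilla). A URL-scheme
// allowlist guard in the spirit of the post's argument: anything that is
// not http/https/mailto is refused, and shell: targets are annotated with
// the extension the post reports the handler acting on.

// Assumed allowlist for this example.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Extensions the post names. The three it calls "most obviously dangerous"
// are grouped as script-executing; the rest open a local application.
// (Assumed grouping for this example.)
const SCRIPT_EXTENSIONS = new Set(["vbs", "js", "reg"]);
const OPENED_EXTENSIONS = new Set([
  "mov", "grp", "its", "mp3", "txt", "ppt", "doc", "xls", "xsl", "avi",
  "psd", "ai", "zip", "sql", "mdb", "shs", "chm", "config", "aspx", "dbs", "eml",
]);

// Extract the scheme the way a URL parser does: trim leading/trailing C0
// controls and spaces, remove embedded tab/CR/LF, then take the prefix up
// to the first ':' if it is alpha followed by alnum/'+'/'-'/'.'.
function parseScheme(rawUrl) {
  let s = String(rawUrl).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  if (!m) return { scheme: null, rest: s };
  return { scheme: m[1].toLowerCase(), rest: s.slice(m[0].length) };
}

// Last suffix of the last path component, ignoring query and fragment,
// accepting both '\' and '/' as separators since shell: paths are Windows paths.
function extensionOf(path) {
  const clean = path.split(/[?#]/)[0];
  const last = clean.split(/[\\/]/).pop();
  const dot = last.lastIndexOf(".");
  if (dot < 0 || dot === last.length - 1) return null;
  return last.slice(dot + 1).toLowerCase();
}

// Classify a navigation target. Relative URLs (no scheme) stay allowed;
// everything else must be on the allowlist. shell: is reported in detail.
function classifyNavigation(rawUrl) {
  const { scheme, rest } = parseScheme(rawUrl);
  if (scheme === null) return { verdict: "allow", reason: "relative URL", ext: null };
  if (ALLOWED_SCHEMES.has(scheme)) {
    return { verdict: "allow", reason: `scheme ${scheme} allowlisted`, ext: null };
  }
  if (scheme === "shell") {
    const ext = extensionOf(rest);
    if (ext !== null && SCRIPT_EXTENSIONS.has(ext)) {
      return { verdict: "block", reason: `shell: target runs a script (.${ext})`, ext };
    }
    if (ext !== null && OPENED_EXTENSIONS.has(ext)) {
      return { verdict: "block", reason: `shell: target opens .${ext} in a local handler`, ext };
    }
    return { verdict: "block", reason: "shell: handler not allowlisted", ext };
  }
  return { verdict: "block", reason: `scheme ${scheme} not allowlisted`, ext: null };
}

// Constructed sample inputs for a stand-alone run.
for (const u of ["https://example.test/page", " SHELL:c:\\temp\\run.VBS",
                 "sh\tell:c:\\x.reg", "shell:windows\\system32\\calc.exe"]) {
  console.log(JSON.stringify(u), "->", JSON.stringify(classifyNavigation(u)));
}
```

Two details worth noticing: the scheme check runs after tab and newline characters are stripped and the result is lowercased, so "SHELL:" and "sh<tab>ell:" are both recognised, which a naive `startsWith("shell:")` test would miss; and a bare Windows path such as "c:\temp\x" parses as scheme "c", which the allowlist refuses by default, the conservative outcome for a guard of this kind.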