I would like to point out some interesting research by Thor Larholm that deals with URL Protocols.
The subject of URL Protocols was recently researched within the Watchfire Security Team as well, and we reached findings that differ from, yet complement, those of Thor.
A URL Protocol is a mechanism built into browsers for handing specific URL types off to external applications.
For example, the URL mailto://[email protected] opens an Outlook compose window that is ready to send an e-mail to [email protected].
What actually happens is that the mail application is executed with specific arguments (parameters). The most interesting thing to note, though, is that in Internet Explorer this execution is performed automatically (without user interaction) and can be forced on your browser by the site you are browsing.
Here are some ideas that Watchfire's Security Team had on the security implications of this feature:
- If an attacker ever had complete control over a remote system and wanted to leave a simple backdoor, he/she could simply register a new URL Protocol in the registry (CMD://, for example) that executes the URL it receives in a CMD prompt. This would let the attacker send shell commands to the victim's computer every time the victim opens a browser and visits the attacker's web site.
- Of special interest is the callto:// protocol. By default this protocol is configured to execute the NetMeeting application, but it executes Skype instead if Skype is installed on the computer. This can be exploited in various ways:
  - The attacker can initiate a call from the victim's computer to himself and thereby tap the microphone on the victim's computer.
  - The attacker can initiate many calls on behalf of the victim and thereby waste the victim's money.
  - The attacker can initiate a conference call to himself and to a person he/she wants to talk to, and the victim will be the only one paying for it.
- A page can contain many links to a specific URL Protocol (mailto://, for example) that are followed automatically, opening many Outlook processes and creating a DoS condition that cannot be resolved by closing the browser.
- Microsoft's Media Player has repeatedly suffered from published, known buffer overflows. These usually stem from bugs in the way the application parses media files; as a rule of thumb, Microsoft suggests that you only use trusted media files. Several URL Protocols let an attacker make the browser automatically open Microsoft's Media Player with untrusted streams.
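The backdoor idea above (a CMD:// handler that hands the received URL to a command prompt) is easy to spot from the defender's side, because every URL Protocol a browser will honour has to be registered under HKEY_CLASSES_ROOT with a "URL Protocol" value and a shell\open\command line. The following added example, which is not from the original post or from Watchfire, audits a `reg export HKCR` style dump for such registrations and flags handlers that launch a command interpreter or splice the URL (%1) into the command line unquoted. The registry dump embedded below is constructed for illustration; the application paths in it are placeholders, not real product paths.

```python
import re

# Constructed sample of a "reg export HKCR" dump (not taken from a real machine).
# Layout follows the Windows URL protocol registration scheme:
#   HKEY_CLASSES_ROOT\<scheme> carries an empty "URL Protocol" value, and
#   HKEY_CLASSES_ROOT\<scheme>\shell\open\command holds the launch command line.
# Application paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\mailto]
@="URL:MailTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="\"C:\\Program Files\\MailClient\\mail.exe\" /m \"%1\""

[HKEY_CLASSES_ROOT\callto]
@="URL:CallTo Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\callto\shell\open\command]
@="\"C:\\Program Files\\VoipApp\\voip.exe\" \"/callto:%1\""

[HKEY_CLASSES_ROOT\cmd]
@="URL:cmd Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\cmd\shell\open\command]
@="cmd.exe /c %1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

KEY_RE = re.compile(r'^\[(HKEY_CLASSES_ROOT\\[^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Interpreters that will execute whatever text they are handed.
SHELL_INTERPRETERS = ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
    return keys


def url_protocol_handlers(keys):
    """Map each registered URL scheme to its shell\\open\\command line (None if absent)."""
    handlers = {}
    for path, values in keys.items():
        parts = path.split('\\')
        # A protocol registration is a direct child of HKCR carrying the "URL Protocol" value.
        if len(parts) == 2 and 'URL Protocol' in values:
            cmd_key = keys.get(path + r'\shell\open\command', {})
            handlers[parts[1].lower()] = cmd_key.get('')
    return handlers


def _percent1_quoted(cmd):
    """True if every %1 occurrence sits inside a double-quoted token."""
    idx = cmd.find('%1')
    while idx != -1:
        if cmd[:idx].count('"') % 2 == 0:
            return False
        idx = cmd.find('%1', idx + 2)
    return True


def risky_handlers(handlers):
    """Flag schemes whose handler is a command interpreter or takes %1 unquoted."""
    findings = {}
    for scheme, cmd in handlers.items():
        if cmd is None:
            continue
        reasons = []
        if any(interp in cmd.lower() for interp in SHELL_INTERPRETERS):
            reasons.append('command interpreter as handler')
        if '%1' in cmd and not _percent1_quoted(cmd):
            reasons.append('unquoted %1 argument')
        if reasons:
            findings[scheme] = reasons
    return findings


if __name__ == '__main__':
    handlers = url_protocol_handlers(parse_reg(SAMPLE_REG))
    for scheme, cmd in sorted(handlers.items()):
        print(f'{scheme}:// -> {cmd}')
    print('risky:', risky_handlers(handlers))
```

On a real system the same functions can be fed the output of `reg export HKCR dump.reg`; the mailto and callto entries are reported as registered handlers, while only the cmd registration is flagged, for both of the reasons the post describes: the handler is a command interpreter, and the URL reaches it unquoted.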
I hope that this research sheds more light on the dangers of URL Protocols and emphasizes the risk of allowing sites to control external application execution through the browser without user interaction.
Billy Rios, Nathan McFeters, and Raghav Dube posted the paper they submitted to DEF CON about URIs here, which has some additional info and ideas: http://www.xs-sniper.com/nmcfeters/URI_Use_and_Abuse.pdf
And then there's also the 0day in Trillian they found: http://www.xs-sniper.com/nmcfeters/Cross-App-Scripting-2.html
Posted by: kuza55 | July 17, 2007 at 04:47 PM