Full Disclosure mailing list archives

Firefox 2.0.0.6 still vulnerable to URI flaw


From: "carl hardwick" <hardwick.carl () gmail com>
Date: Thu, 6 Sep 2007 10:24:25 +0200

http://xs-sniper.com/blog/2007/09/01/firefox-file-handling-woes/

, Nate and I have discovered a way to "…exploit a common handler with
a single unexpected URI…"  Once again, these URI payloads can be
passed by the mailto, nntp, news, and snews URIs, allowing us to pass
the payload without any user interaction.  So, it seems that although
the conditions which allowed for remote command execution in Firefox
2.0.0.5 have been addressed with a security patch, the underlying file
type handling issues which are truly the heart of the issue have NOT
been addressed.

We contacted Mozilla a while ago about the issue and they are
working on it.  We're going to refrain from giving out the exact
details of how this particular issue is executed (based mainly on the
efforts and conversations we've had with Jesse Ruderman), but we'll
include a screenshot of a payload in action.  In the screenshot below,
we use the mailto URI, which passes the URI to the Windows File
Handler, which calls the appropriate program (in this case Windows
Scripting Host), which in turn calls our attacker controlled file.
We've purposely pointed the Windows Scripting Host to a file that
doesn't exist as the error message allows the user to see that WSH is
using the URI passed from Firefox.

PoC here: http://xs-sniper.com/blog/wp-content/uploads/2007/09/file-handling.jpg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/