PGP key for vulnerability reports

Yves Younan yyounan at
Wed Nov 27 11:58:13 EST 2013

On 27 Nov 2013, at 9:49, Daniel Atallah <datallah at> wrote:

> It looks like this may be browser specific behavior (or perhaps OS specific).
> I'm unable to recreate this scenario on a Windows 7 test VM with the http handler set to Firefox 25.0.1 (I do have Java 1.7.0_45 registered as the handler for .jar files).
> The ShellExecute call is what fails (returns ERROR_FILE_NOT_FOUND) - the same thing that happens when I try to invoke "file:///C:/windows/notepad.exe".
> The behavior is clearly different than when using Start->Run with the same URL.

In Pidgin the URL is a little different: file://C:\Windows\notepad.exe is the correct URL to execute a program in Pidgin.
Here’s also a .jar file that will execute (i.e. remote code execution) notepad with a file argument (C:\:users\desktop.ini): file://\\\DavWWWRoot\test.jar (note this may take up to a minute the first time as it needs to connect and download etc.)

> That looks like what I'm hoping the browser would do (and the filtering that we've been counting on by sending everything to the browser).
> I guess we probably should filter out "file" URLs using the file scheme, but if we can't trust the browser just blacklisting that scheme doesn't seem like it solves very much.
> I don't like the idea of maintaining a blacklist of patterns that we should be filtering (or a whitelist either for that matter) - it isn't a reasonable thing for each application to maintain.
> I won't have time to test this any time soon, but is it likely that we're only vulnerable if the browser isn't doing the right thing (based on my inability to recreate it above)?
> What are the specifics of the OS and default browser configuration under which you were able to demonstrate the issue?
I’ve tried it on multiple 64-bit Windows 7 machines with the default browser being both Firefox and Chrome. Now, the way you’re calling ShellExecute, it doesn’t matter which browser is the default. You’re calling ShellExecute with “explorer.exe”. That will pass http:// etc. URLs to the default browser as you expect, but it will handle file:// itself. That’s why you’re seeing a difference in behaviour. Open an Explorer window (not IE, the shell explorer) and enter file://C:\Windows\notepad.exe in the address bar there. You’ll see it executes the program. The same thing happens for the .jar file, and this is the behaviour that Pidgin is exhibiting.
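The thread above turns on one point: handing an untrusted URL to the shell (here via explorer.exe) lets the shell decide what a file:// URL means, so the application itself has to decide which schemes it is willing to forward. The following is an added example, not Pidgin's own code or anything from this thread: it allow-lists the URL scheme (http and https only) before the URL is passed on, so that file://, bare drive paths such as C:\..., UNC/WebDAV paths and any other scheme are refused. The function names launch_url() and url_is_safe_to_open(), the allowed-scheme list and the ShellExecute call under _WIN32 are assumptions for the demonstration; on non-Windows builds the launch step is a stub and only the check runs.

```c
/* Added example (not Pidgin's code): allow-list the URL scheme before
 * handing a URL to the shell. launch_url()/url_is_safe_to_open() are
 * hypothetical names standing in for the application's own URL wrapper. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Schemes the application is willing to hand to the default browser
 * (constructed list). Everything else, including file:, is refused. */
static const char *const allowed_schemes[] = { "http", "https", NULL };

/* Copy the RFC 3986 scheme of url into buf (lower-cased) and return its
 * length, or 0 if url does not start with a well-formed "scheme:" prefix.
 * Note that a drive path such as "C:\Windows\notepad.exe" parses as the
 * one-letter scheme "c"; an allow-list rejects it naturally, whereas a
 * deny-list of just "file" would let it through. */
static size_t url_scheme(const char *url, char *buf, size_t buflen)
{
    size_t i = 0;

    if (!isalpha((unsigned char)url[0]))
        return 0;                       /* e.g. "\\\\server\\share" or "" */
    while (url[i] && url[i] != ':') {
        unsigned char c = (unsigned char)url[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return 0;                   /* not a scheme character */
        if (i + 1 >= buflen)
            return 0;                   /* scheme too long for buf */
        buf[i] = (char)tolower(c);
        i++;
    }
    if (url[i] != ':')
        return 0;                       /* no "scheme:" prefix at all */
    buf[i] = '\0';
    return i;
}

/* true only if url carries an allow-listed scheme and no control characters. */
bool url_is_safe_to_open(const char *url)
{
    char scheme[16];

    if (url == NULL || url_scheme(url, scheme, sizeof scheme) == 0)
        return false;
    /* Control characters (newline, NUL-adjacent bytes, DEL) never belong in a
     * URL we forward; refuse the whole string rather than try to clean it. */
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return false;
    for (size_t k = 0; allowed_schemes[k] != NULL; k++)
        if (strcmp(scheme, allowed_schemes[k]) == 0)
            return true;
    return false;
}

/* Forward an allow-listed URL to the default browser; refuse all others.
 * Returns true if the URL was accepted (and, on Windows, launched). */
bool launch_url(const char *url)
{
    if (!url_is_safe_to_open(url)) {
        fprintf(stderr, "refusing URL with disallowed scheme: %s\n",
                url ? url : "(null)");
        return false;
    }
#ifdef _WIN32
    /* Assumption for the example: open the already-checked http/https URL
     * through the handler registered for that scheme. ShellExecute reports
     * success with a value greater than 32. */
    return (INT_PTR)ShellExecuteA(NULL, "open", url, NULL, NULL, SW_SHOWNORMAL) > 32;
#else
    return true;                        /* non-Windows stub: check only */
#endif
}
```

The check is deliberately an allow-list rather than a "file" deny-list: the scheme grammar accepts a single letter, so "C:\..." would slip past a deny-list as scheme "c", and schemes like javascript: or mailto: would need their own entries forever. Rejecting anything not explicitly http or https answers the thread's worry about maintaining a pattern list: the list is two entries and the decision no longer depends on what explorer.exe or the default browser does with unexpected input.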

