Re: [Full-Disclosure] shell:windows command question

["Keith " <keith@xxxxxxxxxxxx>]

I am the one that reported
http://bugzilla.mozilla.org/show_bug.cgi?id=167475.  Since, I saw the debug
team marked the report public, I will comment on it.  I agree with Andreas
that it is a very serious security flaw.  When I was playing around with it
I found some of the suffixes it responded to are 

 

mov

grp

its

mp3

txt

ppt

doc

xls

xsl

avi

psd

ai

js attempts to run with wscript

vbs attempts to run with wscript

reg

zip

sql opens in notepad.exe

mdb

shs (scrap)

chm

config opens in visual studio

aspx opens in visual studio

dbs opens in visual studio

eml

 

The most obviously dangerous extensions being .vbs, .js, .reg.  I am sure
there are many more.    This is dangerous as any program called by the
command runs with local zone privileges.  So until the patch is applied any
script or program can be called from the address bar by shell:pathtofile.
Also, Andreas is right about the potential of a buffer overflow.  Along with
the .mp3 and .grp extensions he mentioned, .eml files also seem to be
susceptible to this.  Hopefully the patch will be available soon and it will
stop more then just the extensions named in previous posts. 

 

As a side note, I was very impressed with the Mozilla team's response.  They
were very fast and Bugzilla keeps the reporter in the loop.  On the other
hand, when I reported a similar use of the shell command to MS and explained
how it could be used to escalated privileges their replay was "Thank you for
your note. While a remote server can get local data to display in the client
browser window by using these protocol handlers, it is not able to read the
data itself."  As we have seen, Jelmer and http-equiv have shown that this
certainly is the case.