web application security lab

WinSCP URI Handler Command Switch Parsing

Jelmer Kuperus found an exploit in WinSCP's URL handling: the scp: URI handler that WinSCP registers hands the URL it receives to the program's own command switch parsing, so a crafted link can supply switches the user never typed.  I've found similar problems with a few applications that add new interfaces or hooks into browsers by registering new directives (in this case it's scp:, but there are others, like mailto:, that have caused lots of problems in the past).

This one in particular is pretty scary because it can actually be used to download files onto your computer.  (If I wanted to be subversive I'd deliver it with a meta refresh or an iframe rather than a link the user has to click, but that's just me.)  Many other handlers can leak user information or otherwise interact with your computer in ways you probably didn't intend.  Browser hooks in general seem like a scary thing to me.

For instance, I was playing around with IE Tab in Firefox.  It seemed to me that allowing certain domains to render in IE lets you introduce IE-specific attack vectors into the Firefox platform by tricking the extension into thinking you are on a site you aren't.  I tried the usual tricks like redirection obfuscation, but no luck, because that module looks at the URL only after the page has been rendered, not before, so it matches the final URL rather than the one in the link.  Anyway, if it had worked it could have opened up a lot of serious issues.  I've seen similar problems with Greasemonkey's site-matching regexes, but I haven't had a lot of time to find exploits in the canned JS code, though I know it's definitely possible given the regexes I've seen.  These types of browser hooks are really scary because they aren't vetted properly.  The only saving grace here is that they aren't that prevalent.
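To make the failure mode concrete, here is an added example that is not from the original post and is not WinSCP's code: a hypothetical URI handler (`handler.exe`, a constructed name) shown two ways. `naive_argv` models a handler registered as `handler.exe %1` whose launcher re-tokenises the decoded URL, so a URL carrying an encoded space followed by something shaped like a switch turns into extra argv entries; `validate_handler_url` and `safe_argv` show the allow-list parse a handler should do instead, building argv as a list from validated fields so the URL string never reaches a command line. The schemes, host/user patterns, default port and `--port` option are all assumptions for the example.

```python
import re
import shlex
from urllib.parse import urlsplit, unquote

# Hypothetical handler and field names, constructed for this example.
ALLOWED_SCHEMES = {"scp", "sftp"}
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
USER_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def naive_argv(url):
    """argv a handler ends up with when it is registered as
    `handler.exe %1` (unquoted) and the launcher re-tokenises the
    decoded URL.  POSIX shlex rules stand in for the Windows splitter;
    the point that whitespace produces extra argv entries holds for
    both, and an entry that starts like a switch is then parsed as one."""
    return shlex.split("handler.exe " + unquote(url))


def looks_like_switch(token):
    """Token shapes a Windows-style (/x) or GNU-style (-x) option parser picks up."""
    return token.startswith("/") or token.startswith("-")


def validate_handler_url(url):
    """Strict allow-list parse of a URL handed to the handler.
    Returns the fields to pass on, or raises ValueError."""
    decoded = unquote(url)
    if any(c.isspace() or c in "\"'" for c in url + decoded):
        raise ValueError("whitespace or quote in URL (raw or decoded)")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host or not HOST_RE.match(host):
        raise ValueError("bad host")
    if parts.username is not None and not USER_RE.match(parts.username):
        raise ValueError("bad user")
    if parts.password is not None:
        raise ValueError("password in URL not accepted")
    # .port itself raises ValueError when the port is not an integer.
    port = parts.port if parts.port is not None else 22
    if parts.query or parts.fragment:
        raise ValueError("query/fragment not accepted")
    path = unquote(parts.path) or "/"
    if any(looks_like_switch(seg) for seg in path.split("/") if seg):
        raise ValueError("switch-like path segment")
    return {"scheme": parts.scheme.lower(), "user": parts.username,
            "host": host, "port": port, "path": path}


def is_accepted(url):
    """True if validate_handler_url accepts the URL, False if it rejects it."""
    try:
        validate_handler_url(url)
        return True
    except ValueError:
        return False


def safe_argv(url):
    """Build argv as a list from validated fields; the URL string itself
    never reaches a command line, so nothing in it can become a switch."""
    f = validate_handler_url(url)
    target = ("%s@%s" % (f["user"], f["host"])) if f["user"] else f["host"]
    return ["handler.exe", "--port", str(f["port"]), target, f["path"]]


if __name__ == "__main__":
    print(naive_argv("scp://example.org/%20/switch"))
    print(safe_argv("scp://alice@example.org:2222/home/alice/file.txt"))
```

The switch-like check on path segments is deliberately over-strict (a file legitimately named `-r` is refused); that is the right trade-off for input that arrives from a web page, and the real defence is the second half, never re-tokenising the string at all.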
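The site-matching problem above, as an added example that is not from the original post and is not IE Tab's or Greasemonkey's actual pattern: a hypothetical allow-list for `bank.example` (a constructed name) checked once with a loose regex of the kind extensions have used, and once by parsing the URL and comparing the whole hostname. The sample URLs are constructed; the attacker-controlled names use `.test` domains.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allow-list, constructed for this example.
TRUSTED_HOSTS = {"bank.example"}

# A loose pattern of the kind extensions have used for site matching:
# the host is not anchored on its right-hand side, so anything that
# merely begins with the trusted name matches.
LOOSE_RE = re.compile(r"^https?://bank\.example")


def loose_match(url):
    """Regex-only check: matches on a string prefix, not on the host."""
    return LOOSE_RE.search(url) is not None


def strict_match(url):
    """Parse the URL and compare the full hostname exactly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in TRUSTED_HOSTS


def disagreements(urls):
    """URLs the loose pattern would treat as trusted that the strict check refuses."""
    return [u for u in urls if loose_match(u) and not strict_match(u)]


# Constructed sample URLs.
SAMPLES = [
    "https://bank.example/login",
    "https://bank.example.attacker.test/login",   # trusted name as a leading label
    "https://bank.examplefoo.test/",              # prefix with no dot boundary
    "https://bank.example@attacker.test/",        # trusted name in the userinfo part
    "https://attacker.test/?next=https://bank.example/",
]

if __name__ == "__main__":
    for u in disagreements(SAMPLES):
        print("loose check trusts, strict check refuses:", u)
```

Whichever check is used, it has to run against the URL the page actually ended up at, after any redirects, which is what the post describes IE Tab doing; matching on the link you clicked, or on a pattern that stops at the end of the trusted name, is what the redirection tricks exploit.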

/RSnake

5 Responses to “WinSCP URI Handler Command Switch Parsing”

  1. 虚拟主机 Says:

    I know, a URI (Uniform Resource Identifier) provides a simple and extensible means for identifying a resource.

  2. ha.ckers.org web application security lab - Archive » Some Security Questions Answered Says:

    […] To the first question, it depends completely on how they are linking to you. If they are using an iframe to show the image, absolutely. If they are simply using an IMG SRC tag, you are pretty out of luck. I’ve experimented with all sorts of redirection techniques but have come up dry. The best I’ve come up with is making it redirect to a mailto: tag, which will launch the user’s mail client, which can embed text (HTML, I’m afraid, is not really an option there). You can do the same thing with the skype: directive if they have Skype installed, or the scp: directive if they have WinSCP installed (there’s actually a known exploit in WinSCP if you wanted to install malware). Another option is to have it link to RFC1918 (non-routable) address space to perform a function. Something like http://192.168.0.1/firewallsettings/makemeinsecure (this would only work if they were already logged in, the IP address was correct, and they had the correct type of router/firewall for whatever function we are talking about). Note that you can probably figure out the firewall/router that they are using since they are connecting to your machine and you’ll have their IP address by which to do recon. I don’t recommend doing any of this stuff, because they’ll know it’s you and you’ll probably end up in jail, but it can be done in theory. […]

  3. 数据恢复 Says:

    this would only work if they were already logged in, the IP address was correct, and they had the correct type of router/firewall for whatever function we are talking about). Note that you can probably figure out the firewall/router that they are using since they are connecting to your machine and you’ll have their IP address by which to do recon. I don’t recommend doing any of this stuff, because they’ll know it’s you and you’ll probably end up in jail, but it can be done in theory.

  4. RSnake Says:

    Well, it’s pretty easy to predict the correct username and password and IP address, since you want them to log into your machine, not theirs. Firewall/router has nothing to do with this unless they are blocking port 22 (none do by default). They’ll definitely know what the IP address is, but they won’t know it’s the attacker unless that IP address just happens to also be their IP address. There’s no reason they can’t use a hacked host for this.

