Security experience: Beware of exploitation of Uniform Resource Identifier vulnerabilities

Source: Internet
Author: User

As networks have developed, vulnerabilities in application software have become endless. Although we should patch this software promptly, there are always neglected corners in the security field. The Uniform Resource Identifier discussed here is one example.

Many people who use the Internet know what a Web address is, or at least use the term "Web address" as a synonym for a URL (Uniform Resource Locator): a string that identifies a resource and can also be used to locate it.

In fact, a URL is a subset of the Uniform Resource Identifier (URI). URIs use a defined syntax that provides a simple and extensible way to identify and access Internet resources, regardless of which application the user is running. A URI begins with a scheme (service) name, such as the familiar "http" (Hypertext Transfer Protocol), which must be followed by a colon and then the scheme-specific part, for example:

http://cn.yahoo.com is a URI that identifies the Chinese Yahoo homepage. It also indicates that this page can be retrieved over HTTP from a network host named cn.yahoo.com.

Mozilla developers often use URIs starting with "rdf", which give access to a specific data source. For example, the URI "rdf:history" returns a data source containing information about the user's browsing history.

A URI can also be used to start an application from a browser. During installation, the browser automatically registers various URL protocol handlers in the registry, such as "mailto" and "nntp" (Network News Transfer Protocol). Each of these protocol handlers is associated with an application, so that the browser starts the appropriate software when it receives a request. For example, clicking a link that starts with "aim:goim" opens an AIM instant message window.

Although this feature makes it easier for applications to interact without burdening the user, many software developers do not fully understand the complexity of URIs or the possible consequences of registering them in the registry. Basically, adding a URI handler may increase the risk of attacks on the application.

Consider the case of Firefox. When this browser is installed, it registers a protocol handler called "FirefoxURL", which allows a URI in a Web page to start Firefox. Because of the way URL handlers are registered, Windows cannot tell which input or requests are valid. Therefore, when the browser encounters a URL that matches the FirefoxURL handler, it calls the ShellExecute command and passes the whole request along without confirming that any of the input is valid. In other words, nothing checks the commands passed to ShellExecute. By forging a malicious URL, an attacker can pass parameters and data to an external application, which runs when the requested URI is loaded. Malicious links are sent in an HTML email or embedded in a Web site.

Although Mozilla has released a patch, the URI issue is not limited to browsers. Researchers Billy Rios and Nathan McFeters claim that they have discovered a "function-based vulnerability exploitation program." By using protocol handlers and the legitimate features of popular software, the two researchers claim to have found a way to steal data from the victim's computer and upload it to a remote server.

Exploitation of this URI vulnerability creates a new round of problems for developers and users. Developers need to evaluate whether their applications have a legitimate reason to register a URI handler. Any application that registers one needs to validate all input data and ensure that it is clean. If attackers can exploit the vulnerability to execute applications, they will use the privileges of the targeted user to achieve their goals.
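One way an application that registers a handler could validate the URI it receives before acting on it. This is an added example, not code from the original article or from any product it mentions; the scheme name "exampleapp", the action table and the length and character limits are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

SCHEME = "exampleapp"                          # hypothetical registered scheme
ACTIONS = {"open": {"id"}, "chat": {"user"}}   # hypothetical action -> allowed parameters
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
MAX_LEN = 256


class RejectedURI(ValueError):
    """Raised when the URI handed over by the browser fails validation."""


def validate_handler_uri(raw: str) -> tuple[str, dict[str, str]]:
    """Return (action, params) for an acceptable URI, else raise RejectedURI."""
    if len(raw) > MAX_LEN:
        raise RejectedURI("too long")
    # Decode once, then refuse anything still carrying an escape, a quote,
    # a backslash, whitespace or a control character: these are what let one
    # argument turn into several when a command line is assembled.
    decoded = unquote(raw)
    if "%" in decoded or re.search(r'[\s"\'`\\\x00-\x1f\x7f]', decoded):
        raise RejectedURI("forbidden character")
    parts = urlsplit(raw)
    if parts.scheme != SCHEME or parts.netloc or parts.fragment:
        raise RejectedURI("unexpected scheme or structure")
    action = parts.path
    if action not in ACTIONS:
        raise RejectedURI("unknown action")
    params: dict[str, str] = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in ACTIONS[action] or name in params:
            raise RejectedURI("unexpected or repeated parameter")
        # A value starting with '-' could be read as a switch by a child process.
        if value.startswith("-") or not SAFE_VALUE.fullmatch(value):
            raise RejectedURI("unsafe value")
        params[name] = value
    return action, params


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for sample in ["exampleapp:open?id=42", 'exampleapp:open?id=42" -flag']:
        try:
            print(sample, "->", validate_handler_uri(sample))
        except RejectedURI as err:
            print(sample, "-> rejected:", err)
```

The handler should act only on the returned action and parameters, never on the raw string, and should pass them to any child process as separate arguments rather than as a concatenated command line.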

The URI scheme is a very valuable resource and can be used to solve problems across the global information space. However, developers who create a new URI scheme also create a new avenue that attackers can exploit.

The best way to defend against a possible URI attack is to install the latest patches from the browser vendor. Network administrators must remind their users not to open links to sites they do not trust, or to open any unsolicited HTML-format email. Attackers rely on user interaction: for such an attack to succeed, the victim must open a link to a malicious site or open a malicious email. Finally, security experts must ensure that user accounts have only the minimum access permissions necessary to complete their work.
