
Abusing Protocols to Load Local Files, Bypass the HTML5 Sandbox, Open Popups - jontro
https://www.brokenbrowser.com/abusing-of-protocols/
======
dvt
Exotic protocols being somewhat susceptible to exploits is nothing new
(Chrome, Firefox, and Safari have had these in the past as well) and they
generally get fixed pretty quickly.

However, the fact that the "read:" protocol is a thing -- and the fact that it
works the way it works -- is absolutely insane. Who in their right mind would
think that's a good idea? Forget sandboxing, whose bright idea was it to let a
web browser access local files willy-nilly? Mind-boggling.

The first thing I'd say if someone came to me with that idea is (a) no way and
(b) if you really want to do it, you need a security mechanism like 300x
stronger than CORS and probably a popup that lets the user know what's going
on.

~~~
Klathmon
Even (b) is pushing IMO. There's a reason the standards have evolved to be
this restrictive. If you want to allow a way to get around those restrictions
(with "you" being a browser vendor), then you should go through the
standardization process.

9/10 these "good intentioned" additions to browsers end up being used in
exploits, and even if they aren't just being in one browser is rarely useful.

~~~
dvt
Yep, totally agree. The exploiting potential far outweighs the usefulness.

------
Animats
It's so Microsoft. Microsoft has a long history of executing anything that
looks executable, going back to "autorun" on CD-ROMs. This continued through a
long history of Excel and Word executable behaviors, most of which led to
exploits. For a few years, Microsoft cleaned up their act. But in the new
cloud-centric world of Windows 10 and the Edge browser, it seems that
Microsoft has returned to their old strategy of invoking Microsoft products on
external data whenever possible.

The "ms-windows-store:" protocol is documented.[1] Some other fun things you
can launch:

- ms-people: - Opens the contacts list program.

- ms-settings: - Opens the settings program. Microsoft encourages using this
so that if your app wants, say, to access the microphone, and privacy settings
won't permit it, it can force the privacy settings app open to apply pressure
to the user to let the app use the microphone.

- ms-windows-store: - aim user at the Windows store for a specific item

- bingmaps:, ms-drive-to:, and ms-walk-to: - bring up the native map
application

- ms-tonepicker: - mess with ringtone settings

There's no mention of "read:", though.

However, any installed app can install new protocol IDs, and web pages can
then trigger that app. What could possibly go wrong?

[1] [https://msdn.microsoft.com/en-us/windows/uwp/launch-resume/launch-default-app](https://msdn.microsoft.com/en-us/windows/uwp/launch-resume/launch-default-app)

~~~
frik
Microsoft devs who were responsible for WinNT, Win32, IE3+ almost all retired
by now. A huge brain drain. Win10 and all of their products since around 2011
are such a mess and of rather lower quality than their older products, it's
not even funny anymore. It would be good for them to learn from their past
mistakes, like IE and ActiveDesktop had basically the same security problems -
that was fixed with WinXP and IE6, now with Win10 and Edge they are back in
WinME and IE 5.5 days.

~~~
JoeAltmaier
I thought the quality dive was coincident with abolishing their test teams?
Didn't they do that? Made all engineers responsible for their own testing.
Which is insane.

~~~
imglorp
Yeah good point. The timing does line up.

[http://www.networkworld.com/article/2453929/microsoft-subnet/would-microsoft-really-cut-its-qa-department.html](http://www.networkworld.com/article/2453929/microsoft-subnet/would-microsoft-really-cut-its-qa-department.html)

------
userbinator
_Next match in the registry is the calculator: protocol_

...

_There is a lot of interesting stuff here to play with, and if we keep
searching for protocols we will find tons of apps that open (including Candy
Crush which I didn’t know it was on my PC)._

The only thing in my mind when I read this was "_Why!? I don't even..._"
What sort of thought process (or perhaps lack thereof) led to this
ridiculously absurd situation of protocol proliferation? Who needs a
Calculator or Candy Crush protocol? What's worse is there doesn't seem to be
an easy way of viewing or modifying the list of registered protocol handlers.
Contrast this with earlier (Presto) versions of Opera, where the protocols are
configurable from the UI:

[http://www.freeemailtutorials.com/i/operaMailGenPrefs2.png](http://www.freeemailtutorials.com/i/operaMailGenPrefs2.png)

~~~
swiley
Configuration is evil and confusing. The users just need to be able to open
calculator from their friend's Facebook profiles.

~~~
rosstex
Brb cleaning up the coffee on my lap

------
Piskvorrr
Well, there you go. New IE, same as the old IE. Glad I don't have any of that
anymore - reading the article, I felt the dread of "but this browser has a
_special_ relationship with the OS" wash over me again. I prefer my
applications isolated, thank you very much.

(Yes, I know it's not-IE-anymore-nooosir. What's in a name?)

~~~
frik
No wonder. Edge is based on the improved and refactored IE11 (Trident) HTML
codebase. The rather good UI of IE 3-11 has been replaced with a lousy new UI.
One step forward, two steps backwards.

~~~
Piskvorrr
Well, I would think that "interoperating with external programs" is a part of
UI, not of the renderer - but that's a bit of a grey area.

------
Klathmon
Was this properly disclosed? Has it been fixed?

I didn't see anything in the article about this but I may have just missed it.

But aside from that, this is a pretty big deal. MS Edge has been looking
pretty good lately. It felt like they have been taking security more
seriously, and the new AppGuard stuff looked interesting, but even that
doesn't look like it would fix this as it looks like this is "working as
intended" letting any link communicate outside the "web sandbox".

I was hoping Edge wouldn't go down the same path that IE did with "special"
tie ins to the OS, but it seems they are still trying.

~~~
vesinisa
> I was hoping Edge wouldn't go down the same path that IE did with "special"
> tie ins to the OS

Any app on Android, iOS or Windows can register themselves as a handler for an
URI scheme. There is nothing "special" about that. It's up to the app author
to ensure this does not expose an attack surface.

~~~
Klathmon
Not saying it's special, but at least on chrome it will ask if you want to
open that link in another application. Here it seems at least built-in MS
applications are exempt from that.

~~~
matt_kantor
I believe that prompt is a Chrome feature, not an OS feature.

------
leephillips
I discovered a similar vulnerability in OSX in 2004. Some things change
slowly:

[https://lee-phillips.org/sshv.html](https://lee-phillips.org/sshv.html)

At the same time, others were discovering similar vulnerabilities using other
protocols. (I know the page looks like crap, so don't bother mentioning it.)

~~~
curiousgal
> it is trivial to construct URLs that execute arbitrary code on a _web surfer_'s machine.

Forget the design, it's "web surfer" that gives the old page's age away.

Joking aside, they've put more thought into the tel URL scheme, which allows
you to start a phone call on iOS, by disallowing the use of * and # [0].

[0] [https://developer.apple.com/library/content/featuredarticles/iPhoneURLScheme_Reference/PhoneLinks/PhoneLinks.html](https://developer.apple.com/library/content/featuredarticles/iPhoneURLScheme_Reference/PhoneLinks/PhoneLinks.html#//apple_ref/doc/uid/TP40007899-CH6-SW1)

------
oftenwrong
I submitted the same url earlier, but it seems the duplicate detection didn't
prevent this story from being created. Maybe because the headline was
different? Not complaining; just contrary to my expectations. What is the
logic behind HN's dupe-detection?

~~~
detaro
I believe it only looks back a very short time unless the old story has got
points (or comments?) above a certain threshold.

------
ryanlol
Here's a (rather nsfw, and potentially time consuming) website demonstrating
some older tricks like these, [http://hn.on.nimp.org/](http://hn.on.nimp.org/)

~~~
userbinator
GNAA LastMeasure, _extremely_ NSFW and somewhat well-known shocksite.

Noteworthy in that it uses alternative protocols to open dozens of other
windows, and thus is able to shock users quite a bit even with JavaScript off.

~~~
Senji
It's due for a rewrite with mobile browsers and hosing the host system with
expensive buffer reads and writes with canvas, and webworkers and the like.

------
gcb0
This is very well written. Felt like I was diving in at the same time as the
author.

------
ndesaulniers
> Let’s run the code and feel the break. Well, I feel it baby =) breakpoints
> connect me to my childhood.

lol

------
eximius
Is this windows only? I found the article somewhat hard to follow for some
reason.

~~~
dgoldstein
Yes. It's a problem with MS Edge's handling of custom URL schemes, which are
registered via the Windows registry.

------
g00gler
Site is offline :o

