Black Hat : The Google Teabag (and other URI tricks)

WASHINGTON,
DC.  There are alot of
different ways to trick browsers into letting hackers do things that they
should not be allowed to do. Some of them have to do with URIs.

 In a presentation at
Black Hat, security researchers Nathan McFeters and Rob Carter argued that URI
exploitation is an area that is still ripe for further analysis and
exploitation.

 URI’s allow browsers to load applications and protocols for
example http:// for web and ftp:// for FTP. Other common URI’s are AIM:// for
instant messaging and firefoxurl:// for loading a Firefox browser.

 McFeters noted that every URI
registered on your system can be interacted with by a browser. Application
developers commonly create URI hooks into their apps. Sometimes those URI hooks
can be used by an attacker to do ‘bad’ things.

One such application with a URI
hook is Google’s Picassa photo application. That’s where the T-bAG (trust based
applet attack) comes in. The attack involves a user clicking on a Picassa URI
(Picassa://) that causes a button to be loaded inside of a user’s Picassa
application. In a nutshell, when the button is clicked the users images can be
stolen by the attacker.

Carter and McFeters were quick to
note that Google has now mostly fixed the URI issue by doing additional URI
bound and validation checks.

McFeters also demonstrated what he
called ‘Stupid IM Tricks’ where by taking advantage of IM URIs he could trigger
a message to be sent from a victim’s machine.

Scary stuff actually that looks
dead easy to do, in my opinion.

Overall McFeters sees URIs as a
target rich environments that affect Windows, Linux and Mac. To make matters
even worse McFeters argued that in many cases there is no need for the URI
(which could lead to an exploit) to exist in the first place.

“I don’t think there is a
real reason why we need protocol handlers most aren’t really useful,”
McFeters said.