FORTINET, INC. FortiGuard Labs Threat Research Report
Affected platforms: Windows, Linux
Impacted parties: Chrome, Firefox and Edge
Impact: Leaking sensitive data
Severity level: Medium
Assigned CVEs: CVE-2020-15680
An important step in any targeted attack is reconnaissance. The more information an attacker can obtain on the victim the greater the chances for a successful exploitation and infiltration. Recently, we uncovered two information disclosure vulnerabilities affecting three of the major web browsers which can be leveraged to leak out a vast range of installed applications, including the presence of security products, allowing a threat actor to gain critical insights on the target.
In this post we will discuss what are protocol handlers and disclose two information disclosure vulnerabilities affecting three major browsers (namely - Firefox, Edge and Chrome). Exploiting these vulnerabilities will enable a remote attacker to identify the presence of a vast amount of applications that may be installed on a targeted system.
Overview - What Are Protocol Handlers?Generally speaking when talking about Protocol Handlers we are referring to a mechanism which allows applications to register their own URI scheme. This enables the execution of processes through the use of URI formatted strings.
The Windows OS manages custom URL handlers under the following key-
- HKEY_CURRENT_USERSOFTWAREClasses*
- HKEY_LOCAL_MACHINESOFTWAREClasses*
- HKEY_CLASSES_ROOT*
When a URL Handler is invoked the OS is searching within those locations for keys containing values with the name 'URL Protocol'.
For instance, we can use regedit to inspect the path at HKEY_CLASSES_ROOTmsteams and see that it contains the special Value of 'URL Protocol'.
Attachments
- Original document
- Permalink
Disclaimer
Fortinet Inc. published this content on 03 December 2020 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 04 December 2020 00:56:06 UTC
