SSD Advisory – VK Messenger (VKontakte) vk:// URI Handler Commands Execution
Credit to Author: SSD / Noam Rathaus | Date: Sun, 11 Mar 2018 10:51:34 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope
Vulnerability Summary
The following describes a vulnerability in VK Messenger that is triggered through an improperly handled URI.
VK (VKontakte; [..], meaning InContact) is “an online social media and social networking service. It is available in several languages. VK allows users to message each other publicly or privately, to create groups, public pages and events, share and tag images, audio and video, and to play browser-based games. It is based in Saint Petersburg, Russia”.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Affected Version
VK Messenger version 3.1.0.143
Vendor Response
The vendor responded that the problem no longer affects the latest version, but did not provide any information on when it was fixed or whether it was fixed because someone else reported this vulnerability.
Vulnerability
The VK Messenger, which is part of the VK package, registers a URI handler on Windows in the following way:
When the browser processes a 'vk://' URI, it is possible to inject arbitrary command-line parameters into vk.exe, since the application does not properly parse them. Injecting the '--gpu-launcher=' parameter executes arbitrary commands; injecting the '--browser-subprocess-path=' parameter executes arbitrary commands as well. Network share paths are allowed, too.
Example of the attack, encoded in HTML entities:
<iframe src='vk:?" --gpu-launcher="cmd.exe /c start calc" --'></iframe>
When the malicious page is opened, a notification box asks the user to open VK.
NOTE: The application is not in the auto-startup items, and the issue will work if the application is not already running.
Proof of concept code is provided as an attachment.
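For the defensive side, here is an added Python example that is not part of the advisory or of VK's code: a check over process-creation command lines that flags vk.exe launches carrying the two Chromium switches named above (and whether their value points at a network share), plus the kind of allowlist validation the URI handler should apply to its argument before handing it to the browser engine. The sample command lines, the install path, the share path and the "im?sel=123" URI are constructed assumptions.

```python
import re

# Chromium/CEF switches named in the advisory: each makes the browser spawn an
# attacker-chosen program instead of its own helper subprocess.
DANGEROUS_SWITCHES = ("gpu-launcher", "browser-subprocess-path")

# Process-creation command lines in the shape Sysmon Event ID 1 / Windows 4688
# would record for vk.exe. All three are constructed samples, not real telemetry;
# the install path, share path and the "im?sel=123" URI are assumptions.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\VK\vk.exe" "vk://im?sel=123"',
    r'"C:\Program Files\VK\vk.exe" "vk:?" --gpu-launcher="cmd.exe /c start calc" --"',
    r'"C:\Program Files\VK\vk.exe" "vk:?" --browser-subprocess-path=\\fileserver\pub\tool.exe --"',
]

IMAGE_RE = re.compile(r'(?:^|\\)vk\.exe"?(?:\s|$)', re.IGNORECASE)
SWITCH_RE = re.compile(
    r'--(' + '|'.join(DANGEROUS_SWITCHES) + r')(?:=(?:"([^"]*)"|(\S*)))?', re.IGNORECASE)

def inspect_command_line(cmdline):
    """Return one finding per dangerous switch seen on a vk.exe command line.
    Each finding records the switch, its value and whether the value is a UNC
    share path (the advisory notes network share paths are accepted too)."""
    if not IMAGE_RE.search(cmdline):
        return []                      # not a vk.exe launch: out of scope
    findings = []
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else (m.group(3) or "")
        findings.append({
            "switch": "--" + m.group(1).lower(),
            "value": value,
            "unc_path": value.startswith("\\\\"),
        })
    return findings

# Characters a vk: URI legitimately needs. Whitespace and quote characters are
# excluded, so an argument that tries to close the "%1" quoting and append
# switches cannot pass.
SAFE_URI_RE = re.compile(r'^vk:(?://)?[A-Za-z0-9._~%/?=&#@:+,-]*$')

def is_safe_vk_uri(uri):
    """Allowlist check a URI handler should apply to its %1 argument."""
    return SAFE_URI_RE.match(uri) is not None

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(inspect_command_line(line) or "clean", "<-", line)
```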