Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Allow arbitrary URLs, expect arbitrary code execution - 460

Positive Security - Fabian Braunlein & Lukas Euler. Posted 4 years ago
  • URLs are a magical way to reference a resource or an application. The most common type of URL we see is the https URL. However, what if these could be used in a malicious way? This article demonstrates how an application that does not validate the scheme of a URL could lead to code execution.
  • OSes commonly handle links for us. With different URI handlers, they can do different things on the computer for us. Desktop applications like to open the specified links for us. On Windows, this is commonly done via ShellExecute; on Linux, this is done with xdg-open. If these do not sanitize the input, code execution may result.
  • The author goes into how to exploit these issues per platform. However, instead of discussing each of the OSes, we'll talk about the individual issues that were being exploited.
  • The NextCloud Desktop client was using openURL of the native OS in order to open the proper data. However, because the URLs were not sanitized at all, this left open the possibility for exploitation. How would one go about this?
  • On Windows and Linux, using the sftp (secure ftp) URI, an attacker could embed a proxy telnet command which would run on the user's machine when clicked on. Additionally, using SMB to load arbitrary jar files could also work. On the Telegram Desktop client, a similar issue to the one above was found that allowed for the same exploitation path.
  • On VLC, if a user loads a malicious playlist on their local machine, clicking on the links can be a security issue. When a jar (compiled Java code) is loaded on Windows, this leads to RCE. By specifying a remote file (with two leading backslashes, \\) or a file URI path, this runs user code. On Linux, the lack of an auto-mount feature means this cannot be exploited remotely.
  • On LibreOffice, clicking on a link could be abused on both Windows and multiple versions of Linux in order to execute arbitrary commands. As before, this auto-mounts a file to the local machine and then executes the jar file.
  • The last several findings are all the same: click on a malicious link and pop a shell within the client. A similar issue exists with Mumble, the Bitcoin/Dogecoin wallet and Wireshark.
  • The bonus vulnerability is an issue with WinSCP. By creating a specially crafted winscp URL, it will pop a shell! WinSCP decided that this was a security issue and fixed it.
  • A couple of things should be noted about this article. First, in order to exploit these issues, specific software sometimes needs to be installed (such as WinSCP). Secondly, these do require some user interaction in most cases.
  • Overall, awesome article diving into the world of bad URL links. In the future, I'll be on the lookout for this!
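The fix the article keeps coming back to is validating the URL scheme before the link reaches ShellExecute or xdg-open. Below is an added defender-side example (not code from the article or from any of the clients it covers) of such a check: an allowlist of schemes plus a rejection of UNC, drive-letter and file-system paths, so that sftp, smb, file, winscp and \\host\share style links never reach the OS handler. The allowed scheme set and the `opener` callback are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Schemes the application is willing to hand to the OS URL handler.
# Everything else (sftp, smb, file, winscp, ...) is refused up front, so the
# OS never gets to map an unexpected scheme to a helper program.
# (Assumed allowlist; adjust to what the application actually needs.)
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Inputs that are not URLs at all but which ShellExecute/xdg-open would still
# open: UNC paths (\\host\share, //host/share), drive-letter paths (C:\...),
# and relative or absolute file-system paths (./x, ../x, /x, \x).
_LOCAL_PATH = re.compile(r"^(\\\\|//|[A-Za-z]:[\\/]|\.{0,2}[\\/])")


def is_safe_to_open(raw) -> bool:
    """Return True only for links the application should pass to the OS opener."""
    if not isinstance(raw, str):
        return False
    url = raw.strip()
    if not url:
        return False
    # Control characters can split or disguise the scheme; refuse them outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    if _LOCAL_PATH.match(url):
        return False
    parts = urlsplit(url)
    scheme = parts.scheme.lower()          # "HTTPS:" is still https
    if scheme not in ALLOWED_SCHEMES:
        return False
    # Web links must carry a real host; "https:example.com" has no netloc.
    if scheme in ("http", "https") and not parts.netloc:
        return False
    return True


def open_if_safe(raw, opener) -> bool:
    """Hand the link to `opener` (e.g. webbrowser.open, or a wrapper around the
    platform's ShellExecute/xdg-open call) only if it passes the check.
    Returns whether the link was actually opened."""
    if not is_safe_to_open(raw):
        return False
    opener(raw.strip())
    return True
```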