Abusing browser news URL handlers

Time for some more fun with browser URL handlers! This time we'll take a look into abusing the handlers for news/snews/nntp. Check out Fingerprinting Browsers Using Protocol Handlers, Abusing the "data" Protocol to Patsy Third Parties and Web browser DoS using javascript protocol in iframe src for previous posts regarding browser URL handling shenanigans.

Windows Mail is the default news reader in Windows Vista and is launched by default and without warning whenever a snews/news/nntp URL is opened in Safari, Firefox and Chrome.

Adding arbitrary newsgroups

Whenever the client is launched from within the browser, the destination news server is added to the user's list of newsgroups regardless of whether an NNTP server answers. When the client is closed, all invalid added newsgroups are lost unless we can cause the client to crash.

Denial of Service

It just so happens that Windows Mail fails horribly due to a stack overflow when given 8+ simultaneous connections which lets us crash a user's client from within the browser.

If the client is not already open then it's opened and then crashed. Ten connections should be sufficient to cause a crash just in case the user manages to close a couple.

Here's a video demonstration of the stack overflow:

Now that we know we can crash a user's client, let's leave a message for the user using the names of newsgroups (see image below).

Window Bombing

Miss the days of JavaScript popup window bombs? Launching a hundred instances of Windows Mail is equally annoying:

How about adding 1,000 news groups to their client?

Decloaking

Perhaps the most interesting and useful application of Windows Mail client abuse from within a browser is the ability to decloak a user behind a proxy. If the client is not configured to use a proxy, we can force it to connect directly to an NNTP server under our control. All we need is an NNTP server and a single line of code:

Where 127.0.0.1:119 is the host:port of our server. For a simple listening server I used ruby-nntpd. Just add "puts sock.peeraddr" in the run method around line 170 of nntpd.rb and you're good to go:

It's not exactly stealthy as a warning message is thrown (see image below) but may still be of some use for those of you who like offensive-defense.

Notes

JavaScript was used to make the proof of concept code easier to read. It does not need to be enabled to perform any of these tricks.

Google Chrome doesn't like opening more than one instance of Windows Mail. As a result, of the tricks above only decloaking is possible in Chrome.

Opera is not affected.

Internet Explorer 9 does not allow Windows Mail to launch without user confirmation. Earlier versions of IE are untested.

If the Windows Mail client is not installed, no news reader is present, or the snews/news/nntp URL handlers are disabled, then the browser will throw a warning advising that it does not know how to handle the snews/news/nntp URL.
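Since the last note above is the practical mitigation (a browser that finds no registered handler simply warns instead of launching Windows Mail), here is an added PowerShell audit script for checking which of the three schemes a Windows host will dispatch to an external application, with an option to turn them off. This is example code written for this page, not something from the original post or from Microsoft. It assumes the standard URL-protocol registration layout in the registry (an `HKCR:\<scheme>` key carrying a `URL Protocol` string value, with the launched command line under `shell\open\command`); the `-Disable` switch is a name chosen here.

```powershell
# Added example (not from the original post): audit the news/snews/nntp URL
# protocol handlers on a Windows host and optionally disable them.
# Assumption: handlers follow the usual layout
#   HKCR:\<scheme>                     -> has a "URL Protocol" string value
#   HKCR:\<scheme>\shell\open\command  -> (default) holds the command line
# Whatever command appears here (Windows Mail on Vista, per the post, or
# another reader) is simply read back from the registry.

param(
    # Hypothetical switch: strip the "URL Protocol" marker so browsers stop
    # treating the scheme as something to hand to an external program.
    [switch]$Disable
)

$schemes = 'news', 'snews', 'nntp'

# HKCR: is not always present as a PowerShell drive; mount it if needed.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

foreach ($scheme in $schemes) {
    $key = "HKCR:\$scheme"
    if (-not (Test-Path $key)) {
        Write-Output "$scheme : not registered (browser will warn instead of launching a client)"
        continue
    }

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $isHandler = ($null -ne $props) -and ($null -ne $props.PSObject.Properties['URL Protocol'])
    $cmdKey = "$key\shell\open\command"
    $cmd = if (Test-Path $cmdKey) {
        (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    } else { '<no command registered>' }

    if ($isHandler) {
        Write-Output "$scheme : browser-dispatchable handler -> $cmd"
        if ($Disable) {
            # Removing only the marker value keeps the key (and any non-browser
            # use of it) intact while browsers no longer dispatch the scheme.
            # Writing to HKCR requires an elevated session.
            Remove-ItemProperty -Path $key -Name 'URL Protocol'
            Write-Output "$scheme : 'URL Protocol' value removed; restart open browsers to pick up the change"
        }
    } else {
        Write-Output "$scheme : key exists but is not marked as a URL protocol -> $cmd"
    }
}
```

Run it without arguments from any session to see which schemes a page can use to launch a news reader on that machine; run it with `-Disable` from an elevated prompt to apply the mitigation. Any of the window-bombing, newsgroup-stuffing or decloaking behaviours described above depends on the browser finding a dispatchable handler, so the audit output is a quick way to tell whether a given host is exposed at all.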

Appendix

PoC: Proof of Concept [Live]

Video: Crash Windows Mail client from a web browser [PoC]