Fortinet Inc.

12/03/2020 | Press release | Distributed by Public on 12/03/2020 18:54

Leaking Browser URL/Protocol Handlers

FortiGuard Labs Threat Research Report

Affected platforms: Windows, Linux
Impacted parties: Chrome, Firefox and Edge
Impact: Leaking sensitive data
Severity level: Medium
Assigned CVEs: CVE-2020-15680

An important step in any targeted attack is reconnaissance: the more information an attacker can obtain about the victim, the greater the chances of successful exploitation and infiltration. Recently, we uncovered two information disclosure vulnerabilities affecting three of the major web browsers that can be leveraged to leak a wide range of installed applications, including the presence of security products, giving a threat actor critical insight into the target.

In this post we discuss what protocol handlers are and disclose two information disclosure vulnerabilities affecting three major browsers (namely Firefox, Edge and Chrome). Exploiting these vulnerabilities enables a remote attacker to identify the presence of a large number of applications that may be installed on a targeted system.

Overview - What Are Protocol Handlers?

Generally speaking, when we talk about protocol handlers we are referring to a mechanism that allows applications to register their own URI scheme. This enables processes to be launched through URI-formatted strings.

The Windows OS manages custom URL handlers under the following keys:

  • HKEY_CURRENT_USER\SOFTWARE\Classes\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*
  • HKEY_CLASSES_ROOT\*

When a URL handler is invoked, the OS searches those locations for keys containing a value named 'URL Protocol'.

For instance, we can use regedit to inspect the path HKEY_CLASSES_ROOT\msteams and see that it contains the special value 'URL Protocol'.
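As an added example that is not part of the FortiGuard report, the following PowerShell, run on a Windows host, lists every URI scheme registered the way described above and the command each scheme launches. It reads HKEY_CLASSES_ROOT, which is the merged view of the per-user and per-machine Classes keys, so a defender can see in one pass which installed applications a page probing protocol handlers could infer.

```powershell
# Added example (not from the report): inventory custom URL protocol handlers.
# A scheme is registered when a key directly under HKEY_CLASSES_ROOT carries a
# value named 'URL Protocol'; the launched command sits under shell\open\command.

$handlers = foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue) {
    # Keys beginning with '.' are file-extension associations, not URI schemes.
    if ($key.PSChildName.StartsWith('.')) { continue }

    # $key.Property holds the names of the values stored directly in this key.
    if (-not ($key.Property -contains 'URL Protocol')) { continue }

    # Resolve the command that would run when the scheme is invoked (may be absent).
    $command = $null
    $cmdKey = $key.OpenSubKey('shell\open\command')
    if ($null -ne $cmdKey) {
        $command = $cmdKey.GetValue('')   # '' selects the (Default) value
        $cmdKey.Close()
    }

    [PSCustomObject]@{
        Scheme  = $key.PSChildName
        Command = $command
    }
}

# One row per registered scheme, e.g. 'msteams' from the example in the text.
$handlers | Sort-Object Scheme | Format-Table -AutoSize
```

Run it in an elevated session if some HKLM-backed keys report access denied; the suppressed errors only hide keys the current user cannot read.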