Google Apps googleapps.url.mailto handler command injection

Added: 10/13/2009
BID: 36581

Background

Google Apps is a web-based productivity suite hosted by Google.

Problem

Google Apps handles googleapps.url.mailto URLs by passing the URL as a command-line argument to the googleapps.exe program without sufficiently validating the URL. This allows command execution when a user opens a specially crafted web page.

Resolution

Do not open HTML pages from untrusted sources, or deregister the URL handler by deleting the following registry key: HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open.
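The deregistration step above can be scripted so that the handler's registered command line is recorded and the key is backed up before it is deleted. This is an added example, not part of the original advisory or vendor guidance; the registry path is the one named above, the shell\open\command subkey is the standard Windows location for a verb's command line, and the backup file location is an assumption.

```powershell
# Added example: audit and deregister the GoogleApps.Url.mailto URL handler.
# The key path comes from the Resolution text; $BackupPath is an assumed location.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupPath = "$env:TEMP\GoogleApps.Url.mailto-open.reg"
)

$regKey = 'HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open'
$psKey  = "Registry::$regKey"   # provider-qualified form for the PowerShell cmdlets

if (-not (Test-Path -LiteralPath $psKey)) {
    Write-Output "Handler not registered: $regKey"
    return
}

# Record the command line the handler launches (default value of shell\open\command),
# so the finding can be documented before the key is removed.
$cmdKey = "$psKey\command"
if (Test-Path -LiteralPath $cmdKey) {
    $cmd = (Get-Item -LiteralPath $cmdKey).GetValue('')
    Write-Output "Registered command: $cmd"
}

if ($PSCmdlet.ShouldProcess($regKey, 'Back up and delete URL handler key')) {
    # Export the key first so the change can be reverted by importing the .reg file.
    if (Test-Path -LiteralPath $BackupPath) { Remove-Item -LiteralPath $BackupPath -Force }
    & reg.exe export $regKey $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; key left in place." }

    Remove-Item -LiteralPath $psKey -Recurse -Force

    # HKEY_CLASSES_ROOT is a merged view of the per-machine and per-user class hives,
    # so confirm the handler is gone from the merged view.
    if (Test-Path -LiteralPath $psKey) {
        Write-Warning "Key still present; rerun elevated if it is registered per-machine."
    } else {
        Write-Output "Handler deregistered. Backup saved to $BackupPath"
    }
}
```

Running the script with -WhatIf reports whether the handler is present and what command it launches without changing the registry.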

References

http://www.securityfocus.com/archive/1/506888

Limitations

The exploit works on Google Apps 1.1.110.6031 and requires a user to open the exploit page in Internet Explorer.

The exploit.exe file must be downloaded from the exploit server and placed on the specified SMB share before this exploit can succeed.

Platforms

Windows
