Hello, welcome to the Friday, May 24, 2019 edition of the Sansonet Storms and StormCast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Today we'll start out with a blog post by Dom, also known as Serapone, who is writing about the

dangers of custom URI schemes.

Now for the most part when we're talking about Y's, we're talking about YRIs that start

with HDP colon, maybe FTP colon, but the software can define its own URI schemes and

registered them, which means if you are

clicking on a link that starts with that custom URI scheme, this software may be executed.

Now you typically do get a warning, but you often expect this to happen.

Slack is a big example where this has caused problems in the past, and the problems usually

arise from the parameters being passed from DRI to the software.

Now DOM uses as an example here at the electronics are origin client.

It also defines an origin colon as well as origin two colon, URI scheme and on Windows

well if you click on a link like this, it will trigger the launching of origin and then

parameters are passed to it.

Now, initially you may think, hey, I can just do now arbitrary command execution by sort of doing

essentially shell injection.

It's not quite that easy.

You cannot sort of inject your own commands, but you can manipulate any command line parameters

being passed to the software and that in turn may then execute commands.

Another issue that the attacker has to overcome here is encoding the browser may enforce, but the DOM here shows at the example of origin

how this vulnerability can pretty easily be exploited.

...