Comment by Rohansi
17 hours ago
> * Small note on this specific CVE though: to the extent I looked into it [0], I'm not sure I find it reasonable to classify it as an RCE. It was a UX hiccup, the software was working as intended, the intention was just... maybe not quite wise enough.
Most people seem to see "CVE" and "RCE" and assume the worst here. As you saw though, Notepad is just making totally valid URIs clickable! Web browsers allow it too - why is it not an RCE there? Sure, they usually show a warning when the URI is going to something external but most people just click through things like that anyway.
That's not the case here.
Web browsers warn you about opening arbitrary protocols. And you have to select the program that will open it.
This Notepad vuln allows you to click things like ssh://x....
> This Notepad vuln allows you to click things like ssh://x....
Which just opens up SSH connecting to a server. Is that really RCE?
It'll also only work with URI schemes that are registered on your system. It's not running arbitrary commands - software you install on your PC registers URI schemes and sets what command it should run when opened. It's then up to that software to parse the URI and handle it properly. If it doesn't then the RCE belongs to them because they registered the URI scheme and failed to handle it securely. Having an allowlist of URI schemes in Notepad isn't going to fix it.
It doesn't only work with protocols registered by "your system" - Notepad doesn't register protocols. And Notepad is the user agent, here.
It works with your _locally_ registered protocols, not just the _remote_ protocols.
Which is why it works with JScript. And PowerShell. And Visual Basic.
This is a bug that replicates why IE 4 was called insecure. It's not something that should ever surface again, today.
It is... The exact example of what an RCE is. _Local_ code executed by a _remote_ command.
1 reply →
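The disagreement above turns on which URI schemes are actually registered on a given Windows machine and what command each one hands the URI to. The script below is an added example, not from the thread or from Microsoft; it inventories the registered protocol handlers so an administrator can see what a clickable link in a local application could launch. It assumes the standard registration layout: a key under HKEY_CLASSES_ROOT named after the scheme, carrying a "URL Protocol" value, with the handler command line in its shell\open\command subkey.

```powershell
# Added example (not from the thread): list every URI scheme registered on this machine
# and the command it would launch. HKCR already merges HKLM\Software\Classes and
# HKCU\Software\Classes, so per-user registrations are included without a second pass.
$handlers = foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue) {
    # Only keys that declare themselves as URL protocols, not file types or CLSIDs.
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'URL Protocol')) { continue }

    # The handler lives in the (default) value of shell\open\command; "%1" is replaced by the URI text.
    $cmdKey = Join-Path $key.PSPath 'shell\open\command'
    $cmd = $null
    if (Test-Path -LiteralPath $cmdKey) {
        $cmd = (Get-Item -LiteralPath $cmdKey).GetValue('')
    }

    [pscustomobject]@{
        Scheme  = $key.PSChildName
        Handler = $cmd
    }
}

# Heuristic triage: handlers that are script hosts or shells receive the URI as part of
# their command line, which is the case the thread raises for JScript, PowerShell and VBScript.
$scriptHosts = 'wscript|cscript|powershell|pwsh'
$handlers |
    Sort-Object Scheme |
    Select-Object Scheme, Handler, @{ n = 'ScriptHost'; e = { [bool]($_.Handler -match $scriptHosts) } } |
    Format-Table -AutoSize -Wrap
```

Runs as a normal user; the ScriptHost column is only a heuristic and a flagged entry still needs a look at how that handler parses the URI it is given.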