RssReader remote code execution vulnerability

Google Reader is officially shutting down on 1 July 2013. Not everyone has jumped ship yet, so I wouldn't be surprised to see a lot of people suddenly looking for new ways to read their RSS feeds next week.

Summary: Don't install RssReader! It's the top result on Google for "rss reader", but it also lets remote attackers steal your files and run arbitrary code on your computer. 

Several years ago, I discovered a remote code execution vulnerability in RssReader, a free RSS reader for Windows. To my amazement, this vulnerability is still present today. Even worse, this software is still the first result when you do a Google search for rss reader. I think this may result in quite a few installations of this vulnerable software next week, after Google Reader shuts down for good.

The latest stable release offered on the RssReader website is 1.0.88.0. This version was originally released way back in 2004! Unfortunately, for the past nine years, this version has contained a remote code execution vulnerability which allows malicious feeds to run arbitrary code on a victim's computer, or access the victim's files without consent.

 
The RssReader website reports more than 4.1 million downloads, but the real number is likely to be much higher, as that count does not appear to have been updated for more than two years (according to the archived pages at archive.org). 

Vulnerability 1: Accessing local files with JavaScript

RssReader executes JavaScript in a context that permits access to local files through an XMLHttpRequest object.  An attacker can instantiate an XMLHttpRequest object within a malicious, remote RSS feed and then use it to read any readable file from a victim's computer. The contents of these files can then be transmitted to the remote attacker without the victim's consent or knowledge.

Vulnerability 2: Executing code on the victim's computer with VBScript

Unsurprisingly, RssReader also allows VBScript to be executed in a local context by its rendering engine. A remote attacker can instantiate a WScript.Shell object and use it to execute arbitrary code on the victim's computer. When I originally tested this on a fully-patched Windows XP machine with Internet Explorer 7, it was possible to execute programs merely by viewing a malicious RSS feed. On Windows 7 with IE 10, the user may have to click "Yes" to run the ActiveX control, depending on their security settings.

Proofs of concept

The following RSS document demonstrates how the file c:\windows\system32\drivers\etc\hosts can be accessed through a remote feed.

<rss version="2.0">
  <channel>
    <title>Title</title>
    <link>http://www.example.com/</link>
    <description>Description</description>
    <generator>highseverity.com</generator>
    <item>
        <title>Item Title</title>
        <link>http://www.example.com/</link>
        <description>
         <script>
var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
xmlhttp.open("GET", "file:///c:/windows/system32/drivers/etc/hosts", true);
xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4) {
        alert(xmlhttp.responseText);
    }
}
xmlhttp.send(null);
         </script>
        </description>
        <author>highseverity.com</author>
    </item>
    </channel>
</rss>

When this feed is displayed within RssReader, the contents of the victim's hosts file will be displayed in a JavaScript alert dialog:

An attacker can also use the XMLHttpRequest object to send the contents of this file - plus other potentially sensitive files - to a remote web server. No user interaction is required, so a well-crafted attack is likely to go unnoticed by its victims.

Arbitrary programs can be executed on the victim's computer by creating a WScript.Shell object and calling its Run function. This can be demonstrated by creating a feed with the following script inside an RSS item:

<script language="VBScript">
<!--
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "calc.exe", 1, True
-->
</script>

When the victim views this feed, calc.exe will be executed:

As noted earlier, depending on the victim's operating system, browser version and security settings, this code execution vulnerability could also be exploited without requiring any user interaction, and a cleverly crafted attack is unlikely to be noticed by the victim.

Obviously, when a remote attacker is able to run arbitrary code on a victim's computer, it makes it a lot easier to gain unauthorised access to any of the victim's accounts on other sites and services, such as Facebook, Twitter, Gmail, Flickr, etc.

An attacker does not necessarily have to entice his victim into subscribing to a malicious feed; the vulnerability can also be exploited through a feed that the victim has already subscribed to, either by compromising the server hosting the feed, or by writing a specially-crafted blog post which is syndicated by other third-party feeds.

Mitigation

Unfortunately, RssReader does not appear to be maintained any more. The software has not been updated since 2004, the latest bugs listed on the website date from 2003, and emails to info@rssreader.com are being bounced. With that in mind, I'm surprised it's still the top result on Google for rss reader.

So for now, the only sensible thing to do is to avoid installing RssReader, and make sure everyone else avoids it, too!

It might appear reasonable and responsible for Google to place a warning in its search results, or perhaps even reduce its ranking in search results - particularly over the coming weeks.