Security Exploit Uses Internet Explorer to Attack Mozilla FirefoxWednesday July 11th, 2007Firefox_User sent us a link to a CNET News.com article about a security threat to Windows users with both Mozilla Firefox and Microsoft Internet Explorer installed. The issue can allow an attacker to remotely trick Firefox into executing potentially malicious code. However, a user has to be running Internet Explorer to actually get exploited. Security researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When installed on Windows, Firefox registers a URL protocol handler to handle firefoxurl:// URLs (this works much like a http:// or ftp:// URL protocol handler). If an IE user visits a webpage that tries to call a firefoxurl:// URL (for example, using an iframe), IE will launch Firefox with no further prompting, passing it the URL. Neither IE nor Firefox escape or sanitise the URL, which allows an attacker to inject additional parameters into the command line used to invoke Firefox. Used in combination with the -chrome parameter, the attacker can make Firefox execute dangerous JavaScript code. There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, while Secunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. News.com quotes Oliver Friedrichs of Symantec's Security Response Center, who says, "It's a little bit of both." On the official Mozilla Security Blog, the Mozilla Corporation's Window Synder (who used to work for Microsoft) says that a fix will be included in the forthcoming Firefox 2.0.0.5. That said, she seems to suggest that she considers this to be mostly a problem with IE, noting that Apple fixed a similar issue with Safari recently. However, according to the ZDNet Zero Day security weblog, Microsoft claims the firefoxurl:// bug "is not a vulnerability in a Microsoft product". On his weblog, Jesper Johansson (who also used to work for Microsoft), says the firefoxurl:// flaw is a Mozilla problem. He also provides instructions for unregistering the URL protocol handlers. Thanks to roseman for some of the links used in this report. NoScript users have been already protected both from MacManus/Larholm remote code execution and from Rios "Universal XSS" exploit since June, the 22th, see http://noscript.net/changelog#1.1.4.9.070622 More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios' "Universal XSS" PoC), no matter if attempted through the "firefoxurl:" handler (like in this specific case) or by other means we don't know yet (if any exists, we hope not!). Hence, these protective features are here to stay, since the upcoming Firefox 2.0.0.5 just fixes the "firefoxurl:"/command line case. Never heard of it before. Why do we need it? "Never heard of it before. Why do we need it?" Boris Zbarsky offers some insight at Slashdot: http://slashdot.org/comments.pl?sid=248291&cid=19822609 It seems that it's some sort of URL scheme auto-generated by Windows when Firefox sets itself up to handle http:// https://, ftp:// and gopher:// URLs. Alex It seems to be helpful or needed to make Firefox the default browser on Windows Vista. A patch at <https://bugzilla.mozilla.org/show_bug.cgi?id=354005> introduces the FirefoxURL registry key. NoScript users have been already protected both from MacManus/Larholm remote code execution and from Rios "Universal XSS" exploit since June, the 22th, see http://noscript.net/changelog#1.1.4.9.070622 More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios' "Universal XSS" PoC), no matter if attempted through the "firefoxurl:" handler (like in this specific case) or by other means we don't know yet (if any exists, we hope not!). Hence, these protective features are here to stay, since the upcoming Firefox 2.0.0.5 just fixes the "firefoxurl:"/command line case. I believe this is a mozilla problem. If IE does not know what to do with something and then passes it to Firefox to deal with then its not the job of IE to parse it as - by definition - it can't understand the data. It is firefox's job to read and parse the data before doing thigns with it. Never heard of this firefoxurl before, so Ithouoght I'd give it a try. So I tried browsing to a few web pages in IE, replaced the "http" with "firefoxurl" and whilst it appears to get passed to Firefox I then get a dialog from Firefox saying: External Protocol Request An external application must be launched to handle firefoxurl: links. Requested link: firefoxurl://news.bbc.co.uk Application Firefox ...blah blah security stuff... If I click Launch Application, I then get a new blank tab in my current firefox window, and the dialog reappears, and so on in a loop every time I click the Launch Application. (Firefox 2.0.0.4, Win XP SP2, IE7) #7 Re: Does Firefoxurl actually work properly for anyby Herohtar Wednesday July 11th, 2007 11:07 AM I get the same loop with Firefox 2.0.0.4... doesn't seem to be an exploit to me. if you wanna see some more discussion on same topic: InformationWeek: http://www.informationweek.com/windows/showArticle.jhtml?articleID=201000765&articleID=201000765 The Register: http://www.theregister.co.uk/2007/07/11/ie_firefox_vuln/ ComputerWorld: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026798 eWeek: http://www.eweek.com/article2/0,1895,2156543,00.asp again, these are just more article links to the "discussion" of this issue. i kinda like the register's toungue-in-cheek writing style. "...The saying about success having many parents but failure being an orphan seems fitting here.." :) Using ZIP releases there is no installer that can install these kind of backdoors. This is one more reason that I will only install and use software that does not require an installer. but ... oh ... I forgot ... mozilla.com abandoned zip releases ... TIP: Install software in a virtual machine, zip up the program directory and unzip on your real machine. And be happy. :) You can use InstallWatch to find out if any important registry entries have been made. 99% of the registry entries made by installers are NOT needed. A relationship always needs at least two entities. If one of the entities is pointing the finger at the other entity, then this just means, that it does reject its share of responsibility. I don't wanna get into who is right or wrong. But ... The firefox installer creates a registry entry for "firefoxurl:"; a url handler; basic windows functionality. And by creating that registry entry other applications in windows can use that handler; not just ie but any app. So firefox is opening itself up for problems ... Yes, but it doesnt change my point. Whenever an interaction happens, its "success" depends on "if and what is given" (entity A) and "if and how it is received" (Entity B). No matter how creative people get in argumenting, nothing will change this universal law (which by the way is part of the foundation of logic itself). Whenever another app uses this firefox-handler, what happened was only made possible by: 1. Firefox creating this handler and accepting input from it - but not validating the input properly. 2. Another app using this handler without properly validating the user input. Both sides made it possible. Any of the two sides could stop this problem. And in an ideal world, BOTH sides should stop this from happening. When a problem like this arises, then there are already "two mistakes" in place, since as i said.... it takes two for an interaction to succeed. - Lyx #2 is exactly your error in thinking. The app using the handler just passes the data to the handler. The handler needs to verify the input. The app using the handler does NOT know the rules for validating the data; the handler DOES. Think about "bash": "bash" can not validate the command line parameters you pass on to "ls". "bash" does not know that "-al" means "long listing all files"; "ls" does know. So "ls" needs to validate the input for correctness. Not "bash"; it can not. Are you saying that "bash" should have knowledge about all unix commands so that it can validate the command line parameters for correctness. No way. :) So if firefox changes the validation rules then you need to change the app using the firefox handler also. It does not work that way. As I said in a post further up, url handlers can be used by any app. Not just ie. it is called "firefoxurl", so it clearly expects an URL as input. You are basically saying, that there is nothing wrong with passing invalid datatypes to a handler. Or in other words: "I am not responsible for what i forward.... its all the receivers fault.". You are basically saying that IE is not responsible for what it forwards. Its like saying "if i exploit someone, then only the other person is at fault, because it allowed it." - Meh, even thinking about how corrupt this one-sided style of thinking is, gives me the urge of hitting someone with a blunt object. - Lyx One more time .... So if mozilla decides to enhance the functionality of the "firefoxurl:" handler (additional parameters in the url for example), you expect IE to make the same enhancements on their side. It doesn't work that way. "... gives me the urge of hitting someone with a blunt object." - please watch your language and keep it nice. Please read Jesper's blog regarding this; he explains it better than I can: http://msinfluentials.com/blogs/jesper/archive/2007/07/10/blocking-the-firefox-gt-ie-0-day.aspx "Likewise, IE has no knowledge of what Firefox considers a valid URL and will simply pass on what it gets. Firefox needs to validate that it is not doing something untoward with that input. There is nothing in the protocol handler that informs IE how to perform input validation." Get it??? Maybe I invoke the "firefoxurl:" handler from my own app and pass it some bad, bad input data. no IE involved here .... It is always the receiver's responsibility to check its input, no matter what fancy checks the sender may have done. You do not rely on the sender havig done any kind of checking. Same for cgi scripts; you never ever assume that your cgi script is only called from your webpage which has fancy javascript input checking. There are many other ways to call cgi scripts. So the cgi script always needs to check its input data ... I give up ... if you don't understand ... No, IE doesn't have to make "the same enhancements on their side." All they need to do is properly escape quotes when passing parameters off to a URL handler. They need to do that no matter what URL handler they pass the arguments to. No special consideration need be made for the specific firefoxurl: handler. IE *does* have knowledge of what Firefox considers a valid URL; the definition of a valid URL is contained in the applicable RFC. And there aren't any reasonable steps Firefox could take to validate the input data in this scenario. Firefox is being launched by a command line, it has no way to tell that the command line is being generated by IE and not by the user. (Oh, there are ways of working around the problem - I'm still waiting to see which one they chose - but none of them are reasonable absent the knowledge that it is going to be passed illegal URLs.) If you want to compare it to ls, let's say I write an application that uses ls to get a directory listing. If I want the directory listing of a folder named 'my " -al " folder', and I pass it on to ls like that: ls "my " -al " folder" Are you saying ls should be able to parse that and know what I meant? No, of course not, it can't. It can't read (my program's) mind. I should escape the quotes. _Exactly_ the same happens here. Internet Explorer forgets to escape the quotes, and Firefox has no way to know what Internet Explorer meant. It just knows what Internet Explorer sent. This is like an SQL Injection indeed, just like an SQL Injection there are three parties: the untrusted one, the proxy that handles the data, and the recipient that blindly executes what the proxy asks. You can't blame the MySQL server for an SQL Injection, the PHP script should sanitize the untrusted input. Similarly, you can't blame Firefox for this one, Internet Explorer should sanitize the untrusted input. And my last remark is that Firefox is not the only attack victim here, any software that implements a standard (non-DDE) protocol handler is harmed by this Internet Explorer vulnerability. How does IE know how to sanitize what your passing to the handler?? "There is nothing in the protocol handler that informs IE how to perform input validation." Read the following comment copied from another thread: ----------------------------------------------------------------- Useless to blame anyone by Kurtis Wednesday July 18th, 2007 5:48 PM Reply to this message As I stated in the other topic, I launched the proof of concept from SeaMonkey, a fellow Gecko application, not Internet Explorer. I don't see why IE should be blamed when it's not the only one that is vulnerable of executing the exploit. In any case, it's just good that it's fixed now. I don't really care who is at fault, just that there's an official fix for the problem. ----------------------------------------------------------------- Exactly what I have been saying all the time: protocol handlers can be and are called from any application. Additional article on "fixing" this interaction between msie-&-ff: http://www.eweek.com/article2/0,1895,2157333,00.asp
IE has a long history of problems with "URL protocol" handlers: http://www.securityfocus.com/archive/1/370959 http://www.securityfocus.com/archive/1/371061 http://lists.grok.org.uk/pipermail/full-disclosure/2004-August/024833.html because it passes around untrusted data. (How did MS people ever think that enclosing in quotes, then re-parsing the string, was safe?) So we know this is a "brain-dead" feature. Maybe Mozilla should handle the nonsense that Windows can throw at it. Or better, do not use such features: do not register any URL protocols. Two key issues: 1. Merely having both IE and Firefox on the same computer is not a problem. The vulnerability occurs only when browsing with IE and then only if the user selects a link that begins firefoxurl:// instead of http://, https://, etc. Thus, if you browse only with Firefox (or another Gecko application), the problem does not occur. (I use IE only to get the too frequent Windows patches and occasionally to check how my own Web pages appear with a non-Gecko browser.) 2. It appears that SeaMonkey (the browser I use) does not register a firefoxurl protocol. The string "firefox" does not appear in my WindowsXP registry. What we have not yet seen here is an explanation of the purpose of the firefoxurl protocol. If it has no purpose (thus answering why there is no explanation) or it was never completely implemented, it should be removed. i am asking (not saying, just asking), is the firefoxurl protocol how you make sure that a particular browser is used to get to a specific url? if so, that would explain why even though FF is my default browser, on rare occasion some link in a (trusted, of course) e-mail (or perhaps web page) might try to force IE to open instead? i only use IE for windows-update, or ms-update, whatever it is called, only to get monthly patches. i am bothered when IE opens instead of FF (rare as that is); wonder if this mechanism is how that occurs (obviously in reverse for the case i described). can a webpage link demand it be opened with FF? maybe this is how it is done? anyone know? am i making any sense??
I used SeaMonkey to launch the proof of concept, and it worked perfectly as intended, so I'd revise saying that it doesn't work from other Gecko applications if I were you. Simply delete the following registry keys AFTER installing to disable this "protocol". Because, who would want to launch one browser from within another anyway? Enjoy. Be sure to backup your registry before modifying if you have fat fingers like me:) [HKEY_CLASSES_ROOT\FirefoxURL] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirefoxURL] [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations] ummm, after unregistering protocols, it seems as if ms-LookOut showing an e-mail with a link in it now refuses to open the link. maybe that is why, so ms-LookOut can call msie which then farms out to the default browser, maybe? ok, i admit it. i am still confusated. Thanks for the good article, but it is totally useless to blame IE. Of course IE should check the URL (if they can), but Firefox can not trust IE to do that, or? see: http://www.mozillazine.org/talkback.html?article=22211 FF-2.0.0.5 now available, which fixes this. I think there are a lot of Bugs in the new Mozilla Grand Paradiso Now the mozilla g.p seems to be perfect! http://www.luxus-body.de http://www.harro-shop.de http://ipsoo.de/ed-hardy-christian-audigier-und-sportnahrung-347.html http://www.blogglob.de/EdHardy24/ http://donedhardy24.manicfish.com http://my.opera.com/Sportern%C3%A4hrung/blog/show.dml/1853178 http://edhardy-christianaudigier.blogspot.com/ http://ed-hardy-christian-audigier-und-sportlernahrung.lifetype.at/ http://donedhardy2.beeplog.de/ http://donedhardy.123log.de/ http://www.flickr.com/groups/710338@N23/ http://www.flickr.com/people/24962050@N04/ http://www.maklerverzeichnis.com http://www.ranking-charts.at http://donedhardy2.20six.de/ http://donedhardy.blogianer.de/ http://edhardy24.pblog.de/ http://www.tell-it.net/ed-hardy-christian-audigier http://edhardy248.blogster.de/ http://blogya.de/edhardy24/ http://edhardy24.twoday.net/ http://www.blogy.de/edhard24/ http://ipsoo.de/ed-hardy-christian-audigier-und-sportnahrung-347.html http://www.blogglob.de/EdHardy24/ http://donedhardy24.manicfish.com/ http://www.sevenblogs.de/blog/933 http://my.opera.com/Sporternährung/blog/show.dml/1853178 http://edhardy-christianaudigier.blogspot.com/ http://ed-hardy-christian-audigier-und-sportlernahrung.lifetype.at/ http://donedhardy2.beeplog.de/ http://donedhardy.123log.de/ http://www.flickr.com/photos/24962050@N04/ http://www.flickr.com/groups/710338@N23/ http://www.flickr.com/people/24962050@N04/ Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy Ed Hardy http://www.ed-hardy24.de/christian-audigier.htm http://www.ed-hardy24.de/ed-hardy-erfolgsgeschichte.htm Ed Hardy http://0am.de/artikel/klamotten-und-kleidungsstuecke-von-ed-hardy-a5493.html http://www.kosnix.de http://www.compu-zone.de http://www.dslhilfen.de http://www.filipos.de http://www.filipos.de/ed-hardy/ http://www.schwule-gays.net wtf? http://flashgeek.de/ http://edhardy2.blogger.de/ http://edhardy2.blogspot.com/ http://edhardy2.blog.de/ http://edhardy2.mindsay.com/ http://edhardy2.beeplog.de/ http://www.blogigo.de/Ed_Hardy_Caps http://www.soulcast.com/post/show/126440/Blog-%C3%BCber-Ed-Hardy http://20six.co.uk/edhardy2/ http://edhardy2.vox.com/library/post/stronged-hardy---das-label.html http://edhardy2.kulando.de/ http://edhardy2.blogster.com/ed-hardy-infos http://edhardy2.blogsome.com/ http://edhardy2.acc.de/Ed_Hardy_Seite/ http://edhardy2.sampasite.com/ http://www.tell-it.net/ed-hardy-mode http://edhardy2.twoday.net/ http://www.blogglob.de/edhardy2/ http://edhardy2.123log.de/ http://www.sevenblogs.de/blog/1008 http://my.opera.com/edhardy2/about/ http://www.speed-trade.de/Ed-Hardy:::42.html http://www.pattern-crochet.com http://www.loco-outlet.de http://www.loco-outlet.de/index.php?cat=c68_CLEARANCE-SALE.html Thank you for this great post..wow... ed hardy http://www.brandlots.de Seven Jeans, True Religion, citizens of humanity, Ed hardy jetzt guenstig bei http://www.jeans-kult.de Grosse Auswahl an Seven Jeans <a href="http://fun.bwabty.com">اغانى</a> <a href="http://pro.bwabty.com">برامج</a> <a href="http://hawaa.bwabty.com">المرأة</a> <a href="http://www.melodawy.net/">العاب غريبه</a> <a href="http://www.mazika.in/">العاب دماء< <a href="http://www.aflmnat.com/">العاب طاوله< <a href="http://www.aflmnat.com">فيديو</a> <a href="http://mazika.in/cat16">اغانى شعبي</a> <a href="http://www.sotelarab.com">أخبار</a> <a href="http://fun.bwabty.com/cat1-1.html">برامج</a> <a href="http://fun.bwabty.com/games.html">العاب فلاش</a> <a href="http://fun.bwabty.com/cat1-1.html">اغانى</a> <a href="http://fun.bwabty.com/cat2-1.html">دليل مواقع</a> <a href="http://fun.bwabty.com/cat3-1.html">العاب</a> <a href="http://fun.bwabty.com/cat4-1.html">العاب اكشن</a> <a href="http://fun.bwabty.com/cat5-1.html">العاب اضافه</a> <a href="http://hawaa.bwabty.com">حواء</a> <a href="http://fun.bwabty.com/cat6-1.html">العاب مغامرات</a> <a href="http://fun.bwabty.com/cat7-1.html">العاب دعائيه</a> <a href="http://fun.bwabty.com/cat8-1.html">العاب طائرات</a> <a href="http://fun.bwabty.com/cat9-1.html">العاب القاعده</a> <a href="http://fun.bwabty.com/cat10-1.html">العاب خيال</a> <a href="http://fun.bwabty.com/cat11-1.html">العاب حيوانات</a> <a href="http://fun.bwabty.com/cat12-1.html">العاب نمل</a> <a href="http://fun.bwabty.com/cat13-1.html">العاب ممرات</a> <a href="http://fun.bwabty.com/cat14-1.html">العاب اركانويد</a> <a href="http://mazika.in/cat16">اغانى شعبى</a> <a href="http://fun.bwabty.com/cat15-1.html">العاب حربيه</a> <a href="http://fun.bwabty.com/cat16-1.html">العاب كواكب</a> <a href="http://fun.bwabty.com/cat17-1.html">العاب شنط</a> <a href="http://fun.bwabty.com/cat18-1.html">العاب توازن</a> <a href="http://fun.bwabty.com/cat19-1.html">العاب اتزان</a> <a href="http://fun.bwabty.com/cat20-1.html">العاب كره</a> <a href="http://fun.bwabty.com/cat21-1.html">العاب بالونات</a> <a href="http://fun.bwabty.com/cat22-1.html">العاب موز</a> <a href="http://fun.bwabty.com/cat23-1.html">العاب بيسبول</a> <a href="http://fun.bwabty.com/cat24-1.html">العاب كره سله</a> <a href="http://fun.bwabty.com/cat25-1.html">العاب دببه</a> <a href="http://fun.bwabty.com/cat26-1.html">العاب وحوش</a> <a href="http://fun.bwabty.com/cat27-1.html">العاب قتال</a> <a href="http://fun.bwabty.com/cat28-1.html">العاب نحل</a> <a href="http://fun.bwabty.com/cat29-1.html">العاب بيره</a> <a href="http://fun.bwabty.com/cat30-1.html">العاب رهان</a> <a href="http://fun.bwabty.com/cat31-1.html">العاب دراجات</a> <a href="http://fun.bwabty.com/cat32-1.html">العاب بلياردو</a> <a href="http://fun.bwabty.com/cat33-1.html">العاب بن لادن</a> <a href="http://fun.bwabty.com/cat34-1.html">العاب طيور</a> <a href="http://fun.bwabty.com/cat39-1.html">العاب قنابل</a> <a href="http://fun.bwabty.com/cat40-1.html">العاب رجل القنابل</a> <a href="http://fun.bwabty.com/cat41-1.html">العاب تنطيط</a> <a href="http://fun.bwabty.com/cat42-1.html">العاب القوس</a> <a href="http://fun.bwabty.com/cat43-1.html">العاب بولينغ</a> <a href="http://fun.bwabty.com/cat44-1.html">العاب الملاكمه</a> <a href="http://fun.bwabty.com/cat45-1.html">العاب اولاد</a> <a href="http://fun.bwabty.com/cat46-1.html">العاب الطوب</a> <a href="http://fun.bwabty.com/cat47-1.html">العاب الكباري</a> <a href="http://fun.bwabty.com/cat48-1.html">العاب الفقاعات</a> <a href="http://fun.bwabty.com/cat49-1.html">العاب سيارات القنابل</a> <a href="http://fun.bwabty.com/cat50-1.html">العاب الارانب</a> <a href="http://fun.bwabty.com/cat51-1.html">العاب هامبرجر</a> <a href="http://fun.bwabty.com/cat52-1.html">العاب مدافع</a> <a href="http://fun.bwabty.com/cat53-1.html">العاب سيارات</a> <a href="http://fun.bwabty.com/cat54-1.html">العاب بطاقات</a> <a href="http://fun.bwabty.com/cat55-1.html">العاب كازينو</a> <a href="http://fun.bwabty.com/cat56-1.html">العاب القلعه</a> <a href="http://fun.bwabty.com/cat57-1.html">العاب القطط</a> <a href="http://fun.bwabty.com/cat58-1.html">العاب مطاردات</a> <a href="http://fun.bwabty.com/cat59-1.html">العاب شطرنج</a> <a href="http://fun.bwabty.com/cat60-1.html">العاب دجاج</a> <a href="http://fun.bwabty.com/cat61-1.html">العاب الكريسماس</a> <a href="http://fun.bwabty.com/cat62-1.html">العاب السيرك</a> <a href="http://fun.bwabty.com/cat63-1.html">العاب كلاي</a> <a href="http://fun.bwabty.com/cat64-1.html">العاب المهرج</a> <a href="http://fun.bwabty.com/cat65-1.html">العاب تجميع</a> <a href="http://fun.bwabty.com/cat66-1.html">العاب تلوين</a> <a href="http://fun.bwabty.com/cat67-1.html">العاب طبخ</a> <a href="http://fun.bwabty.com/cat68-1.html">العاب رعاه البقر</a> <a href="http://fun.bwabty.com/cat69-1.html">العاب رمي</a> <a href="http://fun.bwabty.com/cat70-1.html">العاب رقص</a> <a href="http://fun.bwabty.com/cat71-1.html">العاب نبله</a> <a href="http://fun.bwabty.com/cat72-1.html">العاب ديكور</a> <a href="http://fun.bwabty.com/cat73-1.html">العاب دفاع</a> <a href="http://fun.bwabty.com/cat74-1.html">العاب دفاعيه</a> <a href="http://fun.bwabty.com/cat75-1.html">العاب تحرى</a> <a href="http://fun.bwabty.com/cat76-1.html">العاب النرد</a> <a href="http://fun.bwabty.com/cat77-1.html">العاب ديناصورات</a> <a href="http://fun.bwabty.com/cat78-1.html">العاب كلاب</a> <a href="http://fun.bwabty.com/cat79-1.html">العاب الدومينو</a> <a href="http://fun.bwabty.com/cat80-1.html">العاب تنانين</a> <a href="http://fun.bwabty.com/cat81-1.html">العاب رسم</a> <a href="http://fun.bwabty.com/cat82-1.html">العاب تلبيس</a> <a href="http://fun.bwabty.com/cat83-1.html">العاب قياده</a> <a href="http://fun.bwabty.com/cat84-1.html">العاب طبول</a> <a href="http://fun.bwabty.com/cat85-1.html">العاب شرب الخمور</a> <a href="http://fun.bwabty.com/cat86-1.html">العاب الاقزام</a> <a href="http://fun.bwabty.com/cat87-1.html">العاب تعليميه</a> <a href="http://fun.bwabty.com/cat88-1.html">العاب مصريه</a> <a href="http://fun.bwabty.com/cat89-1.html">العاب هروب</a> <a href="http://fun.bwabty.com/cat90-1.html">العاب تهرب</a> <a href="http://fun.bwabty.com/cat91-1.html">العاب المصانع</a> <a href="http://fun.bwabty.com/cat92-1.html">العاب الجن</a> <a href="http://fun.bwabty.com/cat93-1.html">العاب الخيال</a> <a href="http://fun.bwabty.com/cat94-1.html">العاب المزارع</a> <a href="http://fun.bwabty.com/cat95-1.html">العاب قتال</a> <a href="http://fun.bwabty.com/cat96-1.html">العاب نيران</a> <a href="http://fun.bwabty.com/cat97-1.html">العاب العاب ناريه</a> <a href="http://fun.bwabty.com/cat98-1.html">العاب الرمايه بالاسلحه</a> <a href="http://fun.bwabty.com/cat99-1.html">العاب اسماك</a> <a href="http://fun.bwabty.com/cat100-1.html">العاب صيد</a> <a href="http://fun.bwabty.com/cat101-1.html">العاب فلاش</a> <a href="http://fun.bwabty.com/cat102-1.html">العاب ورود</a> <a href="http://fun.bwabty.com/cat103-1.html">العاب طيران</a> <a href="http://fun.bwabty.com/cat104-1.html">العاب طعام</a> <a href="http://fun.bwabty.com/cat105-1.html">العاب مطاعم</a> <a href="http://fun.bwabty.com/cat106-1.html">العاب كره قدم</a> <a href="http://fun.bwabty.com/cat107-1.html">العاب ضفادع</a> <a href="http://fun.bwabty.com/cat108-1.html">العاب فواكه</a> <a href="http://fun.bwabty.com/cat109-1.html">العاب مرحه</a> <a href="http://fun.bwabty.com/cat110-1.html">العاب خفيفه</a> <a href="http://fun.bwabty.com/cat111-1.html">العاب ادوات</a> <a href="http://fun.bwabty.com/cat112-1.html">العاب اشباح</a> <a href="http://fun.bwabty.com/cat113-1.html">العاب بنات</a> <a href="http://fun.bwabty.com/cat114-1.html">العاب ذهب</a> <a href="http://fun.bwabty.com/cat115-1.html">العاب جولف</a> <a href="http://fun.bwabty.com/cat116-1.html">العاب قتل</a> <a href="http://fun.bwabty.com/cat117-1.html">العاب غوريلا</a> <a href="http://fun.bwabty.com/cat118-1.html">العاب قبور</a> <a href="http://fun.bwabty.com/cat119-1.html">العاب تجهيز</a> <a href="http://fun.bwabty.com/cat120-1.html">العاب تخمين</a> <a href="http://fun.bwabty.com/cat121-1.html">العاب لبان</a> <a href="http://fun.bwabty.com/cat122-1.html">العاب مسدسات</a> <a href="http://fun.bwabty.com/cat123-1.html">العاب تسخين</a> <a href="http://fun.bwabty.com/cat124-1.html">العاب هليكوبتر</a> <a href="http://fun.bwabty.com/cat125-1.html">العاب هوكي</a> <a href="http://fun.bwabty.com/cat126-1.html">العاب المنزل</a> <a href="http://fun.bwabty.com/cat127-1.html">العاب ثلجيه</a> <a href="http://fun.bwabty.com/cat128-1.html">العاب قصص تفاعليه</a> <a href="http://fun.bwabty.com/cat129-1.html">العاب الجزيره</a> <a href="http://fun.bwabty.com/cat130-1.html">العاب جافا</a> <a href="http://fun.bwabty.com/cat131-1.html">العاب قتال خارق</a> <a href="http://fun.bwabty.com/cat132-1.html">العاب مجوهرات</a> <a href="http://fun.bwabty.com/cat133-1.html">العاب منشار التخريم</a> <a href="http://fun.bwabty.com/cat134-1.html">العاب قفز</a> <a href="http://fun.bwabty.com/cat135-1.html">العاب الغابه</a> <a href="http://fun.bwabty.com/cat136-1.html">العاب اطفال</a> <a href="http://fun.bwabty.com/cat137-1.html">العاب قتل</a> <a href="http://fun.bwabty.com/cat138-1.html">العاب قطط</a> <a href="http://fun.bwabty.com/cat139-1.html">العاب الفرسان</a> <a href="http://fun.bwabty.com/cat140-1.html">العاب كنج فو</a> <a href="http://fun.bwabty.com/cat141-1.html">العاب اليرانب القطبية</a> <a href="http://fun.bwabty.com/cat142-1.html">العاب حروف</a> <a href="http://fun.bwabty.com/cat143-1.html">العاب الضوء</a> <a href="http://fun.bwabty.com/cat144-1.html">العاب الحب</a> <a href="http://fun.bwabty.com/cat145-1.html">العاب ماكينات</a> <a href="http://fun.bwabty.com/cat146-1.html">العاب سحريه</a> <a href="http://fun.bwabty.com/cat147-1.html">العاب اداره</a> <a href="http://fun.bwabty.com/cat148-1.html">العاب ماريو</a> <a href="http://fun.bwabty.com/cat149-1.html">العاب اختيار</a> <a href="http://fun.bwabty.com/cat150-1.html">العاب رياضيات</a> <a href="http://fun.bwabty.com/cat151-1.html">العاب متاهات</a> <a href="http://fun.bwabty.com/cat152-1.html">العاب القرون الوسطى</a> <a href="http://fun.bwabty.com/cat153-1.html">العاب الذاكره</a> <a href="http://fun.bwabty.com/cat154-1.html">العاب تعدين</a> <a href="http://fun.bwabty.com/cat155-1.html">العاب اموال</a> <a href="http://fun.bwabty.com/cat156-1.html">العاب قرود</a> <a href="http://fun.bwabty.com/cat157-1.html">العاب وحوش</a> <a href="http://fun.bwabty.com/cat158-1.html">العاب القمر</a> <a href="http://fun.bwabty.com/cat159-1.html">العاب دراجات ناريه</a> <a href="http://fun.bwabty.com/cat160-1.html">العاب مهارات ماوس</a> <a href="http://fun.bwabty.com/cat161-1.html">العاب افلام</a> <a href="http://fun.bwabty.com/cat162-1.html">العاب زوجيه</a> <a href="http://fun.bwabty.com/cat163-1.html">العاب مضاعفة</a> <a href="http://fun.bwabty.com/cat164-1.html">العاب موسيقى</a> <a href="http://fun.bwabty.com/cat165-1.html">العاب مسخ</a> <a href="http://fun.bwabty.com/cat166-1.html">العاب نينجا</a> <a href="http://fun.bwabty.com/cat167-1.html">العاب ارقام</a> <a href="http://fun.bwabty.com/cat168-1.html">العاب عقبات</a> <a href="http://fun.bwabty.com/cat169-1.html">العاب اجرام سماويه</a> <a href="http://fun.bwabty.com/cat170-1.html">العاب باندا</a> <a href="http://fun.bwabty.com/cat171-1.html">العاب ركن السيارات</a> <a href="http://fun.bwabty.com/cat172-1.html">العاب باروديا</a> <a href="http://fun.bwabty.com/cat173-1.html">العاب بطاريق</a> <a href="http://fun.bwabty.com/cat174-1.html">العاب فرعونيه</a> <a href="http://fun.bwabty.com/cat175-1.html">العاب حبوب</a> <a href="http://fun.bwabty.com/cat176-1.html">العاب الكرة والدبابيس</a> <a href="http://fun.bwabty.com/cat177-1.html">العاب انابيب</a> <a href="http://fun.bwabty.com/cat178-1.html">العاب كواكب</a> <a href="http://fun.bwabty.com/cat179-1.html">العاب نباتات</a> <a href="http://fun.bwabty.com/cat180-1.html">العاب الأرصفة</a> <a href="http://fun.bwabty.com/cat181-1.html">العاب الالهه</a> <a href="http://fun.bwabty.com/cat182-1.html">العاب سباكه</a> <a href="http://fun.bwabty.com/cat183-1.html">العاب بوكر</a> <a href="http://fun.bwabty.com/cat184-1.html">العاب برك</a> <a href="http://fun.bwabty.com/cat185-1.html">العاب السجن</a> <a href="http://fun.bwabty.com/cat186-1.html">العاب عقاب</a> <a href="http://fun.bwabty.com/cat187-1.html">العاب دمية</a> <a href="http://fun.bwabty.com/cat188-1.html">العاب جرو</a> <a href="http://fun.bwabty.com/cat189-1.html">العاب شراء معدات التحديث</a> <a href="http://fun.bwabty.com/cat190-1.html">العاب بازل</a> <a href="http://fun.bwabty.com/cat191-1.html">العاب ساحة الكلية</a> <a href="http://fun.bwabty.com/cat192-1.html">العاب ذكاء</a> <a href="http://fun.bwabty.com/cat193-1.html">العاب ارانب</a> <a href="http://fun.bwabty.com/cat194-1.html">العاب سباق</a> <a href="http://fun.bwabty.com/cat195-1.html">العاب العقارات</a> <a href="http://fun.bwabty.com/cat196-1.html">العاب الوقت الحقيقي</a> <a href="http://fun.bwabty.com/cat197-1.html">العاب انعكاس</a> <a href="http://fun.bwabty.com/cat198-1.html">العاب استرخاء</a> <a href="http://fun.bwabty.com/cat199-1.html">العاب انقاذ</a> <a href="http://fun.bwabty.com/cat200-1.html">العاب روبوتس</a> <a href="http://fun.bwabty.com/cat201-1.html">العاب صواريخ</a> <a href="http://fun.bwabty.com/cat202-1.html">العاب صخور</a> <a href="http://fun.bwabty.com/cat203-1.html">العاب التمثيل</a> <a href="http://fun.bwabty.com/cat204-1.html">العاب التزحلق</a> <a href="http://fun.bwabty.com/cat205-1.html">العاب رومانسيه</a> <a href="http://fun.bwabty.com/cat206-1.html">العاب الغرف</a> <a href="http://fun.bwabty.com/cat207-1.html">العاب الروليت</a> <a href="http://fun.bwabty.com/cat208-1.html">العاب الجري</a> <a href="http://fun.bwabty.com/cat209-1.html">العاب امان</a> <a href="http://fun.bwabty.com/cat210-1.html">العاب ساموراي</a> <a href="http://fun.bwabty.com/cat211-1.html">العاب الشيطان</a> <a href="http://fun.bwabty.com/cat212-1.html">العاب مخيفه</a> <a href="http://fun.bwabty.com/cat213-1.html">العاب المدرسه</a> <a href="http://fun.bwabty.com/cat214-1.html">العاب الغطس</a> <a href="http://fun.bwabty.com/cat215-1.html">العاب البحث والتدمير</a> <a href="http://fun.bwabty.com/cat216-1.html">العاب اغراء</a> <a href="http://fun.bwabty.com/cat217-1.html">العاب متسلسله</a> <a href="http://fun.bwabty.com/cat218-1.html">العاب اسماك القرش</a> <a href="http://fun.bwabty.com/cat219-1.html">العاب زلازل</a> <a href="http://fun.bwabty.com/cat220-1.html">العاب تبادل طلق ناري</a> <a href="http://fun.bwabty.com/cat221-1.html">العاب رمايه بالسلاح</a> <a href="http://fun.bwabty.com/cat222-1.html">العاب بندقيه التصويب</a> <a href="http://fun.bwabty.com/cat223-1.html">العاب تحريك جانبي</a> <a href="http://fun.bwabty.com/cat224-1.html">العاب محاكاه</a> <a href="http://fun.bwabty.com/cat225-1.html">العاب لوح التزحلق</a> <a href="http://fun.bwabty.com/cat226-1.html">العاب تزحلق</a> <a href="http://fun.bwabty.com/cat227-1.html">العاب جماجم</a> <a href="http://fun.bwabty.com/cat228-1.html">العاب تحطيم</a> <a href="http://fun.bwabty.com/cat229-1.html">العاب ابتسامات</a> <a href="http://fun.bwabty.com/cat230-1.html">العاب ثعابين</a> <a href="http://fun.bwabty.com/cat231-1.html">العاب قنص</a> http://www.usenetprovidervergleich.de/ oder http://www.mp3-musik-download.net ist immer einen besuch wert ;) http://de.encarta.msn.com/encnet/refpages/search.aspx?q=solarmodule+suninteractiv http://www.usenet-trick.de/usenext.html |