1242012 - Thunderbird xss while opening mails by performing a search

Status: RESOLVED WORKSFORME

(Thunderbird :: Security, defect)

Description

[researchertriponoid]

Attachment: 2016-01-22_20-00-56.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160105164030

Steps to reproduce:

Simply, open Mozilla Thunderbird :
- Go to File > New > Message
- Go to Insert > HTML
- Paste the following html code and click Insert .
Code to paste : 
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">
-Send mail to anyone using the thunderbird client
-Victim opens mail and keeps it open in the tab. 
-Victim performs a search and opens a mail containing HTML files.


Actual results:

When the victim opens the mail he will see empty iframe (or empty mail), but when victim keeps this mail open and performs a search to open a mail containing some HTML elements the payload will be activated. 

XSS javascript prompt comes with message /XSS by Researcher triponoid: triponoid.com/

See screenvideo for more details:
https://vid.me/Oeky



Expected results:

This should be filtered.

Comment 1

[Magnus Melin [:mkmelin]]

Haven't been able to reproduce this so far. 

Does the opened mail need to be special somehow?

Comment 2

[researchertriponoid]

(In reply to Magnus Melin from comment #1)
> Haven't been able to reproduce this so far. 
> 
> Does the opened mail need to be special somehow?

The thingy is there isn't any frequency in prompting the requested message. 

The opened mail that you'll need to keep open needs to contain the following html code:
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">

Steps to reproduce:
- Go to File > New > Message
- Go to Insert > HTML
- Paste the following HTML code and click Insert:
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">

-Send mail to anyone (in this case yourself) using the thunderbird client
-Open up this mail in thunderbird as a tab (by double-clicking the email, see video above)
-Perform a search and open up some emails (most effective with emails containing HTML elements)

Comment 3

[researchertriponoid]

More details about how to reproduce this:

You need to open Thunderbird and let it running for a while (in my test cases I let it run for at least 2 minutes or at least as long as the syncing of your mails is finished.)

Reproduce the exploit:
- Go to File > New > Message
- Go to Insert > HTML
- Paste the following HTML code and click Insert:
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">
- Send it to any mail in your thunderbird client. (I've called it payload)
- Send the same mail again with steps above to the same address in my demo (I've called it payload activation.)
- Close your thunderbird client
- Reopen your thunderbird client and keep it running for at least 2 minutes without doing anything
- Open the mail that you've sent to yourself as a tab
- Search for a mail using thunderbird global search within this tab
- Open several mails containing HTML code or search for the mail that you've sent earlier to yourself called payload activation. 
- After some period an XSS should be displayed. 

On this test I was using Thunderbird client 38.5.1 on Windows 10.

A new video demonstrating this security issue:
https://vid.me/Vulk

Comment 4

[Daniel Veditz [:dveditz]]

Giving this a "web-security" keyword has hidden this from client triage.

Comment 5

[researchertriponoid]

This bug still occurs on the new version: 38.6.0

Comment 6

[Matt Wobensmith [:mwobensmith][:matt:]]

Now that we have more explicit steps in comment 3, can we investigate this further?

Comment 7

[Kent James (:rkent)]

Adding Jorgk to cc: to see if he has any interest in investigating this.

Comment 8

[Al Billings [:abillings - ex-MoCo]]

Did you mean to CC someone in comment 7, Kent?

Comment 9

[Kent James (:rkent)]

(In reply to Al Billings [:abillings] from comment #8)
> Did you mean to CC someone in comment 7, Kent?

Yes, he is mozilla@jorgk.com on the cc list.

Comment 10

[Daniel Veditz [:dveditz]]

I still can't reproduce.

researchertriponoid: Could you please open the Help menu and open the "Troubleshooting Information" item. You could either use the "Copy text to clipboard" button to grab it all and paste it in here, or if you're concerned about leaking your mail server name at least copy the Extensions and the following "Important Modified Preferences" sections and attach or paste them here. Sorry I don't know the Dutch translations but hopefully they will be obvious.

Comment 11

[researchertriponoid]

Here is the paste: (Sorry for the Dutch words, I've translated the topics you are looking for) 

  Toepassingsbasics

    Naam: Thunderbird
    Versie: 38.7.2
    Useragent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
    Profielmap: Map tonen

              (Lokaal station)
    Build-ID van de toepassing: 20160402193654
    Ingeschakelde plug-ins: about:plugins
    Buildconfiguratie: about:buildconfig
    Geheugengebruik: about:memory


  Crashrapporten
    http://crash-stats.mozilla.com/report/index/bp-185268ef-894f-4e07-936d-931b02160130 (30/01/2016)

  Extensies = (Extensions)
    Lightning, 4.0.7.2, true, {e2fda1a4-762b-4020-b5ad-a41df1933103}

  Belangrijke aangepaste voorkeuren = (Important Modified Preferences)

    Naam: Waarde = (Name: Value)

      browser.cache.disk.capacity: 358400
      browser.cache.disk.smart_size_cached_value: 358400
      browser.cache.disk.smart_size.first_run: false
      browser.cache.disk.smart_size.use_old_max: false
      extensions.lastAppVersion: 38.7.2
      font.internaluseonly.changed: false
      font.name.monospace.el: Consolas
      font.name.monospace.x-cyrillic: Consolas
      font.name.monospace.x-unicode: Consolas
      font.name.monospace.x-western: Consolas
      font.name.sans-serif.el: Calibri
      font.name.sans-serif.x-cyrillic: Calibri
      font.name.sans-serif.x-unicode: Calibri
      font.name.sans-serif.x-western: Calibri
      font.name.serif.el: Cambria
      font.name.serif.x-cyrillic: Cambria
      font.name.serif.x-unicode: Cambria
      font.name.serif.x-western: Cambria
      font.size.fixed.el: 14
      font.size.fixed.x-cyrillic: 14
      font.size.fixed.x-unicode: 14
      font.size.fixed.x-western: 14
      font.size.variable.el: 17
      font.size.variable.x-cyrillic: 17
      font.size.variable.x-unicode: 17
      font.size.variable.x-western: 17
      mail.openMessageBehavior.version: 1
      mail.winsearch.firstRunDone: true
      mailnews.database.global.datastore.id: 2fdbf653-bda3-4765-8f87-a3b25aba393
      mailnews.database.global.views.conversation.columns: {"threadCol":{"visible":true,"ordinal":"1"},"flaggedCol":{"visible":true,"ordinal":"3"},"attachmentCol":{"visible":false…
      network.cookie.prefsMigrated: true
      network.predictor.cleaned-up: true
      places.database.lastMaintenance: 1460498511
      places.history.expiration.transient_current_max_pages: 101907
      plugin.importedState: true

  Grafisch = (Graphics) 

      Adapterbeschrijving: Intel(R) HD Graphics
      Vendor-ID: 0x8086
      Device-ID: 0x0046
      Adapter-RAM: Unknown
      Adapterstuurprogramma’s: igdumd64 igd10umd64 igdumdx32 igd10umd32
      Stuurprogrammaversie: 8.15.10.2900
      Datum stuurprogramma: 11-26-2012
      Direct2D ingeschakeld: false
      DirectWrite ingeschakeld: false (10.0.10240.16430)
      ClearType-parameters: ClearType-parameters niet gevonden
      WebGL-renderer: false
      GPU-versnelde vensters: 0

      AzureCanvasBackend: skia
      AzureSkiaAccelerated: 0
      AzureFallbackCanvasBackend: cairo
      AzureContentBackend: cairo

  JavaScript

  Incrementele GC: 1

  Toegankelijkheid

    Geactiveerd: 0
    Toegankelijkheid voorkomen: 0

  Bibliotheekversies

      Verwachte minimale versie
      Gebruikte versie

      NSPR
      4.10.10
      4.10.10

      NSS
      3.19.2.3 Basic ECC
      3.19.2.3 Basic ECC

      NSS Util
      3.19.2.3
      3.19.2.3

      NSS SSL
      3.19.2.3 Basic ECC
      3.19.2.3 Basic ECC

      NSS S/MIME
      3.19.2.3 Basic ECC
      3.19.2.3 Basic ECC

Comment 12

[Daniel Veditz [:dveditz]]

There's nothing in your about:support that's significantly different from what I have that would affect this functionality. I have a couple of add-ons in addition to Lightning, but even with all of them disabled I still cannot reproduce what I see in the video.

Comment 13

[researchertriponoid]

Ok so I've copied both mail sources now.

This one is the payload:
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <iframe
      style="position:absolute;top:0;left:0;width:100%;height:100%"
      onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)"><br>
    </iframe>
  </body>
</html>

and this one is the payload activation


<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <iframe
      style="position:absolute;top:0;left:0;width:100%;height:100%"
      onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)"><br>
    </iframe>
  </body>
</html>

So basically it's the same payload 2 times. 

If you are still not able to reproduce it I am allowing you to remote control my thunderbird/windows.

Comment 14

[Daniel Veditz [:dveditz]]

The bug bounty committee is going to minus this bug without a clear ability to reproduce. Please work with the community Thunderbird developers

ni?jorgk for comment 7

Comment 15

[Jorg K (CEST = GMT+2)]

I've looked at it briefly and don't think I have the right skill set, I'm sorry. Plus I was really busy with TB 45.0 and 45.1 releases and regressions.

Comment 16

[Daniel Veditz [:dveditz]]

Still can't reproduce with exactly the mails included in comment 13