Closed
Bug 305488
Opened 19 years ago
Closed 19 years ago
specific security issue with user profiles - easy exploit
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: powers.jason, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: http://download.mozilla.org/?product=thunderbird-1.0.6&os=win&lang=en-US

I bet I'm not the first to find this, but it's a pretty big hole and I'm maybe not searching the archive right. I dug around a bit and saw nothing, so I'm going to file it to you anyway to make sure. It is not my intention to waste your time with this, but I am marking it a Security Issue below.

I have a 150 PC LAN, Win2k Pro, users are all User accounts, not Power Users (they have no access to anything, really). The machines all run Thunderbird for their email client. The server's Cyrus-Imap with TLS, no nested folders. The users tend to save their passwords so that they can log into their Windows account, open Thunderbird and the email pops up without them typing their passwords again. Thunderbird profiles are saved in the default location: Documents and Settings/username/Application Data/Mozilla Thunderbird.

We had a user go out on unannounced sabbatical, which is a rare thing here, then he went AWOL. He is the only person who receives time-sensitive emails on a certain subject, so I was asked to give his email to his supervisor. I can't do this on the server anymore, it's locked down now, so: grasping at straws, I logged into the machine as Administrator and copied the user's entire Documents and Settings/username/Application Data/Mozilla Thunderbird/... directory over the Administrator's same directory, then opened Thunderbird as the Administrator... it loaded his mail! All of it. I got all of his local and remote folders, Inbox, I can send and receive, etc.

This is what I needed in this circumstance so I'm happy, but it occurs to me that if other organizations are set up this way then it would be easy to run an Outlook-style exploit on the network: typical SMB worm through Windows shares, copies all of these profiles into Admin, runs Thunderbird to check their mail, farms all of the email addys, uses the machine as a spambox. I understand this 'security hole' has more to do with Windows' retardation than your program, however I put this bug report here because it would be easier for you to protect users against it than MS.

As part of the encoded data in the profile, include the present full folder location (C:\Documents and Settings\username\Application Data\Mozilla Thunderbird\etc.etc.etc.), then 'lose' the saved password if the application triggers the profile, but the location doesn't match. You don't have to lose anything but that saved password. An honest user will reenter their password once to save it again; a sneaky admin-type like me won't have the password so I'll have to get it the proper way.

There are a TON of hospitals and medical facilities like ours adopting Thunderbird to protect themselves right now. They are NOT good at the kind of packet shaping or message filtering that a company would have to do to protect itself (in fact we are barred by regulation from filtering email on the way in, which means without educated users we are very vulnerable), and they have a ton of bandwidth, so an infection here could cause considerable harm to the net at large. I understand the conditions for this are very precise, but if they exist in other places they are very, very exploitable. I am about to begin testing it under WinXP and on a few other machines to verify. It's worked 3 times so far on computers in that same department.

Reproducible: Always

Steps to Reproduce:
1. User saves password in Thunderbird.
2. Log into the user's PC as Administrator.
3. Copy their entire 'Application Data\Mozilla Thunderbird' profile over the Administrator's.
4. Open Thunderbird as Administrator and read user's email, copy folders, send email as user, etc.

Actual Results:
Thunderbird in Administrator login behaves like it was the user's Thunderbird, sends mail as user, checks user's mail.

Expected Results:
It should have noticed it was stored in a different place, and then denied access or at least requested re-entry of the password.

Haven't tested it with Mozilla regular or Netscape, don't plan to. This 'bug/security hole/exploit' benefitted me here, but I run a pretty limited network for some limited users; sharper users could read each other's email, masquerade as them, or run VB Scripts against this problem.
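The location check the reporter proposes, written out as an added illustration (this is not Thunderbird code and not the reporter's code): the saved password is encrypted and authenticated under keys derived from the profile's canonical directory path, so a profile copied under another account's directory fails the integrity check and the stored password is simply dropped, leaving the client to prompt again. The profile paths and the password are constructed sample values; the store itself (`save_password`/`load_password`) is hypothetical. As comment 2 below points out, this does not stop an administrator who can already read the profile files; it only removes the "copy the directory and it just works" convenience. A production client would bind the secret to the logged-on OS user (for example via Windows DPAPI) rather than to a path, and would use a real AEAD cipher instead of the stdlib-only HMAC counter-mode construction used here to keep the example dependency-free.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Hypothetical profile password store, added for illustration only.
PBKDF2_ITERATIONS = 100_000


def _canonical(profile_path: str) -> str:
    # Fold case and separators the way the host OS does, so a merely
    # re-spelled path is not treated as a move (normcase is a no-op on POSIX).
    return os.path.normcase(profile_path)


def _derive_keys(profile_path: str, salt: bytes) -> Tuple[bytes, bytes]:
    # 64 bytes of key material from the canonical path: first half encrypts,
    # second half authenticates. Any other path yields unrelated keys.
    material = hashlib.pbkdf2_hmac(
        "sha256", _canonical(profile_path).encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher (stdlib only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def save_password(profile_path: str, password: str) -> dict:
    """Return the record to write into the profile (hex fields, JSON-friendly)."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(profile_path, salt)
    plaintext = password.encode("utf-8")
    stream = _keystream(enc_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "ciphertext": ciphertext.hex(), "tag": tag}


def load_password(profile_path: str, record: dict) -> Optional[str]:
    """Recover the password, or None when the profile is not where it was saved."""
    salt = bytes.fromhex(record["salt"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    enc_key, mac_key = _derive_keys(profile_path, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        # Location mismatch (or a tampered record): the saved password is
        # 'lost' and the client falls back to prompting the user.
        return None
    stream = _keystream(enc_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample paths and password, not taken from any real profile.
    user_dir = r"C:\Documents and Settings\jsmith\Application Data\Thunderbird"
    admin_dir = r"C:\Documents and Settings\Administrator\Application Data\Thunderbird"
    record = save_password(user_dir, "correct horse battery staple")
    print(load_password(user_dir, record))   # the saved password
    print(load_password(admin_dir, record))  # None: profile was copied elsewhere
```

The salt is per record, so two profiles at the same path still produce different ciphertext, and the tag covers the salt as well as the ciphertext so neither can be swapped between records without detection.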
Comment 1•19 years ago
Guys, I think we have a problem. I just reproduced this with a fresh install of Thunderbird 1.0.6 on a machine and profile that didn't have any Mozilla software before. I have a clean install of Windows down the hall I can test it out on, but so far this is coming up the same every time.
Comment 2•19 years ago
Thunderbird can't prevent administrators from seeing users' passwords and other profile data.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID