Closed Bug 389257 Opened 17 years ago Closed 17 years ago

Cross-application scripting vulnerability in SeaMonkey

Categories

(SeaMonkey :: Security, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: thor, Assigned: neil)

References

()

Details

(Keywords: fixed-seamonkey1.1.4, fixed-seamonkey1.1.5)

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070716 SeaMonkey/1.1.3

Firefox 2.0.0.5 and Thunderbird 2.0.0.5 included a command line argument called -osint which aims to prevent malicious argument injection through URL protocol handler abuse. 

SeaMonkey does not check the -osint argument. As such, it is possible to open the SeaMonkey suite from other browsers and specify arbitrary command line arguments, such as the -chrome argument.

The proof-of-concept exploit uses the mailto: URL protocol handler to open the Mail component of SeaMonkey.

This is similar to the vulnerability in http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/
Reproducible: Always

Steps to Reproduce:
1. Close any running SeaMonkey.exe instances
2. Open http://larholm.com/vuln/seamonkeymailto.html in Internet Explorer
3. SeaMonkey shows the alert
I didn't check the "security sensitive" flag on this report as it has already been detailed at http://larholm.com/2007/07/23/seamonkey-suite-affected-by-url-vulnerability/

Cheers
Depends on: IDEF2595
Checking the flag is still good -- it sends extra mail about the bug and we can always uncheck it. I didn't see this bug until well after I saw your blog post and started alerting people.

-> mcsmurf per folks on #seamonkey
Assignee: dveditz → bugzilla
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → SeaMonkey 1.1 Branch
Version: SeaMonkey 1.1 Branch → unspecified
Version: unspecified → 1.8 Branch
Flags: blocking-seamonkey1.1.4?
I tried to reproduce this with Gecko/20070716 SeaMonkey/1.1.3 and Windows XP SP2.

I closed SeaMonkey and opened above testcase in Internet Explorer 7. SeaMonkey started with a new mail compose window showing the following address:

me@nowhere.com -chrome "javascript:alert(1)"

So the -chrome argument got part of the mail address.

I also tried the same from the command line, using seamonkey.exe -compose me@nowhere.com -chrome "javascript:alert(1)"

Now I got a mail compose window and the alert box. What was different: I wasn't able to close SeaMonkey. Clicking on close removed the mail compose window but the process remained.

In my registry HKCR\mailto\shell\command contains this entry:

C:\PROGRA~1\MOZILLA.ORG\SEAMON~1\SEAMON~1.EXE -compose %1

So I can't reproduce it with my system config.
I can confirm on my WinXP SP2 laptop that using the testcase in the URL of this bug in IE7, SeaMonkey 1.1.3 comes up with only a compose window with even the -chrome in the To: line. No javascript alert, no vulnerability detected.

Can someone test this with IE6, maybe it behaves differently in this case. Else, I'm tempted to claim that this bug does not exist in SeaMonkey 1.1.3 (branch).
I have tested this with IE6 and SeaMonkey 1.1.3 on Windows XP SP2 and can confirm that I get the alert.
Attached patch Branch patch (obsolete) — Splinter Review
Attachment #274081 - Flags: superreview?(jag)
Attachment #274081 - Flags: review?(cst)
Comment on attachment 274081 [details] [diff] [review]
Branch patch

I don't understand this.
Attachment #274081 - Flags: review?(cst)
Attachment #274081 - Flags: review?(iann_bugzilla)
Comment on attachment 274081 [details] [diff] [review]
Branch patch

Let's make this a bit simpler:

#ifdef XP_WIN32
if (argc > 1 && !strcmp(argv[1], "-osint")) {
  if (argc > 4 || argc > 2 && argv[2][0] != '-' && argv[2][0] != '/')
    return 1;
}
#endif

or as Neil suggested:

#ifdef XP_WIN32
if (argc > 4 && !strcmp(argv[1], "-osint")) 
  return 1;
#endif

since we only have to worry about those cases where we ourselves put -osint on the command line, so we know it'll be followed by a '-' or '/'.
Attachment #274081 - Flags: superreview?(jag) → superreview-
Attached patch Simplified patch — Splinter Review
We can probably assume that -osint is only going to be passed by applications launching us via the registry entries so we don't have to do extensive checking but simply test that we're not seeing unexpected numbers of arguments.
Assignee: bugzilla → neil
Attachment #274081 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #274206 - Flags: superreview?(jag)
Attachment #274206 - Flags: review?(iann_bugzilla)
Attachment #274081 - Flags: review?(iann_bugzilla)
Attachment #274206 - Flags: superreview?(jag) → superreview+
Flags: blocking-seamonkey1.1.4? → blocking-seamonkey1.1.4+
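As an added example that is not part of the bug or of SeaMonkey's own patch: the stricter -osint check jag sketched in the review, wrapped in a function and run against constructed argv arrays for a normal protocol-handler launch and for one where the URL value was split into extra tokens by the launcher. It assumes the registry entry launches seamonkey.exe -osint -compose "%1".

```c
#include <stdio.h>
#include <string.h>

/* Added example (not SeaMonkey's patch): the stricter -osint check from the
 * review. Returns 1 when the command line must be rejected, 0 when it may be
 * processed. Only command lines built by the registry protocol handler are
 * checked, i.e. those starting with -osint; a direct launch is left alone. */
int osint_should_reject(int argc, const char **argv)
{
    if (argc > 1 && strcmp(argv[1], "-osint") == 0) {
        /* Expected shape: exe -osint -<option> <url>, so argc == 4.
         * More tokens mean the URL value was split into several
         * arguments by the launcher (the injection pattern in the report). */
        if (argc > 4)
            return 1;
        /* The token after -osint must be an option, never a stray value. */
        if (argc > 2 && argv[2][0] != '-' && argv[2][0] != '/')
            return 1;
    }
    return 0;
}

/* Constructed argv samples (assumption: the registry entry is
 * seamonkey.exe -osint -compose "%1"). */
const char *ARGV_OK[] = { "seamonkey.exe", "-osint", "-compose",
                          "mailto:me@nowhere.com" };
const char *ARGV_SPLIT[] = { "seamonkey.exe", "-osint", "-compose",
                             "me@nowhere.com", "-chrome", "javascript:alert(1)" };
const char *ARGV_NOFLAG[] = { "seamonkey.exe", "-osint", "me@nowhere.com" };
const char *ARGV_DIRECT[] = { "seamonkey.exe", "-compose", "me@nowhere.com" };

#define ARGC(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    printf("handler launch -> reject=%d\n", osint_should_reject(ARGC(ARGV_OK), ARGV_OK));
    printf("split URL      -> reject=%d\n", osint_should_reject(ARGC(ARGV_SPLIT), ARGV_SPLIT));
    printf("no option      -> reject=%d\n", osint_should_reject(ARGC(ARGV_NOFLAG), ARGV_NOFLAG));
    printf("direct launch  -> reject=%d\n", osint_should_reject(ARGC(ARGV_DIRECT), ARGV_DIRECT));
    return 0;
}
```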
Comment on attachment 274206 [details] [diff] [review]
Simplified patch

Once this has proper reviews (I hope this is very soon, we should really get 1.1.4 out the door), please check this in to both MOZILLA_1_8_BRANCH (1.1.5) and GECKO181_20070712_RELBRANCH (1.1.4)
Attachment #274206 - Flags: approval-seamonkey1.1.5+
Attachment #274206 - Flags: approval-seamonkey1.1.4+
Comment on attachment 274206 [details] [diff] [review]
Simplified patch

r=me
Attachment #274206 - Flags: review?(iann_bugzilla) → review+
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED