Closed Bug 1212138 Opened 9 years ago Closed 9 years ago

Information leakage using <img src> with news or nntp URI scheme

Categories

(Thunderbird :: Security, defect)

38 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 968342

People

(Reporter: a, Unassigned)

Details

(Keywords: privacy, reporter-external, sec-moderate)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150511103303

Steps to reproduce:

Opened a crafted HTML email such as the following:

From alech@alech.invalid Sun Mar 6 16:11:05 2011
To: alech@alech.invalid
From: Alexander Klink <alech@alech.invalid>
Subject: nntp url leaking
Message-ID: <56141D44.4000209@test.invalid>
Date: Tue, 6 Oct 2015 21:13:08 +0200
Content-Type: text/html

<img src="nntp://0x90.eu/foo/123">

Alternatively, news://0x90.eu works, too. (news://0x90.eu/foo/123 pops up a dialog asking whether I want to subscribe to foo).

Actual results:

Thunderbird creates an NNTP connection to 0x90.eu, thus leaking the user's IP address (which is prevented when using HTTP).

On 0x90.eu, I created a fake NNTP server using

# cat nntp.sh
#!/bin/sh
/bin/echo -e "500 wombatvax news server ready - posting ok\r"
read line

# socat -v -D TCP-LISTEN:nntp,fork,reuseaddr,ip-pktinfo EXEC:./nntp.sh

In the socat output, it can be seen that Thunderbird connects to the server and then sends a QUIT command:

< 2015/10/07 00:53:36.859143 length=46 from=0 to=45
500 wombatvax news server ready - posting ok\r
> 2015/10/07 00:53:36.989454 length=6 from=0 to=5
QUIT\r

Expected results:

Thunderbird should not have created a TCP connection without the user's consent (similar to the "remote image loading" dialog, when HTTP is used for the same purpose).
In addition, for every such host, a new news server is automatically created in the GUI, which would allow attackers to put information in the GUI until the user realizes how to delete news servers ...
I just verified it also on the nightly (44.0a1, 2015-10-06).
The snews: URI scheme is also affected.
Flags: sec-bounty?
Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block these? Can you confirm this?
Flags: needinfo?(vseerror)
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block
> these? Can you confirm this?

Joshua or Kent probably know
Flags: needinfo?(vseerror) → needinfo?(rkent)
I didn't verify exactly where in the code this is not blocked, but nsMsgContentPolicy has a list of "exposed protocols", quote:

 * Determines if the content location is a scheme that we're willing to expose
 * for unlimited loading of content.

cf. http://hg.mozilla.org/comm-central/file/fb83f130e2d5/mailnews/base/src/nsMsgContentPolicy.cpp#l384 and around.

The list is the following: mailto, news, snews, nntp, imap, addbook, pop, mailbox, about.

I couldn't manage to get any connections using imap or pop; I assume the other ones are unable to make remote connections, anyways.
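One way a mail gateway or message filter could detect the pattern from the original report, using the nsMsgContentPolicy scheme list quoted in the comment above. This is an added example, not Thunderbird's code or the reporter's; the auto-loading tag/attribute list, the sample message and its hostnames are assumptions for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Scheme list quoted from nsMsgContentPolicy in the comment above; the reporter
# found that the news/snews/nntp members open a TCP connection with no prompt.
EXPOSED_SCHEMES = {"mailto", "news", "snews", "nntp", "imap", "addbook",
                   "pop", "mailbox", "about"}
NETWORK_SCHEMES = {"news", "snews", "nntp"}
# Tag/attribute pairs a renderer fetches without a click (assumed list for
# this example; the report itself only demonstrates <img src>).
AUTO_LOAD_ATTRS = {("img", "src"), ("iframe", "src"), ("embed", "src"),
                   ("object", "data"), ("link", "href"), ("script", "src")}


class _ResourceCollector(HTMLParser):
    """Collects (tag, url) for attributes that trigger an automatic load."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTO_LOAD_ATTRS:
                self.found.append((tag, value.strip()))


def scan_message(raw_message):
    """(tag, url, scheme, opens_tcp) per auto-loaded exposed-scheme resource."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ResourceCollector()
        collector.feed(part.get_content())
        for tag, url in collector.found:
            scheme = urlsplit(url).scheme.lower()
            if scheme in EXPOSED_SCHEMES:
                findings.append((tag, url, scheme, scheme in NETWORK_SCHEMES))
    return findings


# Constructed sample message; hostnames are placeholders, not the reporter's.
# The <a href> link needs a click, so it is not reported as an automatic load.
SAMPLE_EMAIL = """\
From: sender@example.invalid
Content-Type: text/html

<img src="nntp://news.example.invalid/foo/123">
<img src="https://cdn.example.invalid/pixel.gif">
<a href="news://news.example.invalid/mozilla.dev.apps.thunderbird">read</a>
"""
```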
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block
> these? Can you confirm this?

In some sense, they're necessary, since we rewrite cid: links in files to the message URL + some extra query parameters.

This is a dupe of at least bug 968342, and I think there's another one, but I'm not finding that one right now.
I should add that the type of a news://server/group check should be something like application/x-message-newsgroup, which should prevent it from being usable as a subdocument resource. Although bug 108203 would probably preempt any sort of leak here, to the extent that anything can be prevented (note that URLs like <news://news.mozilla.org/mozilla.dev.apps.thunderbird> or the article format are perfectly valid URLs that we'd want to handle if someone clicks on them in a webpage).
I don't really see how bug 108203 would prevent anything there, can you elaborate please? Also, this is not about clicking on it (which I'd consider a perfectly valid non-information-leaky use case), but use in an image source. Has anyone tried my original test case?
Sorry that should be bug 108293. (The irony is that the typo still refers to an NNTP bug). Fundamentally, the code paths that go through an image source versus clicking on something are remarkably similar--you're requesting a URL load in the backend either way.
Ah, OK, 10829 makes more sense :-). Well, for privacy reasons, I still believe this load should not happen in the first place. I assume most Thunderbird users have no idea what NNTP and newsgroups actually are ... Also, as mentioned in comment 4, the UI doesn't even mention newsgroups in some cases, making it potentially even more confusing for users.
Joshua seems to be responding to the issues here.
Flags: needinfo?(rkent)
It's been ten days without contact. Any info on how you plan to resolve this?
It's been nearly two months since the original report, any plans on resolving this bug?
(In reply to Joshua Cranmer [:jcranmer] from comment #8)
> (In reply to Daniel Veditz [:dveditz] from comment #5)
> > Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block
> > these? Can you confirm this?
>
> In some sense, they're necessary, since we rewrite cid: links in files to
> the message URL + some extra query parameters.
>
> This is a dupe of at least bug 968342, and I think there's another one, but
> I'm not finding that one right now.

Are you thinking of bug 968334 ?

Reasonable to dup to bug 968342?
Flags: needinfo?(Pidgeot18)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
(In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #16)
> Reasonable to dup to bug 968342?

Yep, although it's already been done. :-)
Flags: needinfo?(Pidgeot18)
Flags: sec-bounty? → sec-bounty+
Group: mail-core-security