1411720 - (CVE-2018-5161) TBE-01-017: Multiple Hangs via malformed Headers

Status: RESOLVED FIXED

(MailNews Core :: MIME, defect)

Description

[Ben Bucksch (:BenB)]

An issue was discovered to let an attacker craft an email which causes the victim’s Thunderbird process to hang on receiving the message. For some test cases, the hang persisted across a restart of the Thunderbird software, thus making it impossible to use the application unless the email was deleted via the mail provider’s web interface. Below is an example of an email culprit.

Email which causes a hang:
Content-Type: text/plain
Subject: HANG!
From: evil@attacker
To: sad@victim
CC: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

meowmeow

Once the email is processed, Thunderbird freezes and consumes 100% of the CPU
resources. Moreover, the amount of used memory increases. This problem is caused by an escaping algorithm which processes the header field in a manner presented next

@@ => "@"@
@@@ => "\"@\"@"@
@@@@ => "\"\\\"@\\\"@\"@"@
@@@@@@ => "\"\\\"\\\\\\\"\\\\\\\\\\\\\\\"@\\\\\\\\\\\\\\\"@\\\\\\\"@\\\"@\"@"@

Adding @ characters to the header entry increases the length of the encoded string exponentially, thus resulting in high CPU and memory consumption. All header types permitted to contain email addresses, e.g. From, To, BCC, Resent-From, are affected by this issue. It is recommended to review and fix the escaping algorithm to avoid Denial of Service and foster more robust parsing.

For the original report as PDF; see bug 1411701.

Comment 1

[Wayne Mery (:wsmwk)]

Sounds like bug 1293245

Comment 2

[Daniel Veditz [:dveditz]]

Calling this sec-moderate if the DOS persists across restarts. If it's a startup DOS with no way to clear it short of hand-editing mailbox files we could call it sec-high.

Comment 3

[Ben Bucksch (:BenB)]

xref bug 1293245

Magnus says this is in JSMime

Comment 5

[Philipp Kewisch [:Fallen][📱📆]]

Magnus, can you suggest a fix for this issue, or at least an analysis for the cause?

Comment 6

[Wayne Mery (:wsmwk)]

(In reply to Daniel Veditz [:dveditz] from comment #2)
> Calling this sec-moderate if the DOS persists across restarts. If it's a
> startup DOS with no way to clear it short of hand-editing mailbox files we
> could call it sec-high.

In bug 1293245 comment 10 I provide expanded information about a crash I experienced while testing. I haven't yet been able to speak with the crashing users to confirm, but I think it is possible some users may repeatedly hang or crash on restart.

Comment 7

[Magnus Melin [:mkmelin]]

I believe the issue is around here: https://dxr.mozilla.org/comm-central/rev/bdfa5f49559ea2934ac930efd731ec5c5d5cc3ae/mailnews/mime/jsmime/jsmime.js#890 - but I could be wrong.

Comment 8

[Magnus Melin [:mkmelin]]

Attachment: bug1411720_malformed_header_hang.patch

This seems to do it.

Try (still running): https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=3fba1aabcfda482850e3d791b1a54e8ba2452fb9

Comment 9

[Magnus Melin [:mkmelin]]

Attachment: bug1293245_@@@hang.eml (testcase)

Test case. Just open this to hang.

Comment 10

[Magnus Melin [:mkmelin]]

The patch also fixes bug 1293245.

Comment 11

[Jorg K (CEST = GMT+2)]

Comment on attachment 8953864 [details] [diff] [review]
bug1411720_malformed_header_hang.patch

Looks reasonable and passes all the tests, including the new ones ;-)
Thanks for taking this on and sorry about the delay in reviewing this.

Comment 12

[Jorg K (CEST = GMT+2)]

https://hg.mozilla.org/comm-central/rev/9d5235fbda18ee290a2731bb20126a6fda92452f
prevent hang with malformed headers. r=jorgk

Comment 13

[Jorg K (CEST = GMT+2)]

Comment on attachment 8953864 [details] [diff] [review]
bug1411720_malformed_header_hang.patch

Already landed on TB 60.

Comment 14

[Jorg K (CEST = GMT+2)]

TB 52.8 ESR:
https://hg.mozilla.org/releases/comm-esr52/rev/162f2e1f956d59f134d9bf4c7da5032ec0e837dc