Open
Bug 1475720
Opened 6 years ago
Updated 2 years ago
NS_MSG_DISPLAY_HOOK envar isn't sanitized which enables arbitrary code execution
Categories
(Thunderbird :: General, defect)
Tracking
(Not tracked)
NEW
People
(Reporter: jsbruner, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: sec-other)
Attachments
(1 file)
2.00 KB, text/plain
If a user's environment variables can be attacker controlled, they can be used to cause privilege escalation / code execution.
(Note that TB's threat model may assume the environment is trusted, in which case this is a functional bug and not a security bug. For reference, according to Alex_Gaynor, Fx does NOT consider this part of their threat model.)
[ Steps to Reproduce ]
1. Close Thunderbird
2. Set the NS_MSG_DISPLAY_HOOK environment variable to some malicious/other application. For instance, "export NS_MSG_DISPLAY_HOOK=ping"
3. Execute Thunderbird via the command line.
4. Click on a message and view it.
[ Actual Results ]
Somewhere between steps 3 and 4, you should see something like:
"usage: ping [-AaDdfnoQqRrv] [-c count] [-G sweepmaxsize]
[-g sweepminsize] [-h sweepincrsize] [-i wait]
[-l preload] [-M mask | time] [-m ttl] [-p pattern]
[-S src_addr] [-s packetsize] [-t timeout][-W waittime]
[-z tos] host
ping [-AaDdfLnoQqRrv] [-c count] [-I iface] [-i wait]
[-l preload] [-M mask | time] [-m ttl] [-p pattern] [-S src_addr]
[-s packetsize] [-T ttl] [-t timeout] [-W waittime]
[-z tos] mcast-group
Apple specific options (to be specified before mcast-group or host like all options)
-b boundif # bind the socket to the interface
-k traffic_class # set traffic class socket option
-K net_service_type # set traffic class socket options
-apple-connect # call connect(2) in the socket
-apple-time # display current time"
Which demonstrates that ping was executed.
[ Expected Results ]
The specified command (in this case "ping") should not be executed.
[ Relevant code ]
The issue lies in the MimeHeaders_do_unix_display_hook_hack function in mailnews/mime/src/mimehdrs.cpp.
That function reads the envar:
cmd = getenv("NS_MSG_DISPLAY_HOOK");
and then calls popen with that:
FILE *fp = popen(cmd, "w");
Notice also that this whole function is wrapped in a #ifdef XP_UNIX block, so it affects Linux and macOS.
[ Recommendation ]
Perform sanitation before calling popen in MimeHeaders_do_unix_display_hook_hack.
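As an added illustration of the recommendation (example code written here, not Thunderbird's own), this validates a hook command and feeds it the header block without a shell. The function names hook_cmd_is_acceptable and run_display_hook are assumptions; popen() hands the string to /bin/sh, so any shell metacharacter in the variable becomes a command, while execv() with a fixed argv does not.

```c
/* Added example, not Thunderbird's code: validate a display-hook command and run
 * it without a shell. popen() passes the string to /bin/sh, so any shell
 * metacharacter in the variable becomes a command; execv() with a fixed argv does not. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Accept only an absolute path to a regular executable owned by root or the current
 * user, not writable by group/others, containing nothing a shell would interpret. */
int hook_cmd_is_acceptable(const char *cmd) {
    struct stat st;
    if (!cmd || cmd[0] != '/' || strlen(cmd) > 255) return 0;
    if (strpbrk(cmd, " \t\n;|&$`<>()*?[]{}\\\"'") != NULL) return 0;
    if (stat(cmd, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return access(cmd, X_OK) == 0;
}
/* Pipe the header block to the hook's stdin (what the original hack does with
 * popen(cmd, "w")) via fork()+execv(). Returns the hook's exit status, or -1. */
int run_display_hook(const char *cmd, const char *headers) {
    int fds[2], status;
    if (!hook_cmd_is_acceptable(cmd) || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* child: stdin <- pipe, then exec */
        char *const argv[] = { (char *)cmd, NULL };
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execv(cmd, argv);
        _exit(127);                          /* only reached if execv() failed */
    }
    close(fds[0]);                           /* parent: feed headers, then wait */
    size_t len = strlen(headers);
    ssize_t n = write(fds[1], headers, len); /* one write is enough for a header block */
    close(fds[1]);
    if (waitpid(pid, &status, 0) != pid || n != (ssize_t)len) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) {
    /* Constructed check: the bare "ping" the report sets is rejected here. */
    const char *cmd = getenv("NS_MSG_DISPLAY_HOOK");
    printf("%s: %s\n", cmd ? cmd : "(unset)",
           hook_cmd_is_acceptable(cmd) ? "accepted" : "rejected");
    return 0;
}
```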
Comment 1•6 years ago
The comments here say "The command is expected to be safe from hostile input!!", which matches the Firefox threat model and can probably be unhidden.
Still, it's very old code, predating the first hg check-in, so it's hard to know who wrote "This piece of junk is so that I can use BBDB with Mozilla." If no one still needs anything like this, it's best to rip this code out.
Flags: needinfo?(vseerror)
Keywords: sec-other
Comment 2•6 years ago
Technical question, so redirecting
Flags: needinfo?(vseerror) → needinfo?(mkmelin+mozilla)
Comment 3•6 years ago
I agree this model should assume the environment is trusted. Otherwise an attacker could just as well associate the Thunderbird command to do arbitrary actions.
That said, this is probably very known code and should be removed, preferably after we implement bug 80439, which should cover the use case in a more general and discoverable fashion.
Group: mail-core-security
Flags: needinfo?(mkmelin+mozilla)
Summary: NS_MSG_DISPLAY_HOOK envar isn't sanitized which enables arbitrary code execution / priv esclation. → NS_MSG_DISPLAY_HOOK envar isn't sanitized which enables arbitrary code execution
Updated•2 years ago
Severity: normal → S3