Closed Bug 1789061 (CVE-2022-3155) Opened 2 years ago Closed 2 years ago

Thunderbird for macOS (Version 102.2.1) contains a vulnerability to enable Gatekeeper bypass.

Categories

(Thunderbird :: Security, defect)

Thunderbird 102
ARM64
macOS
defect

Tracking

(thunderbird_esr102 fixed, thunderbird105 wontfix, thunderbird106 fixed)

VERIFIED FIXED
106 Branch
Tracking Status
thunderbird_esr102 --- fixed
thunderbird105 --- wontfix
thunderbird106 --- fixed

People

(Reporter: tsunekou1019, Assigned: rjl)

Details

(Keywords: sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Summary:

Thunderbird for macOS (Version 102.2.1) contains a vulnerability to enable Gatekeeper bypass.

Background (Gatekeeper):

Gatekeeper is a security mechanism of recent macOS to prevent the execution of an unverified application. This feature builds upon File Quarantine, which works by adding the com.apple.quarantine attribute to downloaded files. When an application with the com.apple.quarantine attribute is launched, Gatekeeper checks its code signature and its notarization requirement. If these checks fail, the application is not executed. Files without the com.apple.quarantine attribute are regarded as local files, i.e., these files are trusted, and Gatekeeper does not check these files. The com.apple.quarantine attribute is typically added to files downloaded from the internet by applications such as Safari and the macOS mail client.

Vulnerability Descriptions:

Thunderbird for macOS does not add the com.apple.quarantine attribute to files attached to e-mails. So, when the attached file (e.g., a zipped application bundle) is saved locally and executed, its code signature and notarization requirement are not checked.

Steps to reproduce:

  1. Save a file attached to an e-mail. In this example, an application bundle named Test.app (neither code-signed nor notarized) is zipped and attached to the e-mail as Test.zip.
  2. Check the extended file attributes of Test.zip by running the xattr command. We cannot see the com.apple.quarantine attribute.
  3. Unarchive Test.zip and run the extracted Test.app. Gatekeeper does not check its execution. So, Test.app is successfully launched even though it is neither code-signed nor notarized.

I have also attached a PoC movie. Please check it.

Suggested fix:

The com.apple.quarantine attribute should be added to files attached to e-mails. We can manually add this attribute by calling setResourceValues(_:) (https://developer.apple.com/documentation/foundation/url/1779940-setresourcevalues). For more details, see the talk by Patrick Wardle (https://archive.org/details/Gatekeeper_Exposed).

Group: firefox-core-security → mail-core-security
OS: Unspecified → macOS
Product: Firefox → Thunderbird
Hardware: Unspecified → ARM64
Version: unspecified → Thunderbird 102
Attached video poc.mp4

PoC movie

A quick search of mozilla-central didn't turn up any use of setResourceValues. However, in the Info.plist file shipped with Firefox, LSFileQuarantineEnabled is set to true. Per https://developer.apple.com/documentation/bundleresources/information_property_list/lsfilequarantineenabled?language=objc, "A Boolean value indicating whether the files this app creates are quarantined by default." It's not set in Thunderbird's Info.plist. Should be easy enough to check.

It seems to be a better solution to set LSFileQuarantineEnabled to true. For other mail clients such as Microsoft Outlook, LSFileQuarantineEnabled in Info.plist is set to true as follows. So, it would be ok.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>CFBundlePackageType</key>
        <string>APPL</string>
        <key>DTPlatformVersion</key>
        <string>12.3</string>
        <key>DTSDKBuild</key>
        <string>21E226</string>
        <key>NSAppleScriptEnabled</key>
        <string>Yes</string>
        <key>LSFileQuarantineEnabled</key>
        <true/>
        <key>NSPrincipalClass</key>
        <string>CErageCocoaApp</string>
        <key>OneAuthConfiguration</key>
        <dict>
                <key>OneAuthApplicationName</key>
                <string>Microsoft Outlook</string>
                <key>OneAuthApplicationID</key>
                <string>com.microsoft.Outlook</string>
        </dict>
...
Attached file poc.zip

Attaching a very simple macOS application bundle that can be used for testing. The executable itself is a bash script that runs an osascript command to display a 'Hello World' dialog.

I tested by emailing the poc.zip file to a test account. I saved it to the Desktop and checked the output of xattr -l poc.zip. The com.apple.quarantine attribute was not present.

After unzipping, I was able to execute the test application and the dialog displayed.

There's some good information in bug 1305339.

Most interesting is bug 1305339 comment 16, which refers to an Exceptions.plist file that is part of the OS and enforces the quarantining. That file does include org.mozilla.thunderbird, which is the bundle id in Thunderbird release and beta builds. Daily would be org.mozilla.thunderbird-daily. But it doesn't seem to be working.

One thing I had been concerned about, setting LSFileQuarantineEnabled means that all files created by the application will have com.apple.quarantine set. I was wondering if the profile directory would need any special handling. But, on my Mac, I can see that the Firefox profile files all have the attribute set, so it should be okay for Thunderbird as well. Nothing would be executing out of there anyway.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → rob
Status: NEW → ASSIGNED
Attachment #9293022 - Attachment description: Bug 1789061 - Update macOS Info.list. r=kaie → Bug 1789061 - Update macOS Info.plist. r=kaie

I tested the patch in comment 6 with a local build (no try-c-c build). After saving the attachment, I verified that the com.apple.quarantine attribute was set. I also verified that it was set on the application bundle after unzipping. When I tried to run it, the untrusted developer/application popup appeared as expected.
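The two checks made in this bug, whether an Info.plist opts in to LSFileQuarantineEnabled and whether a saved attachment carries com.apple.quarantine in `xattr -l` output, as an added audit script that is not part of the bug's attachments or Thunderbird's code. The Thunderbird install path, the two plist fragments and the xattr listing are assumed or constructed; only the live xattr call needs macOS.

```python
#!/usr/bin/env python3
"""Audit the two things this bug turns on: does an app's Info.plist set
LSFileQuarantineEnabled, and does a saved attachment carry com.apple.quarantine?
Added example, not Thunderbird's code; sample plists and xattr output are constructed."""
import plistlib
import subprocess
from pathlib import Path

QUARANTINE_KEY = "LSFileQuarantineEnabled"
QUARANTINE_XATTR = "com.apple.quarantine"


def quarantine_opt_in(info_plist: bytes) -> bool:
    """True only if Info.plist sets LSFileQuarantineEnabled to boolean <true/>.
    A missing key (Thunderbird before the fix) or a <string> value counts as not opted in."""
    return plistlib.loads(info_plist).get(QUARANTINE_KEY) is True


def parse_xattr_listing(listing: str) -> dict:
    """Parse `xattr -l <file>` output ("name: value" per line) into a dict."""
    attrs = {}
    for line in listing.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def saved_file_is_quarantined(path: Path) -> bool:
    """macOS only: run xattr on a saved attachment and report whether the
    quarantine attribute is present (expected True after the fix, False on 102.2.1)."""
    out = subprocess.run(["xattr", "-l", str(path)], capture_output=True,
                         text=True, check=True).stdout
    return QUARANTINE_XATTR in parse_xattr_listing(out)


# Constructed Info.plist fragments: Outlook-style opt-in vs. a plist lacking the key.
OPTED_IN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.mozilla.thunderbird</string>
  <key>LSFileQuarantineEnabled</key><true/>
</dict></plist>"""
NOT_OPTED_IN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.mozilla.thunderbird</string>
</dict></plist>"""
# Constructed `xattr -l` line for a quarantined download (value: flags;timestamp;agent;uuid).
SAMPLE_XATTR = "com.apple.quarantine: 0083;63197e49;Thunderbird;00000000-0000-0000-0000-000000000000\n"

if __name__ == "__main__":
    plist = Path("/Applications/Thunderbird.app/Contents/Info.plist")  # assumed install path
    if plist.exists():
        print(QUARANTINE_KEY, "set:", quarantine_opt_in(plist.read_bytes()))
```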

Koh M. Nakagawa, thanks a lot for your report and your advice.

If I understand correctly, the user is still required to make the decision to execute the attachment.
Also, in previous versions of macOS, the OS did not prevent the user from executing it.
Is my understanding correct?

It's difficult to decide whether this bug is a security issue, or whether it's simply a "Thunderbird does not yet enable the new feature to make it more difficult to execute attached applications".

Tom or Freddy, what's your opinion, omission bug, or security issue?

If I understand correctly, the user is still required to make the decision to execute the attachment.

Yes. User interaction is still required.

Also, in previous versions of macOS, the OS did not prevent the user from executing it.

Yes, but Gatekeeper was introduced in Mac OS X Lion (10.7.5), which was released about 10 years ago. So, few users use such an old macOS that does not prevent the user from executing it.

It's difficult to decide whether this bug is a security issue, or whether it's simply a "Thunderbird does not yet enable the new feature to make it more difficult to execute attached applications".

Similar bugs have been treated as security issues before, e.g., CVE-2019-17051 (https://www.cvedetails.com/cve/CVE-2019-17051/). So, I think this is also regarded as a security issue.

Yeah, I'd say this is a sec-low type issue.

Tom, can you please assign CVE?

Flags: needinfo?(tom)
Keywords: sec-low

Please review this suggested CVE wording.

CVE-??:
    title: Attachment files saved to disk on macOS could be executed without warning
    impact: low
    reporter: Koh M. Nakagawa
    description: |
      When saving or opening an email attachment on macOS, Thunderbird
      did not set attribute com.apple.quarantine on the received file. If the
      received file was an application and the user attempted to open it,
      then the application was started immediately without asking the user
      to confirm.
    bugs:
      - url: 1789061

note: I've modified the previous comment and suggested wording.

Alias: CVE-2022-3155
Flags: needinfo?(tom)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Verified on Thunderbird Daily (2022-09-08).

Status: RESOLVED → VERIFIED

Comment on attachment 9293022 [details]
Bug 1789061 - Update macOS Info.plist. r=kaie

[Approval Request Comment]
Regression caused by (bug #): N/A
User impact if declined: Users are potentially able to run emailed apps without a quarantine popup
Testing completed (on c-c, etc.): comm-central
Risk to taking this patch (and alternatives if risky):
Should be low risk, Firefox has been setting the quarantine attribute on created files for some time now.

Attachment #9293022 - Flags: approval-comm-esr102?
Attachment #9293022 - Flags: approval-comm-beta?

Comment on attachment 9293022 [details]
Bug 1789061 - Update macOS Info.plist. r=kaie

[Triage Comment]
Approved for beta

Attachment #9293022 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9293022 [details]
Bug 1789061 - Update macOS Info.plist. r=kaie

[Triage Comment]
Approved for esr102

Attachment #9293022 - Flags: approval-comm-esr102? → approval-comm-esr102+

Comment on attachment 9293022 [details]
Bug 1789061 - Update macOS Info.plist. r=kaie

Didn't get into 105.0beta. Will be in 106.0b1 next week.

Attachment #9293022 - Flags: approval-comm-beta+

Hello.

I plan to disclose the details of this vulnerability at CODE BLUE 2023, but is it OK? Are there any restrictions on this?

I don't think so, this has been fixed on release for over a year.

OK. Thank you.

I agree, it's ok to disclose.

Group: mail-core-security
