Closed Bug 300246 (sa15907) Opened 19 years ago Closed 19 years ago

Spoofing via attachment dragging

Categories

(Thunderbird :: Mail Window Front End, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird1.1

People

(Reporter: dveditz, Assigned: mscott)

References

Details

(Keywords: fixed-seamonkey1.1.3, Whiteboard: [sg:spoof][approval‑seamonkey1.1.3+])

Attachments

(4 files, 1 obsolete file)

From Andreas Sandblad, Secunia Research

-- SA15907: Mozilla Thunderbird Attachment Spoofing Vulnerability --

Secunia Research has discovered a vulnerability in Thunderbird, which can be
exploited by malicious people to trick users into downloading malicious attachments.

The vulnerability is caused due to attachments not being displayed correctly in
mails. This can be exploited to spoof the file extension and the associated file
type icon via a combination of overly long filenames containing whitespaces and
"Content-Type" headers not matching the file extension.

Successful exploitation may lead to malware being saved to e.g. the desktop.

NOTE: Attachments can be saved by dragging the attachment or using the "Save
As..." or "Save All..." functionality. For files on the desktop the icon can be
spoofed if it e.g. is a ".exe" or ".lnk" file.

-- PoC (Proof of Concept) --
The raw mail source to be sent can be found in mail.txt (in poc.zip). It is
recommended to send it manually via a telnet session.
E.g.:
telnet <SMTP server> 25
HELO <SMTP server>
MAIL FROM: <FROM>
RCPT TO: <TO>
DATA
<mail.txt>

.

QUIT

Open mail, drag attachment to desktop and double click on it (see attached
screendumps). "You are vulnerable!" should be displayed in a dos window.
--

The vulnerability has been confirmed in Thunderbird 1.0.2 for Windows. Other
versions may also be affected.

Discovered by: Andreas Sandblad, Secunia Research
Attached file zipped testcase mail
If you "Open" the attachment (double-click) you get the helper-app dialog which
truncates on the left and strips out extra spaces to show the true .lnk
extension, although it does say "which is a: Text Document" because of the
Content-Type: text/plain. The dialog defaults to "Save", but the "Open" choice
is not disabled as it should be for executable types, but is harmless because
we'll open it in the default text handler (e.g. notepad).

But if you drag it you never see that, and by default the Windows OS is going to
hide the .lnk extension.

There's some similarity to the Michael Krax "firedragging" bug 279945. That fix
was specific to image dragging code, though, and that approach probably doesn't
work here: we can't just neuter executable extensions because it might actually
be a legitimate executable the user wants.

If we kept the true extension from getting pushed off the side that would go a
long way toward preventing this type of spoofing. Like the helper app dialog we
need to squeeze out runs of spaces, and truncate on the left if necessary to
keep the end of the filename visible.
Whiteboard: [sg:spoof]
Alias: sa15907
Flags: blocking1.8b4?
Flags: blocking-aviary1.0.6?
I'll try to look at this. If you know where the helper app code lives that does
this fix up, that would help. 
Status: NEW → ASSIGNED
Flags: blocking1.8b4? → blocking1.8b4+
Target Milestone: --- → Thunderbird1.1
Attached patch the fix (obsolete) — Splinter Review
It looks like crop="center" now works! So I backed out our change to Bug
#245331 which allowed the attachment name to have an arbitrary width so we
would never truncate off the extension. Now each attachment name is given 15em
again. We then crop long names in the middle. I copied the code the external
helper app dialog is using to strip down chunks of white space into a single
space. 

All of these issues are desirable UI changes.

The plus side is that fixing them the way we wanted them all along also fixes
this security issue.
Attachment #190485 - Flags: superreview?(bienvenu)
Comment on attachment 190485 [details] [diff] [review]
the fix

cool
Attachment #190485 - Flags: superreview?(bienvenu) → superreview+
includes the changes to pinstripe in case this patch lands on a branch
Attachment #190485 - Attachment is obsolete: true
Attachment #190646 - Flags: superreview+
Dan, I've checked this in and we now get rid of the extra white space and we
crop the file name so you always see the extension. Let me know if there's more
work you'd like to see here. 
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Flags: blocking-aviary1.0.7?
Group: security
Comment on attachment 190646 [details] [diff] [review]
fix for checking in

a=dveditz for drivers
Attachment #190646 - Flags: approval-aviary1.0.8+
Too late for 1.0.8/1.7.14.
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.8-
Flags: blocking-aviary1.0.8+
Comment on attachment 190646 [details] [diff] [review]
fix for checking in

Too late for 1.0.8
Attachment #190646 - Flags: approval-aviary1.0.8+ → approval-aviary1.0.8-
Flags: blocking-aviary1.0.7?
Attached patch SeaMonkey patch — Splinter Review
Changes needed for SeaMonkey's attachment box. I did only strip trailing whitespace to avoid Windows dropping them in filename extensions; inner whitespace will be caught by the crop attribute anyway.
The patch is against trunk, but should apply to branch with no real changes.
Requesting approval‑seamonkey1.1.3 via whiteboard. :-/
Attachment #271260 - Flags: superreview?(neil)
Attachment #271260 - Flags: review?(neil)
Whiteboard: [sg:spoof] → [sg:spoof][approval‑seamonkey1.1.3?]
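An added example, not code from either patch attached to this bug, modelling in plain JavaScript the two display-name treatments discussed above: the Thunderbird fix (squeeze runs of whitespace into a single space, then crop in the middle so the extension always stays visible) and the SeaMonkey variant (strip only trailing whitespace and rely on center cropping). The spoofed filename, the 30-character label width and all function names are constructed for illustration; the real front end gets its width from the 15em box and the XUL `crop="center"` attribute rather than from a string function.

```javascript
// Added example (not the patch from this bug). Models how an attachment label
// can be rendered so that a spoofed name cannot push the real extension out of
// view. Function names and the 30-character width are assumptions.

// Constructed spoofed name: reads "report.txt", but a long run of spaces hides
// the real ".lnk" extension at the far right of a naively truncated label.
const SPOOFED_NAME = "report.txt" + " ".repeat(200) + ".lnk";

// Last extension of a name, ignoring surrounding whitespace ("" if none).
function extensionOf(name) {
  const m = /\.([^.\s]+)$/.exec(name.trim());
  return m ? "." + m[1] : "";
}

// Pre-fix behaviour (modelled): a fixed-width label that simply cuts the name
// off on the right, so everything past maxLen characters disappears.
function naiveDisplay(name, maxLen) {
  return name.slice(0, maxLen);
}

// Thunderbird fix, step 1: squeeze runs of whitespace into a single space,
// mirroring what the helper-app dialog already did.
function collapseWhitespace(name) {
  return name.replace(/\s+/g, " ");
}

// SeaMonkey variant: only trailing whitespace is removed; inner whitespace is
// left for the crop to deal with.
function stripTrailingWhitespace(name) {
  return name.replace(/\s+$/, "");
}

// Step 2, crop="center": keep the start and the end of the name and drop the
// middle, so the extension is always part of what is shown.
function cropCenter(name, maxLen) {
  const ellipsis = "...";
  if (name.length <= maxLen) return name;
  const keep = maxLen - ellipsis.length;
  const tail = Math.ceil(keep / 2);
  const head = keep - tail;
  return name.slice(0, head) + ellipsis + name.slice(name.length - tail);
}

// Thunderbird: collapse whitespace, then crop in the middle.
function thunderbirdDisplay(name, maxLen = 30) {
  return cropCenter(collapseWhitespace(name), maxLen);
}

// SeaMonkey: strip trailing whitespace, then crop in the middle.
function seamonkeyDisplay(name, maxLen = 30) {
  return cropCenter(stripTrailingWhitespace(name), maxLen);
}

// True when the rendered label shows the same extension as the real name.
function extensionPreserved(render, name, maxLen = 30) {
  return extensionOf(render(name, maxLen)) === extensionOf(name);
}

for (const [label, render] of [
  ["naive", naiveDisplay],
  ["thunderbird", thunderbirdDisplay],
  ["seamonkey", seamonkeyDisplay],
]) {
  console.log(
    label.padEnd(12),
    JSON.stringify(render(SPOOFED_NAME, 30)),
    extensionPreserved(render, SPOOFED_NAME) ? "extension visible" : "extension hidden"
  );
}
```

Running it shows the naive label ending in "report.txt" followed by blanks, while both fixed renderings end in ".lnk". The check is deliberately about the label only: as the discussion notes, the extension itself must not be altered, because the attachment may be a legitimate executable the user wants.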
a=me for 1.1.3 given this gets positive reviews.
Whiteboard: [sg:spoof][approval‑seamonkey1.1.3?] → [sg:spoof][approval‑seamonkey1.1.3+]
Attachment #271260 - Flags: superreview?(neil)
Attachment #271260 - Flags: superreview+
Attachment #271260 - Flags: review?(neil)
Attachment #271260 - Flags: review+
Comment on attachment 271260 [details] [diff] [review]
SeaMonkey patch

Landed on trunk and MOZILLA_1_8_BRANCH without the superfluous regexp's g flag.
As David pointed out in bug 386855, we need to correct the File->Attachments menu also: you could choose "Open" and have it configured to automatically launch an application...
Attachment #271708 - Flags: superreview?(neil)
Attachment #271708 - Flags: review?(neil)
Comment on attachment 271708 [details] [diff] [review]
also fix SM's attachment menu

a=me for 1.1.3 given it passes review (per IRC request)
Attachment #271708 - Flags: superreview?(neil)
Attachment #271708 - Flags: superreview+
Attachment #271708 - Flags: review?(neil)
Attachment #271708 - Flags: review+
Comment on attachment 271708 [details] [diff] [review]
also fix SM's attachment menu

Landed on trunk and MOZILLA_1_8_BRANCH.
Flags: blocking-aviary1.0.9?