specific security issue with user profiles - easy exploit

RESOLVED INVALID

13 years ago
13 years ago

People

(Reporter: powers.jason, Assigned: dveditz)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Description (Reporter)

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: http://download.mozilla.org/?product=thunderbird-1.0.6&os=win&lang=en-US

I bet I'm not the first to find this, but it's a pretty big hole and I'm maybe
not searching the archive right, I dug around a bit and saw nothing, so I'm
going to file it to you anyway to make sure. It is not my intention to waste
your time with this, but I am marking it a Security Issue below.

I have a 150 PC LAN, Win2k Pro, users are all User accounts, not Power Users
(they have no access to anything, really). The machines all run Thunderbird for
their email client. The server's Cyrus-Imap with TLS, no nested folders. The
users tend to save their passwords so that they can log into their windows
account, open thunderbird and the email pops up without them typing their
passwords again. Thunderbird Profiles are saved in the default location:
Documents and Settings/username/Application Data/Mozilla Thunderbird.

We had a user go out on unannounced sabbatical, which is a rare thing here, then
he went AWOL. He is the only person who receives time-sensitive emails on a
certain subject, so I was asked to give his email to his supervisor. I can't do
this on the server anymore, it's locked down now, so:

Grasping at straws, I logged into the machine as Administrator and copied the
user's entire Documents and Settings/username/Application Data/Mozilla
Thunderbird/... directory over the Administrator's same directory, then opened
Thunderbird as the Administrator... it loaded his mail! All of it. I got all of
his local and remote folders, Inbox, I can send and receive, etc. This is what I
needed in this circumstance so I'm happy, but it occurs to me that if other
organizations are set up this way then it would be easy to run an Outlook-style
exploit on the network: typical SMB worm through windows shares, copies all of
these profiles into Admin, runs thunderbird to check their mail, farms all of
the email addys, uses the machine as a spambox.

I understand this 'security hole' has more to do with Windows' retardation than
your program, however I put this bug report here because it would be easier for
you to protect users against it than MS. As part of the encoded data in the
profile, include the present full folder location (C:\Documents and
Settings\username\Application Data\Mozilla Thunderbird\etc.etc.etc.), then
'lose' the saved password if the application triggers the profile, but the
location doesn't match. You don't have to lose anything but that saved password.
An honest user will reenter their password once to save it again, a sneaky
admin-type like me won't have the password so I'll have to get it the proper way.

There are a TON of hospitals and medical facilities like ours adopting
Thunderbird to protect themselves right now, they are NOT good at the kind of
packet shaping or message filtering that a company would have to do to protect
itself (in fact we are barred by regulation from filtering email on the way in,
which means without educated users we are very vulnerable), and they have a ton
of bandwidth, so an infection here could cause considerable harm to the net at
large.

I understand the conditions for this are very precise, but if they exist in
other places they are very, very exploitable. I am about to begin testing it
under WinXP and on a few other machines to verify. It's worked 3 times so far on
computers in that same department.

Reproducible: Always

Steps to Reproduce:
1. User saves password in Thunderbird.
2. Log into the user's PC as Administrator.
3. Copy their entire 'Application Data\Mozilla Thunderbird' profile over the
Administrator's.
4. Open Thunderbird as Administrator and read user's email, copy folders, send
email as user, etc.

Actual Results:
Thunderbird in Administrator login behaves like it was the user's Thunderbird,
sends mail as user, checks user's mail.

Expected Results:
It should have noticed it was stored in a different place, and then denied
access or at least requested re-entry of the password.

Haven't tested it with Mozilla regular or Netscape, don't plan to. This
'bug/security hole/exploit' benefitted me here, but I run a pretty limited
network for some limited users, sharper users could read each other's email,
masquerade as them, or run VB Scripts against this problem.

Comment 1 (Reporter)

13 years ago
Guys I think we have a problem, I just reproduced this with a fresh install of
Thunderbird 1.0.6 on a machine and profile that didn't have any mozilla software
before. I have a clean install of Windows down the hall I can test it out on,
but so far this is coming up the same every time.

Comment 2

13 years ago
Thunderbird can't prevent administrators from seeing users' passwords and other
profile data.
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
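
An added sketch (not part of the bug thread and not Thunderbird's code) of the path-binding idea from the description and of the point in Comment 2: a check enforced by the client does not protect data that anyone with file access can read directly, while a key derived from something the user types protects the copied file at rest. The record formats, function names and passphrase scheme are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

# Constructed record formats for illustration; not Thunderbird's storage format.
def save_path_bound(profile_dir, password):
    # Proposal from the report: store the profile location beside the password.
    return {"bound_path": profile_dir,
            "password": base64.b64encode(password.encode()).decode()}

def load_path_bound(record, current_dir):
    # The client drops the saved password when the profile has moved.
    if record["bound_path"] != current_dir:
        return None
    return base64.b64decode(record["password"]).decode()

def read_without_client(record):
    # The check lives in the client; the file itself still holds the secret.
    return base64.b64decode(record["password"]).decode()

def _keys(passphrase, salt, n):
    # Stretch a secret the user types; it is never written to the profile.
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                             100_000, dklen=n + 32)
    return dk[:n], dk[n:]

def save_user_bound(passphrase, password):
    # XOR keystream + HMAC stands in for real authenticated encryption.
    salt, data = os.urandom(16), password.encode()
    stream, mac_key = _keys(passphrase, salt, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def load_user_bound(record, passphrase):
    stream, mac_key = _keys(passphrase, record["salt"], len(record["ct"]))
    want = hmac.new(mac_key, record["salt"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, record["tag"]):
        return None  # wrong passphrase or modified record
    return bytes(a ^ b for a, b in zip(record["ct"], stream)).decode()

if __name__ == "__main__":
    user_dir = r"C:\Documents and Settings\username\Application Data\Mozilla Thunderbird"
    admin_dir = r"C:\Documents and Settings\Administrator\Application Data\Mozilla Thunderbird"
    rec = save_path_bound(user_dir, "imap-secret")
    print(load_path_bound(rec, admin_dir))   # copied profile: client refuses
    print(read_without_client(rec))          # file reader: still recoverable
    enc = save_user_bound("typed by user", "imap-secret")
    print(load_user_bound(enc, "guess"))     # no passphrase: nothing recovered
```

The second scheme only covers the stored file; it says nothing about an administrator acting on a machine while the user is logged in and has typed the passphrase.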