Cross-application scripting vulnerability in SeaMonkey

RESOLVED FIXED

Status

SeaMonkey
Security
--
critical
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: Thor Larholm, Assigned: neil@parkwaycc.co.uk)

Tracking

({fixed-seamonkey1.1.4, fixed-seamonkey1.1.5})

1.8 Branch
x86
Windows XP
fixed-seamonkey1.1.4, fixed-seamonkey1.1.5
Bug Flags:
blocking-seamonkey1.1.4 +

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment, 1 obsolete attachment)

2.47 KB, patch
Ian Neal
: review+
jag (Peter Annema)
: superreview+
(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070716 SeaMonkey/1.1.3

Firefox 2.0.0.5 and Thunderbird 2.0.0.5 included a command line argument called -osint which aims to prevent malicious argument injection through URL protocol handler abuse. 

SeaMonkey does not check the -osint argument. As such, it is possible to open the SeaMonkey suite from other browsers and specify arbitrary command line arguments, such as the -chrome argument.

The proof-of-concept exploit uses the mailto: URL protocol handler to open the Mail component of SeaMonkey.

This is similar to the vulnerability in http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/



Reproducible: Always

Steps to Reproduce:
1. Close any running SeaMonkey.exe instances
2. Open http://larholm.com/vuln/seamonkeymailto.html in Internet Explorer
3. SeaMonkey shows the alert
(Reporter)

Comment 1

10 years ago
I didn't check the "security sensitive" flag on this report as it has already been detailed at http://larholm.com/2007/07/23/seamonkey-suite-affected-by-url-vulnerability/

Cheers
(Assignee)

Updated

10 years ago
Depends on: 384384

Comment 2

10 years ago
Checking the flag is still good -- it sends extra mail about the bug and we can always uncheck it. I didn't see this bug until well after I saw your blog post and started alerting people.

-> mcsmurf per folks on #seamonkey
Assignee: dveditz → bugzilla
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → SeaMonkey 1.1 Branch

Updated

10 years ago
Version: SeaMonkey 1.1 Branch → unspecified

Updated

10 years ago
Version: unspecified → 1.8 Branch

Updated

10 years ago
Flags: blocking-seamonkey1.1.4?

Comment 3

10 years ago
I tried to reproduce this with Gecko/20070716 SeaMonkey/1.1.3 and Windows XP SP2.

I closed SeaMonkey and opened the above testcase in Internet Explorer 7. SeaMonkey started with a new mail compose window showing the following address:

me@nowhere.com -chrome "javascript:alert(1)"

So the -chrome argument became part of the mail address.

I also tried the same from the command line, using seamonkey.exe -compose me@nowhere.com -chrome "javascript:alert(1)"

Now I got a mail compose window and the alert box. What was different was that I wasn't able to close SeaMonkey. Clicking on close removed the mail compose window but the process remained.

In my registry HKCR\mailto\shell\command contains this entry:

C:\PROGRA~1\MOZILLA.ORG\SEAMON~1\SEAMON~1.EXE -compose %1

So I can't reproduce it with my system config.

Comment 4

10 years ago
I can confirm on my WinXP SP2 laptop that using the testcase in the URL of this bug in IE7, SeaMonkey 1.1.3 comes up with only a compose window with even the -chrome in the To: line. No javascript alert, no vulnerability detected.

Can someone test this with IE6, maybe it behaves differently in this case. Else, I'm tempted to claim that this bug does not exist in SeaMonkey 1.1.3 (branch).
(Reporter)

Comment 5

10 years ago
I have tested this with IE6 and SeaMonkey 1.1.3 on Windows XP SP2 and can confirm that I get the alert.
(Assignee)

Comment 6

10 years ago
Created attachment 274081 [details] [diff] [review]
Branch patch
Attachment #274081 - Flags: superreview?(jag)
Attachment #274081 - Flags: review?(cst)

Comment 7

10 years ago
Comment on attachment 274081 [details] [diff] [review]
Branch patch

I don't understand this.
Attachment #274081 - Flags: review?(cst)
(Assignee)

Updated

10 years ago
Attachment #274081 - Flags: review?(iann_bugzilla)

Comment 8

10 years ago
Comment on attachment 274081 [details] [diff] [review]
Branch patch

Let's make this a bit simpler:

#ifdef XP_WIN32
if (argc > 1 && !strcmp(argv[1], "-osint")) {
  if (argc > 4 || argc > 2 && argv[2][0] != '-' && argv[2][0] != '/')
    return 1;
}
#endif

or as Neil suggested:

#ifdef XP_WIN32
if (argc > 4 && !strcmp(argv[1], "-osint")) 
  return 1;
#endif

since we only have to worry about those cases where we ourselves put -osint on the command line, so we know it'll be followed by a '-' or '/'.
Attachment #274081 - Flags: superreview?(jag) → superreview-
(Assignee)

Comment 9

10 years ago
Created attachment 274206 [details] [diff] [review]
Simplified patch

We can probably assume that -osint is only going to be passed by applications launching us via the registry entries, so we don't have to do extensive checking but can simply test that we're not seeing unexpected numbers of arguments.
Assignee: bugzilla → neil
Attachment #274081 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #274206 - Flags: superreview?(jag)
Attachment #274206 - Flags: review?(iann_bugzilla)
Attachment #274081 - Flags: review?(iann_bugzilla)
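The two argument-count checks proposed in comment 8, and the reasoning in comment 9 about why the simple one is enough, as an added stand-alone example. This is not the attached patch and not SeaMonkey's code; the function names, the `-extra value` argument pair and the sample command lines are constructed for the example. It models the Windows case where SeaMonkey's own registry entries launch it as `seamonkey.exe -osint <flag> <url>`, so a well-formed `-osint` command line has at most four argv entries and argv[2] is a switch; anything beyond that can only have come from the URL being split into further arguments and is refused.

```c
#include <stdio.h>
#include <string.h>

/* Stricter variant (first snippet in comment 8).
 * Returns 1 if the launch must be refused, 0 if it is acceptable.
 * In SeaMonkey this would sit under #ifdef XP_WIN32; the example omits
 * the guard so it compiles anywhere. */
int osint_reject_strict(int argc, const char *argv[])
{
    if (argc > 1 && strcmp(argv[1], "-osint") == 0) {
        if (argc > 4)
            return 1;                               /* too many arguments */
        if (argc > 2 && argv[2][0] != '-' && argv[2][0] != '/')
            return 1;                               /* argv[2] is not a switch */
    }
    return 0;
}

/* Simpler variant (Neil's suggestion, the shape the simplified patch took):
 * only the argument count is checked, because -osint is only ever placed on
 * the command line by SeaMonkey's own registry entries, which always follow
 * it with a switch and a single URL argument. */
int osint_reject_simple(int argc, const char *argv[])
{
    if (argc > 4 && strcmp(argv[1], "-osint") == 0)
        return 1;
    return 0;
}

/* Constructed sample command lines (NULL-terminated argv arrays). */
static const char *ok_launch[] = {
    "seamonkey.exe", "-osint", "-compose", "mailto:me@nowhere.com", NULL };
/* The same launch with an extra argument pair appended; "-extra" and
 * "value" are placeholders standing in for anything a split URL adds. */
static const char *too_many[] = {
    "seamonkey.exe", "-osint", "-compose", "mailto:me@nowhere.com",
    "-extra", "value", NULL };
/* A direct launch without -osint is outside the scope of both checks. */
static const char *no_osint[] = {
    "seamonkey.exe", "-compose", "me@nowhere.com", "-extra", "value", NULL };

static int count_args(const char *argv[])
{
    int n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* Wrappers so each sample can be checked by name. */
int strict_on(const char *argv[]) { return osint_reject_strict(count_args(argv), argv); }
int simple_on(const char *argv[]) { return osint_reject_simple(count_args(argv), argv); }

int main(void)
{
    printf("ok_launch: strict=%d simple=%d\n", strict_on(ok_launch), simple_on(ok_launch));
    printf("too_many:  strict=%d simple=%d\n", strict_on(too_many), simple_on(too_many));
    printf("no_osint:  strict=%d simple=%d\n", strict_on(no_osint), simple_on(no_osint));
    return 0;
}
```

Both variants agree on the three samples: the well-formed registry launch is accepted, the launch with arguments beyond the fourth is refused, and a command line typed by the user without `-osint` is left alone, since the check only exists to catch arguments that arrive through the protocol-handler path.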

Updated

10 years ago
Attachment #274206 - Flags: superreview?(jag) → superreview+

Updated

10 years ago
Flags: blocking-seamonkey1.1.4? → blocking-seamonkey1.1.4+

Comment 10

10 years ago
Comment on attachment 274206 [details] [diff] [review]
Simplified patch

Once this has proper reviews (I hope this is very soon, we should really get 1.1.4 out the door), please check this in to both MOZILLA_1_8_BRANCH (1.1.5) and GECKO181_20070712_RELBRANCH (1.1.4)
Attachment #274206 - Flags: approval-seamonkey1.1.5+
Attachment #274206 - Flags: approval-seamonkey1.1.4+

Comment 11

10 years ago
Comment on attachment 274206 [details] [diff] [review]
Simplified patch

r=me
Attachment #274206 - Flags: review?(iann_bugzilla) → review+
(Assignee)

Comment 12

10 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Keywords: fixed-seamonkey1.1.4, fixed-seamonkey1.1.5
Resolution: --- → FIXED