Closed Bug 403242 Opened 17 years ago Closed 13 years ago

Executes arbitrary commands on NNTP server after receiving a badly formatted article

Categories: MailNews Core :: Networking: NNTP (type: defect, priority: Not set, severity: normal)
Tracking: blocking-thunderbird3.1 -
Status: RESOLVED FIXED
People: Reporter: memfis, Unassigned
Whiteboard: [sg:moderate]
Attachments: 1 file

User-Agent:       Opera/9.23 (Windows NT 6.0; U; en)
Build Identifier: 2.0.0.6 (20070728)

While writing an NNTP server as part of my CS studies I came across what I think is a bug in Thunderbird's handling of downloaded articles. There is probably something untypical or maybe even contradictory to the NNTP RFC that I am doing in my server that causes the behaviour, but nevertheless I don't think that Thunderbird should ever execute parts of an article on the remote server as commands, even if the article is corrupted.

Reproducible: Always

Steps to Reproduce:
Act as an NNTP server and reproduce a session like the one attached.
Actual Results:  
Thunderbird first issues a GROUP <Message-ID> command (absolutely no sense in doing that) and then a command equal to a mix of Content-Type and Content-Disposition MIME part headers (possibly dangerous and exploitable).

Expected Results:  
The article should be parsed correctly or marked as corrupted if it is not conforming to the NNTP RFC.

This is an excerpt from an example of an erroneous session:

GROUP 89550684-f0df-4e9a-aea6-07645e238dd2
411 No such newsgroup
plain&filename=Test.txt
500 Unknown command
QUIT
205 Connection closing

Please see the attachment for the complete session transcript.
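The report above describes two distinct failures: a Message-ID being sent as the argument of GROUP, and a fragment of a MIME header ("plain&filename=Test.txt") being sent as a command of its own. The following is an added example, not code from this bug or from Thunderbird, showing the client-side guard that prevents both: every outgoing NNTP line passes through one builder that allowlists verbs and validates arguments, fetching by Message-ID always maps to ARTICLE, and a small auditor replays the client half of the quoted session through that builder to flag what a well-behaved client would have refused to send. The transcript, the verb list and the UUID heuristic for "this GROUP argument is really a Message-ID" are all constructed for the example.

```python
import re

# Constructed transcript modelled on the excerpt quoted in this bug
# ("C:" = client, "S:" = server); not a real capture.
SESSION = """\
C: GROUP 89550684-f0df-4e9a-aea6-07645e238dd2
S: 411 No such newsgroup
C: plain&filename=Test.txt
S: 500 Unknown command
C: QUIT
S: 205 Connection closing
"""

# Verbs an article-reading client legitimately sends (subset of RFC 3977).
ALLOWED_VERBS = {"ARTICLE", "HEAD", "BODY", "STAT", "GROUP", "LISTGROUP",
                 "LIST", "OVER", "XOVER", "MODE", "AUTHINFO", "QUIT"}

GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+_-]*$")
MSGID_RE = re.compile(r"^<[^<>\s]+>$")  # framing only; RFC 5536 also requires an '@'
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_command(verb, *args):
    """Return one CRLF-terminated NNTP command line, or raise ValueError.

    This is the single choke point through which anything reaches the
    socket, so text lifted from an article body or a MIME header can
    never be emitted as a command by accident.
    """
    verb = verb.upper()
    if verb not in ALLOWED_VERBS:
        raise ValueError(f"refusing to send unknown verb {verb!r}")
    for arg in args:
        if not arg or any(ch in arg for ch in "\r\n") or not arg.isprintable():
            raise ValueError(f"argument is empty or contains control characters: {arg!r}")
    if verb == "GROUP" and (len(args) != 1 or not GROUP_NAME_RE.match(args[0])):
        raise ValueError(f"GROUP takes exactly one newsgroup name, got {args!r}")
    if verb in {"ARTICLE", "HEAD", "BODY", "STAT"} and args:
        if len(args) != 1 or not (args[0].isdigit() or MSGID_RE.match(args[0])):
            raise ValueError(f"{verb} takes an article number or <message-id>, got {args!r}")
    return " ".join((verb,) + args) + "\r\n"


def fetch_by_message_id_command(message_id):
    """Fetching by Message-ID is ARTICLE <id>; GROUP is never the right verb."""
    mid = message_id if message_id.startswith("<") else f"<{message_id}>"
    return build_command("ARTICLE", mid)


def audit_session(transcript):
    """Replay the client side of a transcript through build_command and
    report every line a well-behaved client would have refused to send."""
    findings = []
    for lineno, line in enumerate(transcript.splitlines(), 1):
        if not line.startswith("C: "):
            continue
        parts = line[3:].split()
        try:
            build_command(*parts)
        except ValueError as exc:
            findings.append((lineno, line[3:], str(exc)))
            continue
        # Heuristic (constructed for this example): a GROUP argument shaped
        # like a UUID or containing '@' is a mis-parsed Message-ID, not a group.
        if parts[0].upper() == "GROUP" and (UUID_RE.match(parts[1]) or "@" in parts[1]):
            findings.append((lineno, line[3:], "GROUP argument looks like a Message-ID"))
    return findings


if __name__ == "__main__":
    for lineno, sent, why in audit_session(SESSION):
        print(f"line {lineno}: {sent!r}: {why}")
    print(fetch_by_message_id_command("89550684-f0df-4e9a-aea6-07645e238dd2").rstrip())
```

Run against the constructed transcript, the auditor reports line 1 (GROUP with a Message-ID-shaped argument) and line 3 (an unknown verb assembled from MIME header text), while QUIT passes; the builder also rejects any argument carrying CR or LF, so a crafted header can't smuggle a second command onto the wire.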
Version: unspecified → 2.0
Assignee: dveditz → bienvenu
Whiteboard: [sg:investigate]
Ah, OK, I see what's going on now. It looks like this is what's happening:

1. We try to get the message with message id <invalid message id>
2. The parser thinks it's a group from the message id
3. Somehow, the latter part is getting leaked.

Marcin, can you post an NNTP log from Thunderbird? I have a theory as to what's going on, I just need to confirm it.
Assignee: bienvenu → nobody
Status: UNCONFIRMED → NEW
Component: Security → Networking: News
Ever confirmed: true
OS: Windows Vista → All
Product: Thunderbird → Core
QA Contact: thunderbird → networking.news
Hardware: PC → All
Version: 2.0 → unspecified
Product: Core → MailNews Core
blocking-thunderbird3.1: --- → ?
Whiteboard: [sg:investigate] → [sg:moderate]
I'd love to see this bug in 3.1, but unless we have reason to believe it's being actively exploited, I don't think we'd hold for it.

Marcin, if you could post the log that Joshua requested, that would enhance the chances of this bug making the release.
blocking-thunderbird3.1: ? → -
Flags: wanted-thunderbird+
For what it's worth, this will be fixed by bug 226890, part 4 I think.
Depends on: 226890
The patch that fixed this was checked in some time ago; I don't know why I forgot to resolve this as fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED