Open
Bug 684035
Opened 13 years ago
Updated 2 years ago
Saving attachment from X-Mozilla-External-Attachment-URL presents no dialog before downloading URL
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
NEW
People
(Reporter: bsterne, Unassigned)
Details
(Keywords: privacy)
tagnaq reported this issue to security@m.o. The issue is that when saving an attachment sent with X-Mozilla-External-Attachment-URL, we automatically fetch the URL in the default browser. This could be used, for example, to de-anonymize a user if the email client was using Tor but the browser wasn't. We could put up a dialog before fetching the URL confirming that's what the user wants.

PoC:
========================
MIME-Version: 1.0
Date: ...
From: ...
To: ...
Subject: ...
Content-Transfer-Encoding: 8bit
Content-Type: multipart/mixed; boundary="------------1237"

--------------1237
Content-Type: text/plain; name="foo.txt"
X-Mozilla-External-Attachment-URL: http://www.example.com/foo.txt
Content-Disposition: attachment; filename="foo.txt"

--------------1237--
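The header described above is easy to spot at the mail-filtering or triage stage, before a user ever clicks "Save as...". The following Python script is an added example, not part of the bug report and not Thunderbird's own code: it walks a MIME message, lists every part that carries X-Mozilla-External-Attachment-URL, and flags http/https targets as remote, since those are the ones where saving the attachment makes the default browser (with the browser's proxy settings, not Thunderbird's) fetch the file. The sample messages are constructed, modelled on the PoC above with placeholder addresses; the file: variant is an assumption about what a locally detached attachment would look like and is reported but not flagged as remote.

```python
"""Triage helper: list MIME parts whose body Thunderbird would fetch from a
URL named in X-Mozilla-External-Attachment-URL instead of from the message.

Example code added for illustration; it is not part of the bug report and
not Thunderbird's own code.
"""
import email
from email import policy
from urllib.parse import urlparse

EXTERNAL_HEADER = "X-Mozilla-External-Attachment-URL"

# Constructed sample, modelled on the PoC in the bug report (placeholder
# addresses; the attachment part has no body because it "lives" at the URL).
SAMPLE_REMOTE = """\
MIME-Version: 1.0
From: sender@example.invalid
To: recipient@example.invalid
Subject: external attachment sample
Content-Transfer-Encoding: 8bit
Content-Type: multipart/mixed; boundary="------------1237"

--------------1237
Content-Type: text/plain; charset=UTF-8

See attached.

--------------1237
Content-Type: text/plain; name="foo.txt"
X-Mozilla-External-Attachment-URL: http://www.example.com/foo.txt
Content-Disposition: attachment; filename="foo.txt"

--------------1237--
"""

# Constructed sample with a file: target. Assumption: this is the shape a
# locally detached attachment would take; not verified against Thunderbird.
SAMPLE_LOCAL = SAMPLE_REMOTE.replace(
    "http://www.example.com/foo.txt", "file:///home/user/Detached/foo.txt"
)

# Constructed sample with an ordinary inline attachment and no external URL.
SAMPLE_PLAIN = """\
MIME-Version: 1.0
From: sender@example.invalid
To: recipient@example.invalid
Subject: ordinary attachment sample
Content-Type: multipart/mixed; boundary="------------4242"

--------------4242
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just a normal attachment
--------------4242--
"""


def find_external_attachments(raw_message):
    """Return one dict per MIME part that carries the external-URL header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        url = part.get(EXTERNAL_HEADER)
        if url is None:
            continue
        url = str(url).strip()
        parsed = urlparse(url)
        scheme = parsed.scheme.lower()
        findings.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "url": url,
            "scheme": scheme,
            "host": parsed.hostname,
            # http/https targets are the privacy-relevant case: "Save as..."
            # hands the URL to the default browser, which fetches it with the
            # browser's network/proxy configuration rather than the mail client's.
            "remote": scheme in ("http", "https"),
        })
    return findings


def report(raw_message):
    """One human-readable line per finding, remote targets marked loudly."""
    lines = []
    for f in find_external_attachments(raw_message):
        tag = "REMOTE" if f["remote"] else "local "
        lines.append(f"[{tag}] {f['filename']} ({f['content_type']}) -> {f['url']}")
    return lines


if __name__ == "__main__":
    for name, sample in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL),
                         ("plain", SAMPLE_PLAIN)):
        print(f"== {name} ==")
        for line in report(sample) or ["(no external attachments)"]:
            print(line)
```

Run as a script it prints one report per sample; in a mail gateway or mailbox audit you would feed it each raw message and quarantine or annotate anything that comes back flagged REMOTE, which is exactly the class of message the bug report is about.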
I'm adding the email conversation between security@m.o and me (starting in June 2011) here:

-----------------------------------------------------------------------------
Message-ID: <4E0BD901.8030802@gmail.com>
Date: Thu, 30 Jun 2011 04:01:37 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org>
In-Reply-To: <4E0A318A.50901@mozilla.org>
Content-Type: multipart/mixed; boundary="------------070808080908070708060807"

This is a multi-part message in MIME format.
--------------070808080908070708060807
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hi Brandon,

I'm sorry for the delay.

> > I
> > tested with a variety of file types and was not able to observe the
> > behavior you are describing, so I will wait to hear back from you with
> > additional details.

I'm sending you a PoC to reproduce the behaviour. Actually it is very simple, but not only the email content matters. The server needs to send the correct headers/response too (redirect) - which is not a problem for an attacker anyway.

The PoC is not harmful, it uses the target url: http://www.example.com/foo.txt which will open firefox with http://www.iana.org/domains/example/ (The domain/webserver is not controlled by me..)

The PoC includes Content-Type: Content-Disposition: header fields but their values are not important image/png, application/pdf, etc. would also do it.

If you are having problems to reproduce it, let me know, I can also send you an email with the deployed PoC in it - if you explicitly wish.

This email contains an attachment, which is not related to this bug but it contains just my public GPG key - please use it for encrypting your replies. (actually that would make a perfect social engineering attack to trick a user into 'Save as...' ;)

Please let me know in case you are allocating a CVE for this one.

PoC:
========================
MIME-Version: 1.0
Date: ...
From: ...
To: ...
Subject: ...
Content-Transfer-Encoding: 8bit
Content-Type: multipart/mixed; boundary="------------1237"

--------------1237
Content-Type: text/plain; name="foo.txt"
X-Mozilla-External-Attachment-URL: http://www.example.com/foo.txt
Content-Disposition: attachment; filename="foo.txt"

--------------1237--
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E0C9A0F.5060407@mozilla.org>
Date: Thu, 30 Jun 2011 08:45:19 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com>
In-Reply-To: <4E0BD901.8030802@gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hello,

Thank you for your reply. I received the PoC, and we will investigate this issue right away. We will be back in touch with you as we determine the right course of action in terms of fixing this bug. Let me know if you have any questions in the meantime.

Regards,
Brandon Sterne
Mozilla Security Group
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E198987.2030200@gmail.com>
Date: Sun, 10 Jul 2011 13:14:15 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org>
In-Reply-To: <4E0C9A0F.5060407@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mozilla Security wrote:
> > Hello,
> >
> > Thank you for your reply. I received the PoC, and we will investigate
> > this issue right away. We will be back in touch with you as we
> > determine the right course of action in terms of fixing this bug. Let
> > me know if you have any questions in the meantime.

semi-mitigation via preferences change:

network.protocol-handler.warn-external.http = true
network.protocol-handler.warn-external.https = true

this will at least ask the user for confirmation before it will open firefox, but even with these changes the user is not informed that the file is remote.

btw: as you might have noticed already, this is not the only part where Thunderbird has problems with HTTP Redirects.

regards
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E1B19AB.90701@gmail.com>
Date: Mon, 11 Jul 2011 17:41:31 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org>
In-Reply-To: <4E0C9A0F.5060407@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mozilla Security wrote:
> > Hello,
> >
> > Thank you for your reply. I received the PoC, and we will investigate
> > this issue right away. We will be back in touch with you as we
> > determine the right course of action in terms of fixing this bug. Let
> > me know if you have any questions in the meantime.

A question about the general handling of the X-Mozilla-External-Attachment-URL header field (and the other X-Mozilla... headers): Is that a remote feature by design or is that supposed to be set by Thunderbird locally only?

thanks.
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E5EAF6A.5050005@gmail.com>
Date: Thu, 01 Sep 2011 00:02:18 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org>
In-Reply-To: <4E0C9A0F.5060407@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 06/30/2011 05:45 PM, Mozilla Security wrote:
> > Hello,
> >
> > Thank you for your reply. I received the PoC, and we will investigate
> > this issue right away. We will be back in touch with you as we
> > determine the right course of action in terms of fixing this bug. Let
> > me know if you have any questions in the meantime.
> >
> > Regards,
> >
> > Brandon Sterne
> > Mozilla Security Group

Hi,

after having a look at Thunderbird 7.0b1 I suppose a fix was committed. I haven't heard from you since June. Did I miss an email?

The release notes [1] mention "Several fixes to attachment handling". Can you confirm that 7.0b1 contains a fix?

thanks!

[1] https://www.mozilla.org/en-US/thunderbird/7.0beta/releasenotes/
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E5EB901.3010108@mozilla.org>
Date: Wed, 31 Aug 2011 15:43:13 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com>
In-Reply-To: <4E5EAF6A.5050005@gmail.com>
X-Enigmail-Version: 1.3.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello,

Here is what I sent you about 15 minutes after the first response:

On 06/30/2011 08:58 AM, Mozilla Security wrote:
> > Hello again,
> >
> > As I'm reading through your PoC, I believe the risk of the issue
> > you are reporting is lower than I originally thought, and I want to
> > make sure I'm not missing some aspect of the issue.
> >
> > If I understand it correctly, the
> > X-Mozilla-External-Attachment-URL header is used to cause the "Save
> > As..." action to open the URL in the default browser, *not* to open
> > the file using the operating system's default application for that
> > type of file. This is an important distinction, as Firefox and
> > other browsers are set up to take "safe" actions with the remote
> > content based on what type of file it is. In your example, Firefox
> > will display the contents of a text file, as that action is not
> > considered harmful. If it were an executable, however, we would
> > not allow the user to open it directly, but instead would only give
> > them the option of saving it locally.
> >
> > Let me know if I have misunderstood the issue. I want to make sure
> > I understand it before I file any bugs in our bug database.
> >
> > Regards,
> >
> > Brandon Sterne
> > Mozilla Security Group

I hope my question was clear. I don't believe the "fixes to attachment handling" that you referred to in the release notes are related to the issue you reported. Let me know if you have any questions.

Regards,
--
Brandon Sterne
Mozilla Security Group
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E5F41B2.5040304@gmail.com>
Date: Thu, 01 Sep 2011 10:26:26 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org>
In-Reply-To: <4E5EB901.3010108@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hello,

thank you for your prompt answer.

On 09/01/2011 12:43 AM, Mozilla Security wrote:
> > Here is what I sent you about 15 minutes after the first response:

To which email address was this sent? (unfortunately I never received it)

> > On 06/30/2011 08:58 AM, Mozilla Security wrote:
>> >> Hello again,
> >
>> >> As I'm reading through your PoC, I believe the risk of the issue
>> >> you are reporting is lower than I originally thought, and I want to
>> >> make sure I'm not missing some aspect of the issue.
> >
>> >> If I understand it correctly, the
>> >> X-Mozilla-External-Attachment-URL header is used to cause the "Save
>> >> As..." action to open the URL in the default browser, *not* to open
>> >> the file using the operating system's default application for that
>> >> type of file.

You understood the bug correctly.

>> >> Let me know if I have misunderstood the issue. I want to make sure
>> >> I understand it before I file any bugs in our bug database.

Please let me know if there is an entry in bugzilla for this bug.

> > I hope my question was clear. I don't believe the "fixes to
> > attachment handling" that you referred to in the release notes are
> > related to the issue you reported. Let me know if you have any questions.

That is interesting because the original PoC as it was, is not working anymore with TB 7.0b1 :)

kind regards!
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E5FB91E.6080306@mozilla.org>
Date: Thu, 01 Sep 2011 09:55:58 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com>
In-Reply-To: <4E5F41B2.5040304@gmail.com>
X-Enigmail-Version: 1.3.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/1/11 1:26 AM, tagnaq wrote:
> Hello,
>
> thank you for your prompt answer.
>
> On 09/01/2011 12:43 AM, Mozilla Security wrote:
>> Here is what I sent you about 15 minutes after the first
>> response:
>
> To which email address was this sent? (unfortunately I never
> received it)

Sorry for the mixup. It does appear that I sent that email to the Mozilla Security address twice, rather than copying you.

>> On 06/30/2011 08:58 AM, Mozilla Security wrote:
>>> Hello again,
>>
>>> As I'm reading through your PoC, I believe the risk of the
>>> issue you are reporting is lower than I originally thought, and
>>> I want to make sure I'm not missing some aspect of the issue.
>>
>>> If I understand it correctly, the
>>> X-Mozilla-External-Attachment-URL header is used to cause the
>>> "Save As..." action to open the URL in the default browser,
>>> *not* to open the file using the operating system's default
>>> application for that type of file.
>
> You understood the bug correctly.

I'm glad to hear that.

>>> Let me know if I have misunderstood the issue. I want to make
>>> sure I understand it before I file any bugs in our bug
>>> database.
>
> Please let me know if there is an entry in bugzilla for this bug.

I never filed a Bugzilla ticket, as I didn't believe there was an actual exploit here. My opinion is that we have the correct behavior in prompting the user to save the file, and _only_ presenting that option when it is a "dangerous" file type.

>> I hope my question was clear. I don't believe the "fixes to
>> attachment handling" that you referred to in the release notes
>> are related to the issue you reported. Let me know if you have
>> any questions.
>
> That is interesting because the original PoC as it was, is not
> working anymore with TB 7.0b1 :)

How do you mean it is not working anymore? Do we no longer even present the download prompt?

> kind regards!

Thanks again for contacting us, and let me know if you have any other questions.

Regards,
Brandon Sterne
Mozilla Security Group
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOX7kdAAoJEBAMm4nfVaFGZ+YP+gI/ffH3A+G7NXuuEpQK+gRl
lXf4T6g8ziDCIYDg0NCo+z0i+Z3l1mYFzo1BqdyighAVYCJJrmeXRKz2BJz/Q3G+
y10toswyYq/RL3feFcKgOREPeyBqNi7TBGKazgfB6QBu6cBKCgfpP82DiY+arQYy
G6oH4gLqjz2Kw+QzrwMD3lzIow8m+bkGAnkRynOAhwNd278p5P8dvq66yqdYSvbu
hrUycXODHKHoBe/TTPqf4lujpQHlbn25LeWBHIUSp2bEDf5bmN+v0b9IosEtSu5B
AkrGBlvr11gVSit+OlfOmHXIP2mlczynm4Y8Xn/6d5+25oHN5USKpP9n4e80rzGb
hLzySBb9ySfLTa/zWPYuMc1XrNO3QRTrAnSQkYRagXX+kR4E9boSwP6vxdyphtWV
98WXlLNEAbSkb2HNFw9cKDsIcwTlbhQSDGrQFBLHUhjzhJlHBPhf86Qo4cgspeEH
aVNPKtBMulHevP3G3JNbv7A4NlwljRY8mgibkZgYFGaO5R0NE83Inx+/s31bnKV6
87oD5xefgvoED/TFgBb6UfVDaUVUsGC+qBJm+D8JV+UOZ1nUzqCr4qeUwVtmxw+W
7J2ScHMJj6YcHjAdR9p2vXG4kXzfOl92jhtm33oXrqshnbKwBhUnyePhZH/FUEwV
n9EQ1UMw31igGK8TjIwI
=vQ4y
-----END PGP SIGNATURE-----
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E5FE6DC.3010100@gmail.com>
Date: Thu, 01 Sep 2011 22:11:08 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com> <4E5FB91E.6080306@mozilla.org>
In-Reply-To: <4E5FB91E.6080306@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 09/01/2011 06:55 PM, Mozilla Security wrote:
> > Sorry for the mixup. It does appear that I sent that email to the
> > Mozilla Security address twice, rather than copying you.

Ok, that explains why I didn't receive that mail.

Was the answer to my mail from the 11th July (Message-ID: <4E1B19AB.90701@gmail.com>) also "lost" this way?

>> >> Please let me know if there is an entry in bugzilla for this bug.
> >
> > I never filed a Bugzilla ticket, as I didn't believe there was an
> > actual exploit here. My opinion is that we have the correct behavior
> > in prompting the user to save the file

The very nature of this bug is the missing prompt. After selecting "Save as..." I would expect Thunderbird to ask me for the location but Thunderbird immediately starts the browser instead (no prompt). I agree that one might say that this is not a security issue, but it is not expected behaviour and at least a bug in my opinion.

In my context - I analyzed Thunderbird in context with Tor - this bug allows an attacker to deanonymize its target - if the target tries to save an attachment.

..but after all 7.0b1 seems to fix the issue - or at least prevents the PoC from working (I haven't looked into the changes).

kind regards!

ps: please encrypt all your replies.
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E5FF2D6.9010206@mozilla.org>
Date: Thu, 01 Sep 2011 14:02:14 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com> <4E5FB91E.6080306@mozilla.org> <4E5FE6DC.3010100@gmail.com>
In-Reply-To: <4E5FE6DC.3010100@gmail.com>
X-Enigmail-Version: 1.3.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 9/1/11 1:11 PM, tagnaq wrote:
> > On 09/01/2011 06:55 PM, Mozilla Security wrote:
>> >> Sorry for the mixup. It does appear that I sent that email to
>> >> the Mozilla Security address twice, rather than copying you.
> >
> > Ok, that explains why I didn't receive that mail.
> >
> > Was the answer to my mail from the 11th July (Message-ID:
> > <4E1B19AB.90701@gmail.com>) also "lost" this way?

I do not have a message from you on that date nor any message from you with that Message-ID.

>>> >>> Please let me know if there is an entry in bugzilla for this
>>> >>> bug.
>> >>
>> >> I never filed a Bugzilla ticket, as I didn't believe there was
>> >> an actual exploit here. My opinion is that we have the correct
>> >> behavior in prompting the user to save the file
> >
> > The very nature of this bug is the missing prompt. After selecting
> > "Save as..." I would expect Thunderbird to ask me for the location
> > but Thunderbird immediately starts the browser instead (no
> > prompt). I agree that one might say that this is not a security
> > issue, but it is not expected behaviour and at least a bug in my
> > opinion.
> >
> > In my context - I analyzed Thunderbird in context with Tor - this
> > bug allows an attacker to deanonymize its target - if the target
> > tries to save an attachment.

Presumably, the request for the URL would go through the Tor proxy as well, right? Very well. I have filed a bug to track this issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=684035

I do not believe it needs to be hidden, as this is more of a privacy issue than a security exploit, plus having the bug be open will increase the probability that someone ultimately fixes it.

> > ..but after all 7.0b1 seems to fix the issue - or at least prevents
> > the PoC from working (I haven't looked into the changes).

I still don't have an answer there. Perhaps one of the developers who investigates the bug will know what changed.

> > kind regards!
> >
> > ps: please encrypt all your replies.

Thank you. I will for this and future replies.

Best regards,
Brandon Sterne
Mozilla Security Group
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Message-ID: <4E5FF554.6080102@gmail.com>
Date: Thu, 01 Sep 2011 23:12:52 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com> <4E5FB91E.6080306@mozilla.org> <4E5FE6DC.3010100@gmail.com> <4E5FF2D6.9010206@mozilla.org>
In-Reply-To: <4E5FF2D6.9010206@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 09/01/2011 11:02 PM, Mozilla Security wrote:
> > I do not have a message from you on that date nor any message from you
> > with that Message-ID.

I suppose you didn't get my email from 10th July either. Looks like we're having communication issues..

> > Presumably, the request for the URL would go through the Tor proxy as
> > well, right? Very well. I have filed a bug to track this issue:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=684035
> >
> > I do not believe it needs to be hidden, as this is more of a privacy
> > issue than a security exploit, plus having the bug be open will
> > increase the probability that someone ultimately fixes it.

Thanks for filing the bug. If you agree I'll add our email conversation to the bug.

kind regards!
reference: https://bitly.com/qDZm7C (PDF file - section: 4.1.4)
Updated 2 years ago: Severity: normal → S3