Open Bug 684035 Opened 13 years ago Updated 2 years ago

Saving attachment from X-Mozilla-External-Attachment-URL presents no dialog before downloading URL

Categories: Thunderbird :: Security, defect
Tracking: Not tracked
People: Reporter: bsterne, Unassigned
Details: Keywords: privacy

tagnaq reported this issue to security@m.o.  The issue is that when saving an attachment sent with X-Mozilla-External-Attachment-URL, we automatically fetch the URL in the default browser. This could be used, for example, to de-anonymize a user if the email client was using Tor but the browser wasn't.  We could put up a dialog before fetching the URL confirming that's what the user wants.

PoC:
========================
MIME-Version: 1.0
Date: ...
From: ...
To: ...
Subject: ...
Content-Transfer-Encoding: 8bit
Content-Type: multipart/mixed; boundary="------------1237"

--------------1237
Content-Type: text/plain; name="foo.txt"
X-Mozilla-External-Attachment-URL: http://www.example.com/foo.txt
Content-Disposition: attachment; filename="foo.txt"

--------------1237--
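The header handling described above, as an added example that is not part of the bug report or of Thunderbird's own code: a small Python check that parses a message shaped like the PoC and lists the attachment parts whose content is actually remote, which is the information the reporter wants shown before any URL is fetched. The sample message, `SAMPLE_MESSAGE`, and the function names are constructed for this example.

```python
# Added example (not Thunderbird code): find attachment parts that carry
# X-Mozilla-External-Attachment-URL, so a client can tell the user that
# "Save As..." would fetch a remote URL rather than write a local part.
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample, modelled on the PoC in this bug report.
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
From: sender@example.com
To: recipient@example.com
Subject: external attachment sample
Content-Transfer-Encoding: 8bit
Content-Type: multipart/mixed; boundary="------------1237"

--------------1237
Content-Type: text/plain; name="foo.txt"
X-Mozilla-External-Attachment-URL: http://www.example.com/foo.txt
Content-Disposition: attachment; filename="foo.txt"

--------------1237
Content-Type: text/plain; charset=UTF-8

This part is an ordinary inline body stored in the message itself.
--------------1237--
"""

EXTERNAL_HEADER = "X-Mozilla-External-Attachment-URL"


def external_attachments(raw_message):
    """Return (filename, url, host) for every non-multipart part whose data
    lives at a remote URL instead of inside the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        url = part.get(EXTERNAL_HEADER)
        if not url:
            continue
        # The reporter's complaint is that the user is never told the file
        # is remote: collect filename, URL and host so a dialog can show them.
        url = str(url).strip()
        filename = part.get_filename() or "(unnamed)"
        found.append((filename, url, urlparse(url).hostname))
    return found


def save_requires_confirmation(raw_message):
    """True when saving any attachment of this message would cause a
    network request, i.e. when a confirmation dialog should be shown."""
    return bool(external_attachments(raw_message))


if __name__ == "__main__":
    for name, url, host in external_attachments(SAMPLE_MESSAGE):
        print(f"'{name}' is not stored locally; saving it fetches {url} from {host}")
```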
I'm adding the email conversation between security@m.o and me (starting in June 2011) here:

-----------------------------------------------------------------------------
Message-ID: <4E0BD901.8030802@gmail.com>
Date: Thu, 30 Jun 2011 04:01:37 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org>
In-Reply-To: <4E0A318A.50901@mozilla.org>
Content-Type: multipart/mixed;
 boundary="------------070808080908070708060807"

This is a multi-part message in MIME format.
--------------070808080908070708060807
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit



Hi Brandon,

I'm sorry for the delay.

> > I
> > tested with a variety of file types and was not able to observe the
> > behavior you are describing, so I will wait to hear back from you with
> > additional details.
I'm sending you a PoC to reproduce the behaviour. Actually it is very
simple, but not only the email content matters. The server needs to send
the correct headers/response too (redirect) - which is not a problem for
an attacker anyway.

The PoC is not harmful, it uses the target url:
http://www.example.com/foo.txt
which will open firefox with http://www.iana.org/domains/example/
(The domain/webserver is not controlled by me..)

The PoC includes
Content-Type:
Content-Disposition:
header fields but their values are not important
image/png, application/pdf, etc. would also do it.

If you are having problems reproducing it, let me know,
I can also send you an email with the deployed PoC in it - if you
explicitly wish.

This email contains an attachment, which is not related to this bug but
it contains just my public GPG key - please use it for encrypting your
replies.
(actually that would make a perfect social engineering attack to trick a
user into 'Save as...' ;)

Please let me know in case you are allocating a CVE for this one.

PoC:
========================
MIME-Version: 1.0
Date: ...
From: ...
To: ...
Subject: ...
Content-Transfer-Encoding: 8bit
Content-Type: multipart/mixed;
 boundary="------------1237"

--------------1237
Content-Type: text/plain; name="foo.txt"
X-Mozilla-External-Attachment-URL: http://www.example.com/foo.txt
Content-Disposition: attachment; filename="foo.txt"

--------------1237--



-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E0C9A0F.5060407@mozilla.org>
Date: Thu, 30 Jun 2011 08:45:19 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com>
In-Reply-To: <4E0BD901.8030802@gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


Hello,

Thank you for your reply.  I received the PoC, and we will investigate
this issue right away.  We will be back in touch with you as we
determine the right course of action in terms of fixing this bug.  Let
me know if you have any questions in the meantime.

Regards,

Brandon Sterne
Mozilla Security Group

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E198987.2030200@gmail.com>
Date: Sun, 10 Jul 2011 13:14:15 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org>
In-Reply-To: <4E0C9A0F.5060407@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


Mozilla Security wrote:
> > Hello,
> > 
> > Thank you for your reply.  I received the PoC, and we will investigate
> > this issue right away.  We will be back in touch with you as we
> > determine the right course of action in terms of fixing this bug.  Let
> > me know if you have any questions in the meantime.
semi-mitigation via preferences change:
network.protocol-handler.warn-external.http = true
network.protocol-handler.warn-external.https = true

this will at least ask the user for confirmation before it will open
firefox, but even with these changes the user is not informed that the
file is remote.

btw: as you might have noticed already, this is not the only part where
Thunderbird has problems with HTTP Redirects.

regards



-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E1B19AB.90701@gmail.com>
Date: Mon, 11 Jul 2011 17:41:31 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org>
In-Reply-To: <4E0C9A0F.5060407@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


Mozilla Security wrote:
> > Hello,
> > 
> > Thank you for your reply.  I received the PoC, and we will investigate
> > this issue right away.  We will be back in touch with you as we
> > determine the right course of action in terms of fixing this bug.  Let
> > me know if you have any questions in the meantime.
A question about the general handling of the
X-Mozilla-External-Attachment-URL header field (and the other
X-Mozilla... headers)
Is that a remote feature by design or is that supposed to be set by
Thunderbird locally only?

thanks.

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E5EAF6A.5050005@gmail.com>
Date: Thu, 01 Sep 2011 00:02:18 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org>
In-Reply-To: <4E0C9A0F.5060407@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 06/30/2011 05:45 PM, Mozilla Security wrote:
> > Hello,
> > 
> > Thank you for your reply.  I received the PoC, and we will investigate
> > this issue right away.  We will be back in touch with you as we
> > determine the right course of action in terms of fixing this bug.  Let
> > me know if you have any questions in the meantime.
> > 
> > Regards,
> > 
> > Brandon Sterne
> > Mozilla Security Group
Hi,

after having a look at Thunderbird 7.0b1 I suppose a fix was committed. I
haven't heard from you since June. Did I miss an email?

The release notes [1] mention "Several fixes to attachment handling".
Can you confirm that 7.0b1 contains a fix?

thanks!

[1] https://www.mozilla.org/en-US/thunderbird/7.0beta/releasenotes/

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E5EB901.3010108@mozilla.org>
Date: Wed, 31 Aug 2011 15:43:13 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com>
In-Reply-To: <4E5EAF6A.5050005@gmail.com>
X-Enigmail-Version: 1.3.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello,

Here is what I sent you about 15 minutes after the first response:

On 06/30/2011 08:58 AM, Mozilla Security wrote:
> > Hello again,
> >
> > As I'm reading through your PoC, I believe the risk of the issue
> > you are reporting is lower than I originally thought, and I want to
> > make sure I'm not missing some aspect of the issue.
> >
> > If I understand it correctly, the
> > X-Mozilla-External-Attachment-URL header is used to cause the "Save
> > As..." action to open the URL in the default browser, *not* to open
> > the file using the operating system's default application for that
> > type of file.  This is an important distinction, as Firefox and
> > other browsers are set up to take "safe" actions with the remote
> > content based on what type of file it is.  In your example, Firefox
> > will display the contents of a text file, as that action is not
> > considered harmful.  If it were an executable, however, we would
> > not allow the user to open it directly, but instead would only give
> > them the option of saving it locally.
> >
> > Let me know if I have misunderstood the issue.  I want to make sure
> > I understand it before I file any bugs in our bug database.
> >
> > Regards,
> >
> > Brandon Sterne Mozilla Security Group

I hope my question was clear.  I don't believe the "fixes to
attachment handling" that you referred to in the release notes are
related to the issue you reported.  Let me know if you have any questions.

Regards,

-- 
Brandon Sterne
Mozilla Security Group

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E5F41B2.5040304@gmail.com>
Date: Thu, 01 Sep 2011 10:26:26 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org>
In-Reply-To: <4E5EB901.3010108@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


Hello,

thank you for your prompt answer.

On 09/01/2011 12:43 AM, Mozilla Security wrote:
> > Here is what I sent you about 15 minutes after the first response:

To which email address was this sent? (unfortunately I never received it)

> > On 06/30/2011 08:58 AM, Mozilla Security wrote:
>> >> Hello again,
> > 
>> >> As I'm reading through your PoC, I believe the risk of the issue
>> >> you are reporting is lower than I originally thought, and I want to
>> >> make sure I'm not missing some aspect of the issue.
> > 
>> >> If I understand it correctly, the
>> >> X-Mozilla-External-Attachment-URL header is used to cause the "Save
>> >> As..." action to open the URL in the default browser, *not* to open
>> >> the file using the operating system's default application for that
>> >> type of file.  

You understood the bug correctly.

>> >> Let me know if I have misunderstood the issue.  I want to make sure
>> >> I understand it before I file any bugs in our bug database.

Please let me know if there is an entry in bugzilla for this bug.


> > I hope my question was clear.  I don't believe the "fixes to
> > attachment handling" that you referred to in the release notes are
> > related to the issue you reported.  Let me know if you have any questions.

That is interesting because the original PoC as it was, is not working
anymore with TB 7.0b1 :)

kind regards!

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E5FB91E.6080306@mozilla.org>
Date: Thu, 01 Sep 2011 09:55:58 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com>
In-Reply-To: <4E5F41B2.5040304@gmail.com>
X-Enigmail-Version: 1.3.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit


On 9/1/11 1:26 AM, tagnaq wrote:
> Hello,
> 
> thank you for your prompt answer.
> 
> On 09/01/2011 12:43 AM, Mozilla Security wrote:
>> Here is what I sent you about 15 minutes after the first
>> response:
> 
> To which email address was this sent? (unfortunately I never
> received it)

Sorry for the mixup.  It does appear that I sent that email to the
Mozilla Security address twice, rather than copying you.

>> On 06/30/2011 08:58 AM, Mozilla Security wrote:
>>> Hello again,
>> 
>>> As I'm reading through your PoC, I believe the risk of the
>>> issue you are reporting is lower than I originally thought, and
>>> I want to make sure I'm not missing some aspect of the issue.
>> 
>>> If I understand it correctly, the 
>>> X-Mozilla-External-Attachment-URL header is used to cause the
>>> "Save As..." action to open the URL in the default browser,
>>> *not* to open the file using the operating system's default
>>> application for that type of file.
> 
> You understood the bug correctly.

I'm glad to hear that.

>>> Let me know if I have misunderstood the issue.  I want to make
>>> sure I understand it before I file any bugs in our bug
>>> database.
> 
> Please let me know if there is an entry in bugzilla for this bug.

I never filed a Bugzilla ticket, as I didn't believe there was an
actual exploit here.  My opinion is that we have the correct behavior
in prompting the user to save the file, and _only_ presenting that
option when it is a "dangerous" file type.

>> I hope my question was clear.  I don't believe the "fixes to 
>> attachment handling" that you referred to in the release notes
>> are related to the issue you reported.  Let me know if you have
>> any questions.
> 
> That is interesting because the original PoC as it was, is not
> working anymore with TB 7.0b1 :)

How do you mean it is not working anymore?  Do we no longer even
present the download prompt?

> kind regards!

Thanks again for contacting us, and let me know if you have any other
questions.

Regards,

Brandon Sterne
Mozilla Security Group

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E5FE6DC.3010100@gmail.com>
Date: Thu, 01 Sep 2011 22:11:08 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com> <4E5FB91E.6080306@mozilla.org>
In-Reply-To: <4E5FB91E.6080306@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 09/01/2011 06:55 PM, Mozilla Security wrote:
> > Sorry for the mixup.  It does appear that I sent that email to the
> > Mozilla Security address twice, rather than copying you.
Ok, that explains why I didn't receive that mail.

Was the answer to my mail from the 11th July  (Message-ID:
<4E1B19AB.90701@gmail.com>) also "lost" this way?

>> >> Please let me know if there is an entry in bugzilla for this bug.
> > 
> > I never filed a Bugzilla ticket, as I didn't believe there was an
> > actual exploit here.  My opinion is that we have the correct behavior
> > in prompting the user to save the file
The very nature of this bug is the missing prompt. After selecting "Save
as..." I would expect Thunderbird to ask me for the location but
Thunderbird immediately starts the browser instead (no prompt).
I agree that one might say that this is not a security issue, but it is
not expected behaviour and at least a bug in my opinion.

In my context - I analyzed Thunderbird in context with Tor - this bug
allows an attacker to deanonymize its target - if the target tries to
save an attachment.

..but after all 7.0b1 seems to fix the issue - or at least prevents the
PoC from working (I haven't looked into the changes).

kind regards!

ps: please encrypt all your replies.

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E5FF2D6.9010206@mozilla.org>
Date: Thu, 01 Sep 2011 14:02:14 -0700
From: Mozilla Security <security@mozilla.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: tagnaq <tagnaq@gmail.com>
CC: security@mozilla.org
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com> <4E5FB91E.6080306@mozilla.org> <4E5FE6DC.3010100@gmail.com>
In-Reply-To: <4E5FE6DC.3010100@gmail.com>
X-Enigmail-Version: 1.3.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit


On 9/1/11 1:11 PM, tagnaq wrote:
> > On 09/01/2011 06:55 PM, Mozilla Security wrote:
>> >> Sorry for the mixup.  It does appear that I sent that email to
>> >> the Mozilla Security address twice, rather than copying you.
> > 
> > Ok, that explains why I didn't receive that mail.
> > 
> > Was the answer to my mail from the 11th July  (Message-ID: 
> > <4E1B19AB.90701@gmail.com>) also "lost" this way?

I do not have a message from you on that date nor any message from you
with that Message-ID.

>>> >>> Please let me know if there is an entry in bugzilla for this
>>> >>> bug.
>> >> 
>> >> I never filed a Bugzilla ticket, as I didn't believe there was
>> >> an actual exploit here.  My opinion is that we have the correct
>> >> behavior in prompting the user to save the file
> > 
> > The very nature of this bug is the missing prompt. After selecting
> > "Save as..." I would expect Thunderbird to ask me for the location
> > but Thunderbird immediately starts the browser instead (no
> > prompt). I agree that one might say that this is not a security
> > issue, but it is not expected behaviour and at least a bug in my
> > opinion.
> > 
> > In my context - I analyzed Thunderbird in context with Tor - this
> > bug allows an attacker to deanonymize its target - if the target
> > tries to save an attachment.
Presumably, the request for the URL would go through the Tor proxy as
well, right?  Very well.  I have filed a bug to track this issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=684035

I do not believe it needs to be hidden, as this is more of a privacy
issue than a security exploit, plus having the bug be open will
increase the probability that someone ultimately fixes it.

> > ..but after all 7.0b1 seems to fix the issue - or at least prevents
> > the PoC from working (I haven't looked into the changes).
I still don't have an answer there. Perhaps one of the developers who
investigates the bug will know what changed.

> > kind regards!
> > 
> > ps: please encrypt all your replies.
Thank you. I will for this and future replies.


Best regards,

Brandon Sterne
Mozilla Security Group
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Message-ID: <4E5FF554.6080102@gmail.com>
Date: Thu, 01 Sep 2011 23:12:52 +0200
From: tagnaq <tagnaq@gmail.com>
MIME-Version: 1.0
To: Mozilla Security <security@mozilla.org>
Subject: Re: Thunderbird Attachment Handling Bug
References: <4E0A318A.50901@mozilla.org> <4E0BD901.8030802@gmail.com> <4E0C9A0F.5060407@mozilla.org> <4E5EAF6A.5050005@gmail.com> <4E5EB901.3010108@mozilla.org> <4E5F41B2.5040304@gmail.com> <4E5FB91E.6080306@mozilla.org> <4E5FE6DC.3010100@gmail.com> <4E5FF2D6.9010206@mozilla.org>
In-Reply-To: <4E5FF2D6.9010206@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 09/01/2011 11:02 PM, Mozilla Security wrote:
> > I do not have a message from you on that date nor any message from you
> > with that Message-ID.
I suppose you didn't get my email from 10th July either.
Looks like we're having communication issues..


> > Presumably, the request for the URL would go through the Tor proxy as
> > well, right?  Very well.  I have filed a bug to track this issue:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=684035
> > 
> > I do not believe it needs to be hidden, as this is more of a privacy
> > issue than a security exploit, plus having the bug be open will
> > increase the probability that someone ultimately fixes it.
Thanks for filing the bug.
If you agree I'll add our email conversation to the bug.

kind regards!
reference:
https://bitly.com/qDZm7C (PDF file - section: 4.1.4)
Severity: normal → S3