ACROS Security Problem Report #2011-08-18-2 - A binary planting vulnerability in Mozilla Thunderbird allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.
50de284a562edf3e280b13793e1465d67dae9d1e5e58327d7f298a855f29a9c1
=====[BEGIN-ACROS-REPORT]=====
PUBLIC
=========================================================================
ACROS Security Problem Report #2011-08-18-2
-------------------------------------------------------------------------
ASPR #2011-08-18-2: Remote Binary Planting in Mozilla Thunderbird
=========================================================================
Document ID: ASPR #2011-08-18-2-PUB
Vendor: Mozilla (https://www.mozilla.org)
Target: Mozilla Thunderbird
Impact: Remote execution of arbitrary code
Severity: Very high
Status: Official fix available, workarounds available
Discovered by: Jure Skofic of ACROS Security
CVSS score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID: CVE-2011-2980
CWE ID: CWE-426: Untrusted Search Path
Current version
https://www.acrossecurity.com/aspr/ASPR-2011-08-18-2-PUB.txt
Summary
=======
A "binary planting" [1] vulnerability in Mozilla Thunderbird allows local
or remote (even Internet-based) attackers to deploy and execute malicious
code on Windows machines in the context of logged-on users.
Product Coverage
================
- Mozilla Thunderbird 3.1.11 and earlier versions for Windows
Analysis
========
As a result of an incorrect dynamic link library loading in Mozilla
Thunderbird for Windows, an attacker can cause her malicious DLL to be
loaded and executed from local drives, remote Windows shares, and even
shares located on Internet.
All a remote attacker has to do is plant a malicious DLL with a specific
name on a network share and get the user to open a specially crafted file
from this network location - which should require minimal social
engineering. Since Windows systems by default have the Web Client service
running - which makes remote network shares accessible via WebDAV -, the
malicious DLL can also be deployed from an Internet-based network share as
long as the intermediate firewalls allow outbound HTTP traffic to the
Internet.
A systematic attack could deploy malicious code to a large number of
Windows workstations in a short period of time, possibly as an Internet
worm.
Visit https://www.binaryplanting.com/ for more information on binary
planting vulnerabilities and attacks.
Additional details are available to interested corporate and government
customers under NDA, as public disclosure would reveal too many details on
the vulnerability and unduly accelerate malicious exploitation.
Mitigating Factors
==================
- A firewall blocking outbound WebDAV traffic (in addition to blocking all
Windows Networking protocols) could stop an Internet-based attack.
- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based
exploitation of this vulnerability.
Solution
========
Mozilla has issued a security bulletin [3] and published a remediated
version of Thunderbird that fixes this issue.
Workaround
==========
- Stopping the Web Client service could stop Internet-based attacks as
long as the network firewall stops outbound Microsoft Networking
protocols. This would not, however, stop remote LAN-based attacks where
the attacker is able to place a malicious DLL on a network share inside
the target (e.g., corporate) network.
- General recommendations for limiting or stopping binary planting attacks
are available at
https://www.binaryplanting.com/guidelinesAdministrators.htm
Related Services
================
ACROS is offering professional consulting on this issue to interested
corporate and government customers. Typical questions we can help you
answer are:
1) To what extent is your organization affected by this issue?
2) Is it possible to get remote code from the Internet launched inside
your network? Can this be demonstrated?
3) Have you adequately applied the remedies to remove the vulnerability?
4) Are there circumstances in your environment that might prevent the
effectiveness of this fix?
5) Are there other workarounds that you could implement to fix this issue
more efficiently and/or inexpensively?
6) Are your systems or applications vulnerable to other similar issues?
Interested parties are encouraged to ask for more information at
security@acrossecurity.com.
Background
==========
ACROS Security has performed an extensive Binary Planting research
project, focused on various types of vulnerabilities where an attacker
with low privileges can place (i.e., "plant") a malicious executable file
(i.e., "binary") to some possibly remote location and get it launched by
some vulnerable application running on user's computer.
The research found that binary planting vulnerabilities are affecting a
large percentage of Windows applications and often allowing for trivial
exploitation: it identified ~520 remotely exploitable bugs in ~200 widely-
used Windows applications. A large majority of these vulnerabilties
remain unfixed and publicly unknown at the time of this writing.
Find out more:
- https://www.binaryplanting.com
- https://blog.acrossecurity.com
Follow ACROS Security on Twitter to get immediate updates on the ongoing
Binary Planting research and other research projects.
https://www.twitter.com/AcrosSecurity
References
==========
[1] Binary Planting - The Official Web Site
https://www.binaryplanting.com/
[2] Microsoft's CWDIllegalInDllSearch hotfix
https://support.microsoft.com/kb/2264107
[3] Mozilla Foundation Security Advisory 2011-32
https://www.mozilla.org/security/announce/2011/mfsa2011-32.html
Contact
=======
ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor
e-mail: security@acrossecurity.com
web: https://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282
ACROS Security PGP Key
https://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]
ACROS Security Advisories
https://www.acrossecurity.com/advisories.htm
Disclaimer
==========
The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.
Revision History
================
August 18, 2011: Initial release
Copyright
=========
(c) 2011 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.
=====[END-ACROS-REPORT]=====