Document Title: =============== Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=953 Mozilla Bug Tracking ID: 875818 Video: http://www.vulnerability-lab.com/get_content.php?id=1182 Partner News (Softpedia): http://news.softpedia.com/news/Critical-Validation-and-Filter-Bypass-Vulnerability-Fixed-in-Thunderbird-420962.shtml Release Date: ============= 2014-01-27 Vulnerability Laboratory ID (VL-ID): ==================================== 953 Common Vulnerability Scoring System: ==================================== 7.3 Product & Service Introduction: =============================== Thunderbird is a free, open-source, cross-platform application for managing email and news feeds. It is a local (rather than a web-based) email application that is powerful yet easy-to-use. Thunderbird has lots of cool features. Thunderbird gives you control and ownership over your email. There are lots of add-ons available for Thunderbird that enable you to extend and customize your email experience. Thunderbird is part of the Mozilla Manifesto, a pledge that describes Mozilla`s commitment to an open, accessible, egalitarian Internet. ( Copy of the Vendor Homepage: http://www.mozilla.org ) ( Copy of the Product Homepage: http://www.mozilla.org/en-US/thunderbird/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a critical validation and filter bypass vulnerability in the official Mozilla Thunderbird 17.0.6 email software. Vulnerability Disclosure Timeline: ================================== 2013-05-10: Researcher Notification & Coordination (Ateeq ur Rehman Khan) 2013-05-11: Vendor Notification (Mozilla Security Incident Team) 2013-05-21: Vendor Response/Feedback (Mozilla Security Incident Team) 2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB) 2014-01-27: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Mozilla Product: Thunderbird - EMail Application 17.0.6 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ It has been discovered that the security controls / filters currently being used in Mozilla Thunderbird application can be easily evaded if an attacker decides to encrypt the payloads with base64 encryption and combine it with the tag. During the testing, it was initially noticed that malicious javascript tags were being filtered / blocked in the Thunderbird application however, Attaching a debugger with the Thunderbird .exe file revealed some very interesting information and gave much better insight behind the actual working of the application. Most of the information revealed is Javascript errors which gave the researcher much hope in believing that the application might actually be vulnerable. By default, HTML tags like When the browser loads the object tag, it loads an object (in our case, it’s a javascript) assigned to its data attribute. This causes execution of our javascript. We were able to bypass the application blacklist filter because of the base64-encoded payload. 1.4 Email Header showing the hidden malicious payload Message-ID: <5195AABB.9000409@ccure.it> Date: Fri, 17 May 2013 08:57:47 +0500 From: Ateeq Khan User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 MIME-Version: 1.0 To: ateeq Subject: Test X-Enigmail-Version: 1.5.1 Content-Type: multipart/alternative; boundary="------------070707070308040102070208" X-Provags-ID: V02:K0:x1sxyB72JjArK0t7OpMGlUdnbY0vjneQvJdkX/twIfw QgzRaY5JN/SeFJ/fl2yULg+LJCKojYYGFR/8wrcS9hv6B6WWrN mur6d1IsxEn2D2kZt5fQ3tk8Z1qDiEpN5C7vrtOyEFAMJR3NHg jsL6elL9oxDkDRj1rYWvipndH1vonoPT3kjbcmuPsEZwYZ0JkL BjvA5CQE3qDMPgd5nzdT8SqKBRrj9u7m/irxCWHeJcnAG0XBnK txadh05EhpYjzrsz2kd+EyQe8ABh9F+yHQs6PBgIJeMDhm3EmY KPDb5TDHAsnDSD7e3jSaj1t/jhHWc4OA+Okkw+PsyBasdNvzw= = X-UI-Junk: AutoNotJunk -999 (UWL); V01:9SSPrMSv:3OJduITnBKJW2sO9FDRIJW8REKQH86F2DhxLUWcUUFzS1g0JhJ7 GgRkniiwfqYstxpjhSj957gz/8tEx07A4XeXZriK0TD0WhS1DXezTz/TtZsDYDEh hoWYOFl3bb5yC2QDLQsFZpUW8W11Q1ueL83Jxhvv1UmeH1zGnYFLHhAFOpzxH4jN 652vXWc8dXjmX/WjTrvcI6NDjWdTTTfnDoO2PVFxLR+Tspu5HEv+SDuyrKv18Pei ogK+aeYsHnGw+Sv4tyfEE3I/nLbDefudGihBnld6s0loLxOOAGeIYxOeZ4Je+v0h MH9Y6ICIP7qvG/CkWt1PYQDzeNRPMANzlOgD/c//0kMjpKd6GwFWZIgfLyEFGGGA 5ghpw5skyHXrAcf+FBq4ayJpL2UIfGeghWw== X-Nemesis-Spam: whitelist Envelope-To: ateeq@ccure.it This is a multi-part message in MIME format. --------------070707070308040102070208 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit -- --------------070707070308040102070208 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
--
--------------070707070308040102070208-- 1.5 Interesting Raw Application Logs captured during the entire process of testing: (4fbc.3828): Break instruction exception - code 80000003 (first chance) eax=fff82000 ebx=00000000 ecx=00000000 edx=7792f85a esi=00000000 edi=00000000 eip=778a000c esp=0ffffd94 ebp=0ffffdc0 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 ntdll!DbgBreakPoint: 778a000c cc int 3 0:040> g [JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498 @resource:///components/nsSearchService.js:3476 _adjustAcItem@chrome://messenger/content/webSearch.xml:42 @chrome://messenger/content/webSearch.xml:22 " {file: "resource:///components/nsSearchService.js" line: 2499}] [JavaScript Error: "2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression: [" :: line 2790" data: no]" {file: "chrome://global/content/globalOverlay.js" line: 95}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}] [JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/folderDisplay.js" line: 2342}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/folderDisplay.js" line: 2342}] [JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}] [JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}] [JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}] [JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messenger.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messenger.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/folderDisplay.js" line: 1621}] [JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://global/content/bindings/toolbar.xml" line: 276}] "chrome://global/content/bindings/general.xml" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] No chrome package registered for chrome://navigator/content/navigator.xul [JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64, PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9 yICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYW dlci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] No chrome package registered for chrome://navigator/content/navigator.xul [JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64, PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9y ICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYWdl ci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}] [JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception... "Could not convert Native argument arg 3 [nsIDOMJSWindow.openDialog]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)" location: "JS frame :: chrome://editor/content/ComposerCommands.js :: :: line 2790" data: no]" {file: "chrome://global/content/globalOverlay.js" line: 95}] [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] Security Error: Content at moz-nullprincipal:{37db781d-d6d3-44bb-ade4-a79dcc63c0dd} may not load or link to about:blank. Security Error: Content at moz-nullprincipal:{44bab10a-4bd8-4cfb-a519-eb2535344039} may not load or link to about:blank [JavaScript Error: "[Exception... "'DB failed getting form autocomplete values' when calling method: [nsIFormAutoComplete::autoCompleteSearch]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "" data: no]"] [JavaScript Error: "aSubject.popup is undefined" {file: "resource:///modules/glodaWebSearch.js" line: 68}] [JavaScript Warning: "The stylesheet data:,*%7bx:askjnexpression(write(2))%7D was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}] [JavaScript Warning: "Unknown property 'x'. Declaration dropped." {file: "data:,*%7bx:askjnexpression(write(2))%7D" line: 1] [JavaScript Error: "GenericSendMessage FAILED: [Exception... "Component returned failure code: 0x8055311a [nsIMsgCompose.SendMsg]" nsresult: "0x8055311a ()" location: "JS frame :: chrome://messenger/content/messengercompose/MsgComposeCommands.js :: GenericSendMessage :: line 2814" data: no]" {file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 2817}] "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}] [JavaScript Warning: "Use of attributes' nodeValue attribute is deprecated. Use value instead." {file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 3996}] Security Error: Content at moz-nullprincipal:{549c3f5a-560d-4469-9b0f-09f598998b0b} may not load or link to about:blank. Security Error: Content at moz-nullprincipal:{63e416e7-9cc4-458f-b93d-882bb2ad9121} may not load or link to about:blank. [JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://global/content/bindings/general.xml" line: 0}] [JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498 @resource:///components/nsSearchService.js:3476 _adjustAcItem@chrome://messenger/content/webSearch.xml:42 @chrome://messenger/content/webSearch.xml:22 [JavaScript Warning: "The stylesheet data:,*%7bx:askjnexpression(write(2))%7D was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}] stylesheet was loaded successfully as text/plain even though it should have been. Solution - Fix & Patch: ======================= 2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB) Security Risk: ============== The security risk of the persistent input validation vulnerabilities and filter bypass is estimated as high(+). Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2014 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com