X41 D-Sec GmbH Security Advisory X41-2019-001: Heap-based buffer- overflow in Thunderbird

From: X41 D-Sec GmbH Advisories <advisories@x41-dsec.de>
To: bugtraq@securityfocus.com,fulldisclosure@seclists.org
Cc:
Subject: X41 D-Sec GmbH Security Advisory X41-2019-001: Heap-based buffer- overflow in Thunderbird
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalvalue.c
icalmemory_strdup_and_dequote() can be triggered while parsing a
calendar attachment containing a malformed or specially crafted
string.

~~~
static char *icalmemorystrdupanddequote(const char *str)
{
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p!=0; p++){
        if( *p == '\')
        {
            p++;
        // ...
        else
    {
            *pout = *p;
    }
    }
~~~

Bounds checking in `icalmemorystrdupanddequote()can be bypassed when the
inputp` ends with a backslash, which enables an attacker to read out
of bounds of the input buffer and writing out of bounds of a
heap-allocated
output buffer.
The issue manifests in several ways, including out of bounds read and
write, null-pointer dereference and frequently leads to heap corruption.

It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer EML file can be found in:

https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and a IT security consulting and support services are
core competencies of X41.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CsOUACgkQo5Klpg50
CxA8/A/+KajTIDyZwSInPe0uftrEG/c+DNJLQfpH53sBH4qI9G8F+FPquEibdCEm
WIXlbdxxo7iVGkBUxws3+aqOXYtBYRGUQvSMDxcM9bmLWkzIOWCZ7RW4h4KOngWu
NiWqFkdpRLxSjHgEFn3eegvcnwEmpOlV4eBw5oY1rTFCg44hbrLXTKEZqOOVFII/
n754abauYhol2SezeuJL2Du1hf7n0e4T6DPdYsrwB4+3XwAdp6n86hy9DdXniqdk
XvJ2WFTKPljkt2suHmkM28zx8q52O5kMIK0Szc5MVZRiFIrPNh/oYFkCoBVYTqFQ
/ui0YJZOy8O6mA1l7j7A3I+t3DSUu4Cs0fCVCqrBVKm1LNcmnWIyDrGRCpY5WOTI
S8lllwEeUv5UoSaoPAWIXhvo1J4ISUX0qoNWNqtRENJCXjZvsmOvZkwWy0bMdu5g
1iWZ3Ro/hx7eAbakWKPrzRdnLI7wz7bBcnm3BSY4gelAhtTMLds/OSplDUpYL1cI
KRMsnosf2CBiRGlGqdpXVlXcsmi3dozRY7q87Kxh58x50efGTqYQ+yAmR1pMrQgH
O0yWaspEQOnqoPiw9dvT3gTqopk0qNdPWwbr599NAVOP5d0H3AKyeJxzTzVUIsxg
Jynb/E4hQxgyYN8tSqH/2SXqmXiOPJrJgLt0O4KmKVjMwvnS/OU=
=3l5l
-----END PGP SIGNATURE-----





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.