Ateeq ur Rehman Khan, a Pakistani security researcher from Vulnerability Laboratory, has identified a critical vulnerability impacting the desktop version of the Thunderbird email client. The issue was reported to Mozilla back in May 2013, but the company confirmed fixing it only earlier this month.The validation and filter bypass vulnerability was successfully reproduced on Thunderbird 17.0.6, which at the time of the testing was the latest version.
The flaw existed in Mozilla's Gecko engine. This means that other applications that use Gecko have been impacted, including SeaMonkey.
According to a report provided by the Vulnerability Lab to Softpedia, experts found that the security controls and filters used in Thunderbird could have been easily bypassed by cybercriminals by using a traditional <object> tag, which, interestingly, was not being filtered by the application.
The flaw was discovered after the researchers attached a debugger to Thunderbird.exe, the application’s main executable, and dug deep to analyze the application’s backend responses.
“By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion,” the report from the company reads.
“However, while drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads with base64 encryption and using the <object> tag and insert malicious scripts / code eg. (script / frame) within the emails and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the ‘Reply’ or ‘Forward’ Buttons.”
The report explains, “After successfully bypassing the input filters, an attacker can inject malicious persistent script code while writing a new email and send it to victims. Interestingly the payload gets filtered during the initial viewing mode however if the victim clicks on Reply or Forward, the injected code gets executed successfully.
“This sort of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system. The persistent code injection vulnerability is located within the main application.”
Only low or medium user interaction is needed to exploit this vulnerability. If it’s exploited successfully, the security flaw can be leveraged to run malicious code or scripts within the victim’s Thunderbird desktop application engine.
The bug can also be exploited for phishing attacks, and client-side redirects, but the main attack vector relies on the bug’s persistence, the experts said. The vulnerability was rated as “sec-critical/sec-high” by the Mozilla Security Team after the Vulnerability Lab team demonstrated multiple attacking scenarios.
Tech savvy users can check out the proof-of concept provided to Softpedia by Vulnerability Lab. You can also check out the video POC provided to us by the security research company: