lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 13 Jun 2019 22:39:56 +0200
From: X41 D-Sec GmbH Advisories <advisories@...-dsec.de>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: X41 D-Sec GmbH Security Advisory X41-2019-003: Stack-based buffer
 overflow in Thunderbird

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================
A stack-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.

~~~
static int icalrecuraddbydayrules(struct icalrecurparser *parser,
                                    const char *vals)
{
    short *array = parser->rt.byday;
    // ...
    while (n != 0) {
    // ...
        if (wd != ICALNOWEEKDAY) {
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICALRECURRENCEARRAYMAX;
    }
}
~~~

Missing sanity checks in `icalrecuradd_bydayrules()can lead to
out of bounds write in aarraywhenweekno` takes an invalid value.
The issue manifests as an out-of-bounds write in a stack allocated
buffer overflow.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution when proper stack smashing mitigations
are missing.

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and a IT security consulting and support services are
core competencies of X41.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtJsACgkQo5Klpg50
CxALNg//RiEGsoszNtnBzS/tvL5UIniG6oBXHaqu+9XZUJeM+tYzs4Z3JvvHWx1y
exGt3nM3PMXgw21lr8NumJGHibMDckIrOIpetphg9GqRfk/iS4NivcHcbhSq7sNz
NajGpulM6HtgDflFgpB1GKfekE/DJlbiULq5SBgv/bARRARGGgGNtWp863sQPKG+
rvjSOnTyQw1ypYjozMYrmUasgC4jsLmB0LUIWqHy6lEN5OWehnO9pOpiV8xTA0qc
Y9C0IDkf6YGH6xwOxaUXc9HXGBOiQATexNGOtOmWoUsg7cpRdnuoo8YOP9V+kbeX
OK301LlXUtt0th5zu6tVGo4WK75sI8gmpxUtcbIyCxTzRC7fqAlbHGaKlQURZ23s
/2Tv5pzpBBjIO4T2t8v1O/10pDyfH2zUCXik3il2GY+zpNprR1Va6asB4y3nEPl1
ghLYCjHt58CZJZILMmK/lZap6I3ea9UaW3TsZuC07zv8A9bf+I6xcgA0+4Ms6e0P
1d1T/ygVluKRay5fgiiubTYAqtngFTOXMCioj/JmeDvL+wTYpwduukhZxDuGT6P/
OV0MuvDW1RQpj2hsw+dbcVnE+Y7X/WZDVbq3ByOj5VQz/mTPkcGaJVh37kI9Sp6A
YFJYuJrFqmdMFh365aUmAOp26hYdY9++wwWAqAlYAVFjLXst5is=
=E1se
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ