X41 D-Sec GmbH Security Advisory: X41-2019-004

Advisory X41-2019-004: Type confusion in Thunderbird

Severity Rating: Medium

Confirmed Affected Versions: All versions affected

Confirmed Patched Versions: Thunderbird ESR 60.7.XXX

Vendor: Thunderbird

Vendor URL: https://www.thunderbird.net/

Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646

Vector: Incoming mail with calendar attachment

Credit: X41 D-SEC GmbH, Luis Merino

Status: Public

CVE: CVE-2019-11706

CWE: 843

CVSS Score: 6.5

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O

Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact

A type confusion has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47.

The issue can be triggered remotely, when an attacker sends an specially crafted calendar attachment and does not require user interaction. It might be used by a remote attacker to crash the process or leak information from the client system via calendar replies.

X41 did not perform a full test or audit on the software.

Product Description

Thunderbird is a free and open source email, newsfeed, chat, and calendaring client, that's easy to set up and customize.

Analysis

A type confusion in icalproperty.c icaltimezone_get_vtimezone_properties() can be triggered while parsing a malformed calendar attachment. Missing sanity checks allows a TZID property to be parsed as ICAL_FLOAT_VALUE but it is later used as a string.

The bug manifests with strdup(tzid); being called with tzid containing a bad pointer obtained by casting to char* from a float value, which typically means segfaulting by dereferencing a non-mapped memory page.

An attacker might be able to deliver an input file containing specially crafted float values as TZID properties which could point to arbitrary memory positions. Certain conditions could allow to exfiltrate information via a calendar reply or other undetermined impact.

Proof of Concept

A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds

A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in Thunderbird configuration.

Timeline

2019-05-30 Issues reported to the vendor

2019-06-07 Vendor reply

2019-06-12 CVE IDs assigned

2019-06-13 Patched Version released

2019-06-13 Advisory released

About X41 D-SEC GmbH

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and a IT security consulting and support services are core competencies of X41.

Author: Luis Merino
Date: June 13, 2019