-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 X41 D-Sec GmbH Security Advisory: X41-2019-003 Stack-based buffer overflow in Thunderbird ========================================== Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed Patched Versions: Thunderbird ESR 60.7.XXX Vendor: Thunderbird Vendor URL: https://www.thunderbird.net/ Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808 Vector: Incoming mail with calendar attachment Credit: X41 D-SEC GmbH, Luis Merino Status: Public CVE: CVE-2019-11705 CWE: 121 CVSS Score: 7.8 CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird Summary and Impact ================== A stack-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely, when an attacker sends an specially crafted calendar attachment and does not require user interaction. It might be used by a remote attacker to crash or gain remote code execution in the client system. X41 did not perform a full test or audit on the software. Product Description =================== Thunderbird is a free and open source email, newsfeed, chat, and calendaring client, that's easy to set up and customize. Analysis ======== A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules() can be triggered while parsing a calendar attachment containing a malformed or specially crafted string. ~~~ static int icalrecuraddbydayrules(struct icalrecurparser *parser, const char *vals) { short *array = parser->rt.byday; // ... while (n != 0) { // ... if (wd != ICALNOWEEKDAY) { array[i++] = (short) (sign * (wd + 8 * weekno)); array[i] = ICALRECURRENCEARRAYMAX; } } ~~~ Missing sanity checks in `icalrecuradd_bydayrules()can lead to out of bounds write in aarraywhenweekno` takes an invalid value. The issue manifests as an out-of-bounds write in a stack allocated buffer overflow. It is expected that an attacker can exploit this vulnerability to achieve remote code execution when proper stack smashing mitigations are missing. Proof of Concept ================ A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-003 Workarounds =========== A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in Thunderbird configuration. Timeline ======== 2019-05-23 Issues reported to the vendor 2019-05-23 Vendor reply 2019-06-12 CVE IDs assigned 2019-06-13 Patched Version released 2019-06-13 Advisory released About X41 D-SEC GmbH ==================== X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and a IT security consulting and support services are core competencies of X41. -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtJsACgkQo5Klpg50 CxALNg//RiEGsoszNtnBzS/tvL5UIniG6oBXHaqu+9XZUJeM+tYzs4Z3JvvHWx1y exGt3nM3PMXgw21lr8NumJGHibMDckIrOIpetphg9GqRfk/iS4NivcHcbhSq7sNz NajGpulM6HtgDflFgpB1GKfekE/DJlbiULq5SBgv/bARRARGGgGNtWp863sQPKG+ rvjSOnTyQw1ypYjozMYrmUasgC4jsLmB0LUIWqHy6lEN5OWehnO9pOpiV8xTA0qc Y9C0IDkf6YGH6xwOxaUXc9HXGBOiQATexNGOtOmWoUsg7cpRdnuoo8YOP9V+kbeX OK301LlXUtt0th5zu6tVGo4WK75sI8gmpxUtcbIyCxTzRC7fqAlbHGaKlQURZ23s /2Tv5pzpBBjIO4T2t8v1O/10pDyfH2zUCXik3il2GY+zpNprR1Va6asB4y3nEPl1 ghLYCjHt58CZJZILMmK/lZap6I3ea9UaW3TsZuC07zv8A9bf+I6xcgA0+4Ms6e0P 1d1T/ygVluKRay5fgiiubTYAqtngFTOXMCioj/JmeDvL+wTYpwduukhZxDuGT6P/ OV0MuvDW1RQpj2hsw+dbcVnE+Y7X/WZDVbq3ByOj5VQz/mTPkcGaJVh37kI9Sp6A YFJYuJrFqmdMFh365aUmAOp26hYdY9++wwWAqAlYAVFjLXst5is= =E1se -----END PGP SIGNATURE-----