ASA-2019-00351 – Mozilla Thunderbird: Heap-based buffer overflow in icalmemory_strdup_and_dequote()


Allele Security Alert

ASA-2019-00351

Identifier(s)

ASA-2019-00351, CVE-2019-11704, X41-2019-001, MFSA2019-17

Title

Heap-based buffer overflow in icalmemory_strdup_and_dequote()

Vendor(s)

Mozilla

Product(s)

Mozilla Thunderbird

Affected version(s)

Mozilla Thunderbird versions before 60.7.1

Fixed version(s)

Mozilla Thunderbird version 60.7.1

Proof of concept

Yes

Description

A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47.

The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. A remote attacker might use it to crash the client or gain remote code execution on the client system.

Technical details

A heap-based buffer overflow in icalmemory_strdup_and_dequote() in icalvalue.c can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.

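static char *icalmemory_strdup_and_dequote(const char *str)
{
    /* Output buffer sized for the input string plus its terminating NUL. */
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p != 0; p++) {
        if (*p == '\\')
        {
            /* Moves to the escaped character without checking for the end of the string. */
            p++;
            // ...
        }
        else
        {
            *pout = *p;
        }
    }
    // ...
}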

Bounds checking in icalmemory_strdup_and_dequote() can be bypassed when the input walked by p ends with a backslash: the p++ that follows the backslash moves p onto the terminating NUL, and the loop's own p++ then steps past it before *p != 0 is tested again. This enables an attacker to read out of bounds of the input buffer and write out of bounds of the heap-allocated output buffer.

The issue manifests in several ways, including out-of-bounds reads and writes and null-pointer dereferences, and frequently leads to heap corruption.

It is expected that an attacker can exploit this vulnerability to achieve remote code execution.
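
The loop-control failure described above and one way to guard against it, as an added C example that is not Thunderbird's or libical's code and not the shipped fix. The names walk_passes_terminator and dequote_checked are hypothetical, the escape handling (RFC 5545 TEXT escapes) stands in for the part elided in the excerpt, and the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Index-based model of the excerpt's loop control. It never reads past the
 * terminator; it only reports whether the pointer walk would do so. */
int walk_passes_terminator(const char *str)
{
    size_t len = strlen(str);
    for (size_t i = 0; i < len; i++) {
        /* inner p++ lands on the NUL; the for-loop p++ would then step over it */
        if (str[i] == '\\' && ++i == len)
            return 1;
    }
    return 0;
}

/* Hypothetical hardened variant: same loop shape plus a terminator check. */
char *dequote_checked(const char *str)
{
    char *out = malloc(strlen(str) + 1);  /* at most one output byte per input byte */
    char *pout = out;

    if (out == NULL)
        return NULL;
    for (const char *p = str; *p != 0; p++) {
        if (*p == '\\') {
            p++;
            if (*p == 0)   /* trailing backslash: stop on the terminator */
                break;
            /* RFC 5545 TEXT escapes: \n and \N are newline, others copied as-is */
            *pout = (*p == 'n' || *p == 'N') ? '\n' : *p;
        } else {
            *pout = *p;
        }
        pout++;
    }
    *pout = '\0';
    return out;
}

int main(void)
{
    const char *samples[] = { "a\\nb", "x\\,y", "abc\\" };  /* constructed inputs */
    for (size_t i = 0; i < 3; i++) {
        char *r = dequote_checked(samples[i]);
        printf("overrun=%d out_len=%zu\n", walk_passes_terminator(samples[i]), r ? strlen(r) : 0);
        free(r);
    }
    return 0;
}
```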

Credits

Luis Merino (X41 D-SEC GmbH)

Reference(s)

ADVISORY X41-2019-001: HEAP-BASED BUFFER OVERFLOW IN THUNDERBIRD
https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird/

Security vulnerabilities fixed in Thunderbird 60.7.1
https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11704

advisories/X41-2019-001 at master · x41sec/advisories
https://github.com/x41sec/advisories/tree/master/X41-2019-001

X41 D-Sec GmbH Security Advisory X41-2019-001: Heap-based buffer overflow in Thunderbird
https://seclists.org/oss-sec/2019/q2/157

Heap buffer overread in libical (icalparser_parse_string function)
https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

CVE-2019-11704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11704

CVE-2019-11704
https://nvd.nist.gov/vuln/detail/CVE-2019-11704

Last modified: July 23, 2019