ASA-2019-00353 – Mozilla Thunderbird: Stack-based buffer overflow in icalrecur_add_bydayrules()


Allele Security Alert

ASA-2019-00353

Identifier(s)

ASA-2019-00353, X41-2019-003, CVE-2019-11705, MFSA2019-17

Title

Stack-based buffer overflow in icalrecur_add_bydayrules()

Vendor(s)

Mozilla

Product(s)

Mozilla Thunderbird

Affected version(s)

Mozilla Thunderbird versions prior to 60.7.1

Fixed version(s)

Mozilla Thunderbird version 60.7.1

Proof of concept

Yes

Description

A stack-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47.

The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. A remote attacker might use it to crash the client or gain remote code execution on the client system.

Technical details

A stack-based buffer overflow in icalrecur_add_bydayrules() in icalrecur.c can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.

static int icalrecur_add_bydayrules(struct icalrecur_parser *parser,
                                    const char *vals)
{
    short *array = parser->rt.by_day;
    // ...

    while (n != 0) {
        // ...
        if (wd != ICAL_NO_WEEKDAY) {
            // written with no prior sanity checks (see below)
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICAL_RECURRENCE_ARRAY_MAX;
        }
    }
    // ...
}

Missing sanity checks in icalrecur_add_bydayrules() can lead to an out-of-bounds write in an array when weekno takes an invalid value.

The issue manifests as an out-of-bounds write to a stack-allocated buffer.

It is expected that an attacker can exploit this vulnerability to achieve remote code execution when proper stack smashing mitigations are missing.
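
The following added example, which is not code from libical, Thunderbird or the X41 advisory, parses a BYDAY-style list with sanity checks of the kind described above as missing: it validates the week number and bounds the write index before every store. BY_DAY_SIZE, ARRAY_END, MAX_WEEKNO and the function names are assumptions made for the example; the 1..53 week range follows RFC 5545.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Constructed stand-ins; names and sizes are assumptions, not libical's definitions. */
#define BY_DAY_SIZE 8        /* capacity including the terminator slot */
#define ARRAY_END   SHRT_MAX /* plays the role of ICAL_RECURRENCE_ARRAY_MAX */
#define MAX_WEEKNO  53       /* RFC 5545 allows week ordinals 1..53 */

/* Map a two-letter weekday to 1..7 (SU=1), or 0 if it is not a weekday. */
static int weekday_from_str(const char *s)
{
    static const char *names[] = { "SU", "MO", "TU", "WE", "TH", "FR", "SA" };
    for (int d = 0; d < 7; d++)
        if (strncmp(s, names[d], 2) == 0)
            return d + 1;
    return 0;
}

/* Parse e.g. "1MO,-2TU,FR" into out[]; return the entry count, or -1 on rejection. */
static int parse_byday_checked(const char *vals, short out[BY_DAY_SIZE])
{
    const char *p = vals;
    int i = 0;
    out[0] = ARRAY_END;
    while (*p != '\0') {
        char *end;
        long weekno = strtol(p, &end, 10);   /* optional signed week number */
        int wd = weekday_from_str(end);
        if (wd == 0 || weekno < -MAX_WEEKNO || weekno > MAX_WEEKNO)
            return -1;                       /* malformed weekday or week number */
        if (i >= BY_DAY_SIZE - 1)
            return -1;                       /* no room for value plus terminator */
        out[i++] = (short)((weekno < 0 ? -1 : 1) * (wd + 8 * labs(weekno)));
        out[i] = ARRAY_END;                  /* index is in bounds by the check above */
        p = end + 2;                         /* skip the two weekday letters */
        if (*p == ',') p++;
        else if (*p != '\0') return -1;      /* trailing garbage after weekday */
    }
    return i;
}

int main(void)
{
    short out[BY_DAY_SIZE];
    printf("%d\n", parse_byday_checked("1MO,-2TU,FR", out)); /* constructed input */
    return 0;
}
```

Rejecting the whole value on the first bad entry, rather than skipping it, keeps the parser from continuing on input it has already found to be malformed.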

Credits

Luis Merino (X41 D-SEC GmbH)

Reference(s)

ADVISORY X41-2019-003: STACK-BASED BUFFER OVERFLOW IN THUNDERBIRD
https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird/

Security vulnerabilities fixed in Thunderbird 60.7.1
https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11705

advisories/X41-2019-003 at master · x41sec/advisories
https://github.com/x41sec/advisories/tree/master/X41-2019-003

X41 D-Sec GmbH Security Advisory X41-2019-003: Stack-based buffer overflow in Thunderbird
https://seclists.org/oss-sec/2019/q2/159

CVE-2019-11705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11705

CVE-2019-11705
https://nvd.nist.gov/vuln/detail/CVE-2019-11705


Last modified: July 23, 2019
