ASA-2019-00354 – Mozilla Thunderbird: Type confusion in icaltimezone_get_vtimezone_properties()


Allele Security Alert

ASA-2019-00354

Identifier(s)

ASA-2019-00354, X41-2019-004, CVE-2019-11706, MFSA2019-17

Title

Type confusion in icaltimezone_get_vtimezone_properties()

Vendor(s)

Mozilla

Product(s)

Mozilla Thunderbird

Affected version(s)

Mozilla Thunderbird versions before 60.7.1

Fixed version(s)

Mozilla Thunderbird version 60.7.1

Proof of concept

Yes

Description

A type confusion has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47.

The issue can be triggered remotely, when an attacker sends a specially crafted calendar attachment and does not require user interaction. It might be used by a remote attacker to crash the process or leak information from the client system via calendar replies.

Technical details

A type confusion in icalproperty.c icaltimezone_get_vtimezone_properties() can be triggered while parsing a malformed calendar attachment. Missing sanity checks allows a TZID property to be parsed as ICAL_FLOAT_VALUE but it is later used as a string.

The bug manifests with strdup(tzid); being called with tzid containing a bad pointer obtained by casting to char* from a float value, which typically means segfaulting by dereferencing a non-mapped memory page.

An attacker might be able to deliver an input file containing specially crafted float values as TZID properties which could point to arbitrary memory positions. Certain conditions could allow to exfiltrate information via a calendar reply or other undetermined impact.

Credits

Luis Merino (X41 D-SEC GmbH)

Reference(s)

ADVISORY X41-2019-004: TYPE CONFUSION IN THUNDERBIRD
https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird/

Security vulnerabilities fixed in Thunderbird 60.7.1
https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11706

X41 D-Sec GmbH Security Advisory X41-2019-004: Type confusion in Thunderbird
https://seclists.org/oss-sec/2019/q2/160

advisories/X41-2019-004 at master · x41sec/advisories
https://github.com/x41sec/advisories/tree/master/X41-2019-004

CVE-2019-11706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11706

CVE-2019-11706
https://nvd.nist.gov/vuln/detail/CVE-2019-11706

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.