Discovered a serious vulnerability in Mozilla Thunderbird

Pierluigi Paganini January 29, 2014

A serious vulnerability in the Gecko engine of Mozilla Thunderbird allows hackers to insert malicious code into emails to exploit the recipient's browser.

A critical vulnerability affects the email client Mozilla Thunderbird 17.0.6. The popular application has a validation and filter bypass vulnerability that hackers could exploit to get around the filter that prevents HTML tags from being used in messages.

This category of vulnerability is very insidious: attackers could exploit it remotely to execute malicious code in the victim’s browser.

The flaw in Mozilla Thunderbird was discovered by Vulnerability-Lab, which issued a security advisory; the vulnerability affects the Mozilla Gecko engine. Gecko is an open source layout engine used in many applications developed by the Mozilla Foundation and the Mozilla Corporation. The security analysts discovered different JavaScript errors that could be exploited by attackers.
By default Thunderbird blocks HTML tags, including <iframe> and <script>; the engine filters them out. A hacker can bypass the validation filters by encoding the payload with base64 and combining it with the <object> tag.
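The defensive counterpart of this bypass is to decode encoded attribute content and re-run the tag filter on the result. The sketch below is an added example, not code from Thunderbird or from the advisory; it assumes the base64 payload is carried as a `data:` URI in a URL-bearing attribute (the article does not spell out the form), and the function names and tag list are illustrative.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import unquote

BLOCKED_TAGS = {"script", "iframe", "object", "embed"}  # tags to report
URL_ATTRS = {"data", "src", "href"}  # attributes that may carry a data: URI
MAX_DEPTH = 3  # stop unwrapping nested data: URIs after this many layers

def decode_data_uri(value):
    """Return the decoded body of a data: URI, or None if value is not one."""
    value = value.strip()
    if not value.lower().startswith("data:"):
        return None
    header, sep, body = value[5:].partition(",")
    if not sep:
        return None
    body = unquote(body)
    if not header.lower().endswith(";base64"):
        return body
    try:
        return base64.b64decode(body).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed base64: nothing to inspect

class _Scanner(HTMLParser):
    def __init__(self, depth):
        super().__init__(convert_charrefs=True)
        self.depth, self.findings = depth, []
    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append((self.depth, tag))
        for name, value in attrs:
            decoded = decode_data_uri(value or "") if name in URL_ATTRS else None
            if decoded is not None and self.depth < MAX_DEPTH:
                # Re-scan the decoded document so encoded markup is not trusted.
                self.findings += scan_html(decoded, self.depth + 1)

def scan_html(markup, depth=0):
    """List (nesting depth, tag) for every blocked tag, including encoded ones."""
    scanner = _Scanner(depth)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed sample: an inert script element, base64-wrapped inside <object>.
_INNER = "<script>/* constructed, inert */</script>"
SAMPLE_BODY = ('<p>Hi</p><object data="data:text/html;base64,'
               + base64.b64encode(_INNER.encode()).decode() + '"></object>')
```

Calling `scan_html(SAMPLE_BODY)` reports the `<object>` at depth 0 and the `<script>` at depth 1; a filter that only matches tag names in the outer markup never sees the second finding.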

“In 2013 Q3 the researcher Ateeq ur Rehman Khan from Pakistan Karachi reported a remote vulnerability in the official Mozilla Thunderbird. The issue has been reported with responsible disclosure to the official Mozilla Corporation bug bounty program. 3 years ago the same problem came up in another location of the Thunderbird software application called wiretap. The remote vulnerability has been patched in January after the verification procedure of the Mozilla Corporation in Thunderbird 24.x version,” reports the Technical Details & Description section of the advisory.

The malicious code could be injected during email creation, as part of the body or signature or through a signed attachment, and it is triggered on the victim’s machine when the user replies to the message or forwards it.
“The persistent code injection vulnerability is located within the main application,” said Vulnerability Lab.
A video PoC of the vulnerability in Mozilla Thunderbird follows.

The flaw has already been fixed in the latest version of the open source email client (24.2.0). Mozilla Thunderbird users are warned to update as soon as possible.

Pierluigi Paganini

(Security Affairs –  Mozilla Thunderbird, hacking)
