Firefox is "a fast, full-featured browser that makes browsing more efficient than ever before."
"Thunderbird, our latest email program, includes intelligent spam filters, spell-checking, security, customization, and newsgroups support."
A flaw in the way Firefox and Thunderbird create temporary files when viewing files or email attachments allows an attacker to anticipate the file names and read the files without any restriction.
Credit:
The information has been provided by Martin.
Vulnerable Systems:
* Mozilla version 1.7
* Mozilla Firefox version 0.9 up to 0.9.3 inclusive
* Mozilla Thunderbird version 0.6 up to 0.8 inclusive
When opening an attachment or a link included in an Email, Thunderbird prompts the user with a dialog box giving the choice to either "Save to Disk" or to "Open with" a default program registered to open the specific file type. Likewise, Firefox will prompt the user with the same options when opening a URL pointing to a known MIME type.
For example, when a PDF file is viewed in Thunderbird, a temporary file appears in the temporary file folder (shown here on Linux):
broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf
While the dialog box is still open, the file permissions are restrictive (readable and writable by the owner only), and the filename is random (except for the extension). If the file is saved to disk, the temporary file is removed:
broadcast:/tmp$ ls -l *.pdf
ls: *.pdf: No such file or directory
Up until now everything works like a charm. However, when viewing with a specific viewer (such as xpdf for example) the filename changes from:
broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd
to:
broadcast:/tmp$ ls -l *.pdf
-rw-r--r-- 1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf
The file remains world-readable until the user closes xpdf (or whichever associated viewer is used). The filename also becomes predictable, although if that filename already exists in /tmp, Thunderbird will choose a similar filename.
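The following is an added example, not code from Mozilla or from the original advisory. It reproduces the exposed state shown in the listings beside one common hardened pattern (a private 0700 directory holding the friendly filename), with a check that reports what other local accounts can reach. The function names are hypothetical, and the hardened variant is not claimed to be the fix Mozilla applied.

```python
import os
import stat
import tempfile


def stage_insecure(shared_tmp, display_name, data):
    """Behaviour from the listings above: predictable name, mode 0644, shared directory."""
    path = os.path.join(shared_tmp, display_name)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)  # -rw-r--r--, as in the last listing
    return path


def stage_private(shared_tmp, display_name, data):
    """Keep the friendly name, but inside a fresh directory only the owner can enter."""
    name = os.path.basename(display_name)
    if name != display_name or name in ("", ".", ".."):
        raise ValueError("display name must be a bare filename")
    private_dir = tempfile.mkdtemp(prefix="helper-", dir=shared_tmp)  # 0700, random suffix
    path = os.path.join(private_dir, name)
    # O_EXCL refuses a pre-existing file; O_NOFOLLOW additionally refuses a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def exposure(path):
    """List the ways a different local account could get at a staged file."""
    findings = []
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file readable by other users")
    if os.stat(os.path.dirname(path)).st_mode & (stat.S_IXGRP | stat.S_IXOTH):
        findings.append("parent directory traversable by other users")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for /tmp: sticky and world-writable, removed afterwards.
    with tempfile.TemporaryDirectory() as shared:
        os.chmod(shared, 0o1777)
        sample = b"%PDF-1.4 constructed sample bytes"
        for stage in (stage_insecure, stage_private):
            path = stage(shared, "programming.pdf", sample)
            print(stage.__name__, exposure(path) or "not exposed")
```

The viewer still receives a path ending in the original filename, so the usability reason for renaming the file is preserved without placing it directly in the shared directory.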
Vendor Status:
Mozilla developers are aware of the issue (bug 251297) and have fixed it in CVS. The upcoming Mozilla releases will be immune to this vulnerability.