Mozilla has fixed a serious vulnerability in its Thunderbird email application that enables an attacker to bypass the filter in Thunderbird that prevents HTML tags from being used in messages. Exploiting the bug could give an attacker the ability to run code on a user’s machine.
The vulnerability in Thunderbird 17.0.6 can be triggered when an attacker injects HTML tags into an email message and a user then replies to or forwards the message. Once the user takes one of those actions, the attacker has the ability to run persistent scripts on the victim’s machine.
“By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion. However, while drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads with base64 encryption and using the <object> tag, and insert malicious scripts / code, e.g. (script / frame), within the emails and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the `Reply` or `Forward` buttons,” the advisory from Vulnerability Laboratory says.
“After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send it to victims. Interestingly, the payload gets filtered during the initial viewing mode; however, if the victim clicks on Reply or Forward, the exploit gets executed successfully. For a POC I will be including multiple examples in this advisory for your review. I was able to run multiple scripts generating strange behaviour on the application, which can be seen in the debugging errors which I have attached along with this report.”
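The advisory's description boils down to a tag denylist that never looks at what an <object> element loads. The following is an added example (not Thunderbird's code and not from the advisory): a naive denylist filter beside an allowlist sanitizer and a detection check, run over a constructed, harmless message whose <object> carries a base64 data: URI in the shape the advisory describes. The names and the sample message are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser
import base64
import re

# Constructed sample in the shape the advisory describes: an <object> whose
# data: URI carries a base64 payload. The payload here is harmless markup.
INNER = "<b>constructed sample</b>"
SAMPLE = ('<p>hello</p><object data="data:text/html;base64,'
          + base64.b64encode(INNER.encode()).decode() + '"></object>')

DENIED = ("script", "iframe")
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed)\b|(?:data|javascript)\s*:", re.I)

def denylist_filter(html_text: str) -> str:
    """Naive filter that only strips known-bad tags; <object> passes untouched."""
    return re.sub(r"</?(?:%s)\b[^>]*>" % "|".join(DENIED), "", html_text, flags=re.I)

def has_active_content(html_text: str) -> bool:
    """Detection check for a filter's output: flags any tag or URI scheme that
    could still load or run code (object/embed/script/iframe, data:, javascript:)."""
    return ACTIVE.search(html_text) is not None

class AllowlistSanitizer(HTMLParser):
    """Keep only a few formatting tags and an href with a safe scheme; every other
    tag and attribute is dropped, so <object> and data: URIs never survive."""
    ALLOWED = {"p", "b", "i", "br", "a"}
    SAFE_SCHEMES = ("http://", "https://", "mailto:")
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            return                      # unknown tag: dropped, attributes and all
        href = (dict(attrs).get("href") or "").strip()
        attr = ""
        if tag == "a" and href.lower().startswith(self.SAFE_SCHEMES):
            attr = ' href="%s"' % escape(href, quote=True)
        self.out.append("<%s%s>" % (tag, attr))
    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(escape(data))   # text is re-escaped, never re-parsed as markup

def allowlist_filter(html_text: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html_text); parser.close()
    return "".join(parser.out)
```

Running `has_active_content` over a filter's output is the regression check a mail client or gateway would want: the denylist output still trips it, the allowlist output does not.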
The vulnerability is fixed in the most recent versions of Thunderbird, and users should upgrade as soon as possible, as the bug doesn’t require much in the way of user interaction for exploitation.
“These sorts of vulnerabilities can result in multiple attack vectors on the client end, which may eventually result in complete compromise of the end user system. The persistent code injection vulnerability is located within the main application. Exploitation of this persistent application vulnerability requires a low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed in the victim's browser, resulting in script code injection, persistent phishing, client-side redirects and similar client-side attacks,” the advisory says.