Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y7b0rzSF7dF5Hgdu@itl-email>
Date: Thu, 5 Jan 2023 11:02:50 -0500
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com
Subject: Re: Code execution through MIME-type association of
 Mono interpreter and security expectations of MIME type associations

On Wed, Jan 04, 2023 at 11:47:12PM +0100, Gabriel Corona wrote:
> On Debian and derivatives, the mono-runtime-common package associates
> the application/x-ms-dos-executable MIME type with the Mono CLR
> interpreter [1]. This makes it very easy for an attacker to trigger
> arbitrary code execution through programs such as Chromium [2], Firefox
> [3] and Thunderbird [4] when the Mono packages are installed.
> 
> This has been fixed in package 6.8.0.105+dfsg-3.3 [5] which is available
> in Debian testing, Debian Sid and Ubuntu Lunar (23.04). This has
> currently not been fixed in any stable distribution.
> 
> On Firefox and Thunderbird, a user interface is used to let the user
> confirm which program to use to open the file. In this case, we can
> trick the user into thinking he is about to open the file with a
> innocuous program by serving the file with a special MIME type such as
> inode/directory or x-scheme-handler/trash [3,4]. These MIME types are
> typically associated with a file manager. When called this way, several
> file managers will try to open the file based on MIME-type associations
> (where the MIME-type is inferred either from the file name extension or
> from the file content). Thunar, PCManFM, PCManFM-Qt were found to
> exhibit this behavior.
> 
> For Thunar, this behavior has been fixed in v4.16.7 and v4.17.2 [7].
> 
> We can use a visually confusable file name such as REPORT.ΡDF (notice
> the non-ASCII first letter in the extension) in order to trick the user
> into thinking he is opening a "safe" file type while disabling MIME-type
> detection based on the file name extension.
> 
> Moreover, in Firefox and Thunderbird [8], we can corrupt the file
> association database (handlers.json) in order to display a bogus file
> type description associated with the inode/directory or x-scheme-
> handler/trash MIME type. This is done by first serving a "safe" file
> type (such as a PDF) with this MIME type.
> 
> This begs several questions about file associations:
> 
> * Is it legitimate to register file associations for programs
>   which can exbibit arbitrary code execution such as unsandboxed
>   program interpreters?

No.  Failure to do this is a major cause of security problems in
Microsoft Windows.

> * When a program (such as a file manager) is called with a regular file
>   it does not handle, should it spawn a new program for handling the
>   file without user confirmation (as it may be exploited for file type
>   spoofing)?

No, it should not.

> * Should a client program reject special/bogus MIME types such as
>   inode/* and x-scheme-handler/* as they are not expected to be
>   used in this context (and it may be exploited for file type spoofing)?

Yes, and there needs to be a database of such types.

> I would consider the following behaviors to be vulnerabilities:
> 
> * Association of the Mono interpreter with a MIME type in the
>   Debian/Ubuntu packages;

I agree.

> * Thunar delegates to MIME type associations when opened with a regular
>   file (CVE-2021-32563);

I agree.

> * PCManFM delegates to MIME type associations when opened with a regular
>   file;

I agree.

> * PCManFM-Qt delegates to MIME type associations when opened with a
>   regular file;

I agree.

> * Firefox and Thunderbird accept "special" MIME types (inode/* and
>   x-scheme-handler/*) from remote servers;

Not sure what you mean by “accept”.  Do you mean that download should be
aborted?

> * File type spoofing by corrupting the Firefox and Thunderbird
>   handlers.json database.

I agree.

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972146
> [2] https://www.gabriel.urdhr.fr/videos/chromium-filetype-spoofing-poc.ogv
> [3] https://www.gabriel.urdhr.fr/videos/firefox-filetype-spoofing-poc.ogv
> [4] https://www.gabriel.urdhr.fr/videos/thunderbird-filetype-spoofing-poc.ogv
> [5] https://packages.debian.org/buster/mono-runtime-common
> [6] https://packages.ubuntu.com/search?keywords=mono-runtime-common&searchon=names&suite=all&section=all
> [7] https://nvd.nist.gov/vuln/detail/CVE-2021-32563
> [8] https://www.gabriel.urdhr.fr/videos/firefox-filetype-spoofing-poc2.ogv

Qubes OS should probably register a catchall handler for special MIME
types that does nothing.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.