oss-sec mailing list archives
Re: Code execution through MIME-type association of Mono interpreter and security expectations of MIME type associations
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Thu, 5 Jan 2023 11:02:50 -0500
On Wed, Jan 04, 2023 at 11:47:12PM +0100, Gabriel Corona wrote:
On Debian and derivatives, the mono-runtime-common package associates the application/x-ms-dos-executable MIME type with the Mono CLR interpreter [1]. This makes it very easy for an attacker to trigger arbitrary code execution through programs such as Chromium [2], Firefox [3] and Thunderbird [4] when the Mono packages are installed. This has been fixed in package 6.8.0.105+dfsg-3.3 [5] which is available in Debian testing, Debian Sid and Ubuntu Lunar (23.04). This has currently not been fixed in any stable distribution.

On Firefox and Thunderbird, a user interface is used to let the user confirm which program to use to open the file. In this case, we can trick the user into thinking he is about to open the file with an innocuous program by serving the file with a special MIME type such as inode/directory or x-scheme-handler/trash [3,4].

These MIME types are typically associated with a file manager. When called this way, several file managers will try to open the file based on MIME-type associations (where the MIME-type is inferred either from the file name extension or from the file content). Thunar, PCManFM, PCManFM-Qt were found to exhibit this behavior. For Thunar, this behavior has been fixed in v4.16.7 and v4.17.2 [7].

We can use a visually confusable file name such as REPORT.ΡDF (notice the non-ASCII first letter in the extension) in order to trick the user into thinking he is opening a "safe" file type while disabling MIME-type detection based on the file name extension.

Moreover, in Firefox and Thunderbird [8], we can corrupt the file association database (handlers.json) in order to display a bogus file type description associated with the inode/directory or x-scheme-handler/trash MIME type. This is done by first serving a "safe" file type (such as a PDF) with this MIME type.
This begs several questions about file associations:
* Is it legitimate to register file associations for programs which can exhibit arbitrary code execution such as unsandboxed program interpreters?
No. Failure to do this is a major cause of security problems in Microsoft Windows.
* When a program (such as a file manager) is called with a regular file it does not handle, should it spawn a new program for handling the file without user confirmation (as it may be exploited for file type spoofing)?
No, it should not.
* Should a client program reject special/bogus MIME types such as inode/* and x-scheme-handler/* as they are not expected to be used in this context (and it may be exploited for file type spoofing)?
Yes, and there needs to be a database of such types.
I would consider the following behaviors to be vulnerabilities:
* Association of the Mono interpreter with a MIME type in the Debian/Ubuntu packages;
I agree.
* Thunar delegates to MIME type associations when opened with a regular file (CVE-2021-32563);
I agree.
* PCManFM delegates to MIME type associations when opened with a regular file;
I agree.
* PCManFM-Qt delegates to MIME type associations when opened with a regular file;
I agree.
* Firefox and Thunderbird accept "special" MIME types (inode/* and x-scheme-handler/*) from remote servers;
Not sure what you mean by “accept”. Do you mean that download should be aborted?
* File type spoofing by corrupting the Firefox and Thunderbird handlers.json database.
I agree.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972146
[2] https://www.gabriel.urdhr.fr/videos/chromium-filetype-spoofing-poc.ogv
[3] https://www.gabriel.urdhr.fr/videos/firefox-filetype-spoofing-poc.ogv
[4] https://www.gabriel.urdhr.fr/videos/thunderbird-filetype-spoofing-poc.ogv
[5] https://packages.debian.org/buster/mono-runtime-common
[6] https://packages.ubuntu.com/search?keywords=mono-runtime-common&searchon=names&suite=all&section=all
[7] https://nvd.nist.gov/vuln/detail/CVE-2021-32563
[8] https://www.gabriel.urdhr.fr/videos/firefox-filetype-spoofing-poc2.ogv
Qubes OS should probably register a catchall handler for special MIME types that does nothing.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
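An added example, not code from either poster or from any of the projects named, of the client-side gate the questions above argue for: refuse to consult MIME-type associations when a server-sent Content-Type is a pseudo-type such as inode/* or x-scheme-handler/*, and refuse to pick a handler for a file whose extension contains non-ASCII characters (the REPORT.ΡDF trick). The prefix list, the function names and the "save only" fallback are assumptions for illustration.

```python
# Added example: a download handler's pre-check before any MIME-type
# association lookup. Not the code of Firefox, Thunderbird, Thunar or
# PCManFM; the prefix list below is an assumption based on the thread.
from typing import Optional

# Pseudo MIME types that describe local objects (directories, URL
# schemes), never the content of a downloaded file. A remote server
# sending one of these as Content-Type is treated as spoofing.
SPECIAL_MIME_PREFIXES = ("inode/", "x-scheme-handler/")


def parse_content_type(header: str) -> str:
    """Return the lowercase type/subtype of a Content-Type header value,
    dropping parameters such as '; charset=utf-8'."""
    return header.split(";", 1)[0].strip().lower()


def is_special_mime_type(media_type: str) -> bool:
    """True for pseudo-types that must never come from a remote server."""
    return media_type.startswith(SPECIAL_MIME_PREFIXES)


def extension_is_confusable(filename: str) -> bool:
    """True if the file extension contains a non-ASCII character, e.g. the
    Greek capital rho in 'REPORT.ΡDF', which looks like 'PDF' to a user but
    defeats extension-based type detection."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1]
    return bool(ext) and not ext.isascii()


def choose_handler_type(content_type: str, filename: str) -> Optional[str]:
    """Return the MIME type it is safe to hand to an association lookup, or
    None when the client should fall back to a plain 'save file' prompt
    (the 'catchall handler that does nothing' idea) and not open anything."""
    media_type = parse_content_type(content_type)
    if is_special_mime_type(media_type):
        return None
    if extension_is_confusable(filename):
        return None
    return media_type


if __name__ == "__main__":
    # Constructed inputs mirroring the cases described in the thread.
    for ctype, name in [("application/pdf", "report.pdf"),
                        ("x-scheme-handler/trash", "report.pdf"),
                        ("inode/directory; charset=utf-8", "REPORT.ΡDF")]:
        print(f"{ctype!r:40} {name!r:16} -> {choose_handler_type(ctype, name)!r}")
```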