I’m using Thunderbird as my email client on a daily basis. Not that long ago I’ve been trying to send a PDF document, that I previously got from the Web, as an email attachment. To my surprise the normal drag’n’drop and send routine didn’t do it. A short glance at the filename made it obvious — the percent-encoded forward slashes (%2F) in the filename got in the way.
As probably most of you guys, I’m not spending my day fuzzing stuff, but, probably as most of you again, I’m bumping over a software glitch from time to time. Sometimes, when I’m in the mood, I’m poking the hole to see what happens.
And I was in the mood that day.
As it seems, when an email is glued together (after punching the "send" button), the attachment file name is percent-decoded. This way when trying to send a file attachment named something like this:
..%2F..%2F..%2F..%2F..%2FWINDOWS%2Fwinnt.bmp%00.txt
a victim will most likely end up sending a winnt.bmp file from their windows directory instead of what they actually intended to send. The actual content of a file that the victim is trying to attach is of course irrelevant.
I wouldn’t be me if I left it at this. So, as an enhancement to the basic idea, we can add some more jumps to the upper directory to have better chance that we get to the root level of the file system:
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2FWINDOWS%2Fwinnt.bmp
And to add some more fun we can, say, get ourselves someone's SAM file from the windows\repair directory:
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2FWINDOWS%2Frepair%2Fsam%00.bmp
The .bmp extension ensures proper encoding of a binary file (I've been really impressed how perfectly the %00 gets its job done).
Finally we can do some obfuscation:
%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F
%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%57%49%4E
%44%4F%57%53%2F%72%65%70%61%69%72%2F%73%61%6D%00%.bmp
As for the severity of this flaw, it certainly couldn’t be called serious as 1) it takes a lot of user interaction (i.e. downloading the funny named file and then sending it as an attachment) and 2) an attacker needs to be able to sniff the sent email off the wire. I can think of some highly directed attacks under which this bug can potentially result in exploitable conditions, but my guess is that one would rather find an easier way to get the job done.
Even though it’s nothing serious this time, it gives us some food for thought. Firstly, there is no such thing as "we know this kind of bugs for ages and they don’t happen anymore". Secondly, a well thought over architecture, a robust coding framework and a proper code quality assurance shouldn’t be optional. And finally, you can never have enough of code quality assurance.