Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1611-1) - Nessus
Critical Plugin ID: 62548This page contains detailed information about the Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1611-1) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 62548
Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1611-1)
Filename: ubuntu_USN-1611-1.nasl
Vulnerability Published: 2012-10-10
This Plugin Published: 2012-10-15
Last Modification Time: 2019-09-19
Plugin Version: 1.11
Plugin Type: local
Plugin Family: Ubuntu Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items [?]: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release
Vulnerability Information
Severity: Critical
Vulnerability Published: 2012-10-10
Patch Published: 2012-10-12
CVE [?]: CVE-2012-3982, CVE-2012-3983, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188, CVE-2012-4191, CVE-2012-4192, CVE-2012-4193
CPE [?]: cpe:/o:canonical:ubuntu_linux:10.04:-:lts, cpe:/o:canonical:ubuntu_linux:11.04, cpe:/o:canonical:ubuntu_linux:11.10, cpe:/o:canonical:ubuntu_linux:12.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:thunderbird
Exploited by Malware: True
Synopsis
The remote Ubuntu host is missing a security-related patch.
Description
Henrik Skupin, Jesse Ruderman, Christian Holler, Soroush Dalili and others discovered several memory corruption flaws in Thunderbird. If a user were tricked into opening a malicious website and had JavaScript enabled, an attacker could exploit these to execute arbitrary JavaScript code within the context of another website or arbitrary code as the user invoking the program. (CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989, CVE-2012-4191)
David Bloom and Jordi Chancel discovered that Thunderbird did not always properly handle the <select> element. If a user were tricked into opening a malicious website and had JavaScript enabled, a remote attacker could exploit this to conduct URL spoofing and clickjacking attacks. (CVE-2012-3984)
Collin Jackson discovered that Thunderbird did not properly follow the HTML5 specification for document.domain behavior. If a user were tricked into opening a malicious website and had JavaScript enabled, a remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution. (CVE-2012-3985)
Johnny Stenback discovered that Thunderbird did not properly perform security checks on test methods for DOMWindowUtils. (CVE-2012-3986)
Alice White discovered that the security checks for GetProperty could be bypassed when using JSAPI. If a user were tricked into opening a specially crafted web page and had JavaScript enabled, a remote attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2012-3991)
Mariusz Mlynski discovered a history state error in Thunderbird. If a user were tricked into opening a malicious website and had JavaScript enabled, a remote attacker could exploit this to spoof the location property to inject script or intercept posted data. (CVE-2012-3992)
Mariusz Mlynski and others discovered several flaws in Thunderbird that allowed a remote attacker to conduct cross-site scripting (XSS) attacks. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page and had JavaScript enabled, a remote attacker could exploit these to modify the contents, or steal confidential data, within the same domain. (CVE-2012-3993, CVE-2012-3994, CVE-2012-4184)
Abhishek Arya, Atte Kettunen and others discovered several memory flaws in Thunderbird when using the Address Sanitizer tool. If a user were tricked into opening a malicious website and had JavaScript enabled, an attacker could exploit these to execute arbitrary JavaScript code within the context of another website or execute arbitrary code as the user invoking the program. (CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188)
It was discovered that Thunderbird allowed improper access to the Location object. An attacker could exploit this to obtain sensitive information. Under certain circumstances, a remote attacker could use this vulnerability to potentially execute arbitrary code as the user invoking the program. (CVE-2012-4192, CVE-2012-4193).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected thunderbird package.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1611-1) vulnerability:
- Metasploit: exploit/multi/browser/firefox_proto_crmfrequest
[Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution] - Metasploit: exploit/multi/browser/firefox_proto_crmfrequest
[Firefox 5.0 - 15.0.1 exposedProps XCS Code Execution] - Exploit-DB: exploits/multiple/local/30474.rb
[EDB-30474: Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)] - GitHub: https://github.com/lukeber4/usn-search
[CVE-2012-3991]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
| CVSS Base Score: | 10.0 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 8.7 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.7 (High) |
Go back to menu.
Plugin Source
This is the ubuntu_USN-1611-1.nasl nessus plugin source code. Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-1611-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include("compat.inc");
if (description)
{
script_id(62548);
script_version("1.11");
script_cvs_date("Date: 2019/09/19 12:54:28");
script_cve_id("CVE-2012-3982", "CVE-2012-3983", "CVE-2012-3984", "CVE-2012-3985", "CVE-2012-3986", "CVE-2012-3988", "CVE-2012-3989", "CVE-2012-3990", "CVE-2012-3991", "CVE-2012-3992", "CVE-2012-3993", "CVE-2012-3994", "CVE-2012-3995", "CVE-2012-4179", "CVE-2012-4180", "CVE-2012-4181", "CVE-2012-4182", "CVE-2012-4183", "CVE-2012-4184", "CVE-2012-4185", "CVE-2012-4186", "CVE-2012-4187", "CVE-2012-4188", "CVE-2012-4191", "CVE-2012-4192", "CVE-2012-4193");
script_bugtraq_id(55856, 55889);
script_xref(name:"USN", value:"1611-1");
script_name(english:"Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1611-1)");
script_summary(english:"Checks dpkg output for updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Ubuntu host is missing a security-related patch."
);
script_set_attribute(
attribute:"description",
value:
"Henrik Skupin, Jesse Ruderman, Christian Holler, Soroush Dalili and
others discovered several memory corruption flaws in Thunderbird. If a
user were tricked into opening a malicious website and had JavaScript
enabled, an attacker could exploit these to execute arbitrary
JavaScript code within the context of another website or arbitrary
code as the user invoking the program. (CVE-2012-3982, CVE-2012-3983,
CVE-2012-3988, CVE-2012-3989, CVE-2012-4191)
David Bloom and Jordi Chancel discovered that Thunderbird did not
always properly handle the <select> element. If a user were tricked
into opening a malicious website and had JavaScript enabled, a remote
attacker could exploit this to conduct URL spoofing and clickjacking
attacks. (CVE-2012-3984)
Collin Jackson discovered that Thunderbird did not properly follow the
HTML5 specification for document.domain behavior. If a user were
tricked into opening a malicious website and had JavaScript enabled, a
remote attacker could exploit this to conduct cross-site scripting
(XSS) attacks via JavaScript execution. (CVE-2012-3985)
Johnny Stenback discovered that Thunderbird did not properly perform
security checks on test methods for DOMWindowUtils. (CVE-2012-3986)
Alice White discovered that the security checks for GetProperty could
be bypassed when using JSAPI. If a user were tricked into opening a
specially crafted web page and had JavaScript enabled, a remote
attacker could exploit this to execute arbitrary code as the user
invoking the program. (CVE-2012-3991)
Mariusz Mlynski discovered a history state error in Thunderbird. If a
user were tricked into opening a malicious website and had JavaScript
enabled, a remote attacker could exploit this to spoof the location
property to inject script or intercept posted data. (CVE-2012-3992)
Mariusz Mlynski and others discovered several flaws in Thunderbird
that allowed a remote attacker to conduct cross-site scripting (XSS)
attacks. With cross-site scripting vulnerabilities, if a user were
tricked into viewing a specially crafted page and had JavaScript
enabled, a remote attacker could exploit these to modify the contents,
or steal confidential data, within the same domain. (CVE-2012-3993,
CVE-2012-3994, CVE-2012-4184)
Abhishek Arya, Atte Kettunen and others discovered several memory
flaws in Thunderbird when using the Address Sanitizer tool. If a user
were tricked into opening a malicious website and had JavaScript
enabled, an attacker could exploit these to execute arbitrary
JavaScript code within the context of another website or execute
arbitrary code as the user invoking the program. (CVE-2012-3990,
CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181,
CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186,
CVE-2012-4187, CVE-2012-4188)
It was discovered that Thunderbird allowed improper access to the
Location object. An attacker could exploit this to obtain sensitive
information. Under certain circumstances, a remote attacker could use
this vulnerability to potentially execute arbitrary code as the user
invoking the program. (CVE-2012-4192, CVE-2012-4193).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://usn.ubuntu.com/1611-1/"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected thunderbird package."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:thunderbird");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/10");
script_set_attribute(attribute:"patch_publication_date", value:"2012/10/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/10/15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Ubuntu Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(10\.04|11\.04|11\.10|12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 11.04 / 11.10 / 12.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
flag = 0;
if (ubuntu_check(osver:"10.04", pkgname:"thunderbird", pkgver:"16.0.1+build1-0ubuntu0.10.04.1")) flag++;
if (ubuntu_check(osver:"11.04", pkgname:"thunderbird", pkgver:"16.0.1+build1-0ubuntu0.11.04.1")) flag++;
if (ubuntu_check(osver:"11.10", pkgname:"thunderbird", pkgver:"16.0.1+build1-0ubuntu0.11.10.1")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"thunderbird", pkgver:"16.0.1+build1-0ubuntu0.12.04.1")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird");
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/ubuntu_USN-1611-1.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\ubuntu_USN-1611-1.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/ubuntu_USN-1611-1.nasl
Go back to menu.
How to Run
Here is how to run the Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1611-1) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Ubuntu Local Security Checks plugin family.
- On the right side table select Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1611-1) plugin ID 62548.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl ubuntu_USN-1611-1.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a ubuntu_USN-1611-1.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - ubuntu_USN-1611-1.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state ubuntu_USN-1611-1.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: USN | Ubuntu Security Notice: See also:
- https://www.tenable.com/plugins/nessus/62548
- https://usn.ubuntu.com/1611-1/
- https://vulners.com/nessus/UBUNTU_USN-1611-1.NASL
- 62484 - CentOS 5 / 6 : firefox (CESA-2012:1350)
- 62485 - CentOS 5 / 6 : thunderbird (CESA-2012:1351)
- 62667 - Debian DSA-2565-1 : iceweasel - several vulnerabilities
- 62748 - Debian DSA-2569-1 : icedove - several vulnerabilities
- 62805 - Debian DSA-2572-1 : iceape - several vulnerabilities
- 62490 - FreeBSD : mozilla -- multiple vulnerabilities (6e5a9afd-12d3-11e2-b47d-c8600054b392)
- 63402 - GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)
- 62575 - Firefox < 10.0.8 Multiple Vulnerabilities (Mac OS X)
- 62576 - Firefox < 16.0 Multiple Vulnerabilities (Mac OS X)
- 62577 - Mozilla Thunderbird 10.0.x < 10.0.8 Multiple Vulnerabilities (Mac OS X)
- 62578 - Mozilla Thunderbird < 16.0 Multiple Vulnerabilities (Mac OS X)
- 62579 - Firefox 10.0.x < 10.0.8 Multiple Vulnerabilities
- 62580 - Firefox < 16.0 Multiple Vulnerabilities
- 62581 - Mozilla Thunderbird 10.0.x < 10.0.8 Multiple Vulnerabilities
- 62582 - Mozilla Thunderbird < 16.0 Multiple Vulnerabilities
- 74779 - openSUSE Security Update : MozillaFirefox (openSUSE-SU-2012:1345-1)
- 68635 - Oracle Linux 5 / 6 : firefox (ELSA-2012-1350)
- 68636 - Oracle Linux 6 : thunderbird (ELSA-2012-1351)
- 62472 - RHEL 5 / 6 : firefox (RHSA-2012:1350)
- 62473 - RHEL 5 / 6 : thunderbird (RHSA-2012:1351)
- 62583 - SeaMonkey < 2.13 Multiple Vulnerabilities
- 62492 - Scientific Linux Security Update : firefox on SL5.x, SL6.x i386/x86_64 (20121009)
- 62493 - Scientific Linux Security Update : thunderbird on SL5.x, SL6.x i386/x86_64 (20121009)
- 64133 - SuSE 11.2 Security Update : Mozilla Firefox (SAT Patch Number 6951)
- 62573 - SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8327)
- 83562 - SUSE SLED10 / SLED11 / SLES10 / SLES11 Security Update : Mozilla Firefox (SUSE-SU-2012:1351-1)
- 62476 - Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1600-1)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file ubuntu_USN-1611-1.nasl version 1.11. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
