CVE-2023-1945 is a vulnerability that affects Mozilla Thunderbird and Firefox ESR, where unexpected data returned from the Google Safe Browsing API could lead to memory corruption and a potentially exploitable crash. This can impact users of Mozilla Thunderbird versions below 102.10 and Firefox ESR versions below 102.10.

Manifestation

The root cause of this vulnerability is in the way Thunderbird and Firefox ESR handle the data returned from the Safe Browsing API. The Google Safe Browsing API is implemented as a service to check URLs against Google's constantly updated lists of suspected phishing and malware pages.

Normal operation involves sending a hashed URL prefix to the Safe Browsing API, which returns metadata or full hashes that match the prefix of the queried URL's hash. In certain cases the API might return unexpected, malformed or extremely large data that Thunderbird and Firefox ESR did not handle correctly, leading to memory corruption and a potentially exploitable crash.
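The fix Mozilla describes is on the client side: everything the API returns has to be treated as untrusted input. The following Python is an added example (not code from this page, from Mozilla, or from Google) of what a defensive parser for a v4 threatMatches:find response body looks like: it caps the body size before decoding, validates the JSON shape and the type of every field it uses, and rejects anything outside those bounds before the data reaches the rest of the client. The size limits and the sample response bodies are constructed for this example and are not the limits used by any real client.

```python
import json

# Bounds chosen for this example; real clients pick their own.
MAX_RESPONSE_BYTES = 64 * 1024
MAX_MATCHES = 500
MAX_URL_LEN = 2048

# threatType values defined by the v4 API that this parser accepts.
ALLOWED_THREAT_TYPES = {
    "MALWARE",
    "SOCIAL_ENGINEERING",
    "UNWANTED_SOFTWARE",
    "POTENTIALLY_HARMFUL_APPLICATION",
}


class MalformedResponse(ValueError):
    """Raised when the API body violates the expected size or shape."""


def parse_threat_matches(body):
    """Parse a threatMatches:find response body defensively.

    Returns a list of (threat_type, url) tuples. Any violation of the
    size or shape constraints raises MalformedResponse instead of letting
    unexpected data flow further into the client.
    """
    if not isinstance(body, (bytes, bytearray)):
        raise MalformedResponse("body must be bytes")
    # Size check happens before any decoding or parsing work.
    if len(body) > MAX_RESPONSE_BYTES:
        raise MalformedResponse(f"response too large: {len(body)} bytes")
    try:
        doc = json.loads(bytes(body).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise MalformedResponse(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise MalformedResponse("top-level value is not an object")
    # An empty object is the documented "no matches" response.
    matches = doc.get("matches", [])
    if not isinstance(matches, list):
        raise MalformedResponse("'matches' is not a list")
    if len(matches) > MAX_MATCHES:
        raise MalformedResponse(f"too many matches: {len(matches)}")
    result = []
    for i, match in enumerate(matches):
        if not isinstance(match, dict):
            raise MalformedResponse(f"match {i} is not an object")
        ttype = match.get("threatType")
        if ttype not in ALLOWED_THREAT_TYPES:
            raise MalformedResponse(f"match {i}: unknown threatType {ttype!r}")
        threat = match.get("threat")
        if not isinstance(threat, dict) or not isinstance(threat.get("url"), str):
            raise MalformedResponse(f"match {i}: missing threat.url string")
        url = threat["url"]
        if len(url) > MAX_URL_LEN:
            raise MalformedResponse(f"match {i}: url too long ({len(url)} chars)")
        result.append((ttype, url))
    return result


def safe_parse(body):
    """Exception-free wrapper: returns (matches, None) or ([], error_message)."""
    try:
        return parse_threat_matches(body), None
    except MalformedResponse as exc:
        return [], str(exc)


# Constructed sample bodies for this example.
SAMPLE_OK = (
    b'{"matches":[{"threatType":"MALWARE","platformType":"ANY_PLATFORM",'
    b'"threatEntryType":"URL","threat":{"url":"http://example.test/bad"}}]}'
)
SAMPLE_EMPTY = b"{}"
SAMPLE_OVERSIZED = b"A" * (MAX_RESPONSE_BYTES + 1)
SAMPLE_NOT_LIST = b'{"matches":{"threatType":"MALWARE"}}'

if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("empty", SAMPLE_EMPTY),
                       ("oversized", SAMPLE_OVERSIZED), ("not_list", SAMPLE_NOT_LIST)]:
        print(name, safe_parse(body))
```

The point of ordering the checks this way is that the cheapest check (length) runs first, so an oversized body never reaches the JSON decoder, and every field the client later dereferences has already been type-checked.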

Consider the sample code below, which the author presents as a way of triggering the crash through unexpected data sent to the API.

import os
import requests
from base64 import urlsafe_b64encode

# URL to query; base64url-encoded here as in the original sample
hash_url = "https://sample-malicious-url.com"
encoded_url = urlsafe_b64encode(hash_url.encode("utf-8")).decode("utf-8")

# Oversized filler appended to the entry to provoke unexpected API behaviour
unexpected_data = "A" * 100000

# API key read from the environment; the original sample left API_KEY undefined
API_KEY = os.environ["SAFE_BROWSING_API_KEY"]
api_url = f"https://safebrowsing.googleapis.com/v4/threatMatches:find?key={API_KEY}"
payload = {
    "client": {
        "clientId": "sample",
        "clientVersion": "1.0"
    },
    "threatInfo": {
        "threatTypes": ["MALWARE"],
        "platformTypes": ["ANY_PLATFORM"],
        "threatEntryTypes": ["URL"],
        "threatEntries": [{"url": encoded_url + unexpected_data}]
    }
}

response = requests.post(api_url, json=payload, timeout=30)
print(response.status_code, response.text[:200])

An attacker might attempt to call the API with malformed or crafted payloads that can provoke a crash in Thunderbird and Firefox ESR.

Exploit Details

To successfully exploit this vulnerability, an attacker needs to craft a specific payload that would cause the memory corruption and subsequent crash. The attacker would likely study the details of how Thunderbird and Firefox process the data returned from the API and use this knowledge to design their payload.

It's essential to address this issue to maintain the security and stability of Thunderbird and Firefox ESR for their users.

Mitigation and Solution

Mozilla has addressed this vulnerability by improving how Thunderbird and Firefox ESR handle unexpected or malformed data returned by the Safe Browsing API. The vulnerability is fixed in the following versions:

Thunderbird version 102.10 and above
Firefox ESR version 102.10 and above

To mitigate this issue, users should update their Thunderbird and Firefox ESR installations to at least the mentioned versions.
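Checking an installed version against the fixed release is the one place this gets subtle: "102.9.1" is below "102.10", but a plain string comparison says otherwise. The Python below is an added example, not part of the page or of Mozilla's tooling, that parses dotted versions (including suffixes such as "esr") into integer tuples and reports which hosts in a constructed inventory still run a Thunderbird or Firefox ESR build below 102.10. The threshold comes from the advisory text above; the inventory is constructed.

```python
import re

# Fixed release stated in the advisory: both products are patched in 102.10.
FIXED_VERSION = (102, 10)


def parse_version(text):
    """Turn '102.9.1', '102.10esr' or '115.0' into a tuple of ints.

    Each dotted component must start with digits; a trailing non-numeric
    suffix such as 'esr' is ignored. Tuple comparison then treats a
    missing component as lower, so (102, 10) < (102, 10, 0) but both are
    >= FIXED_VERSION, which is what we want.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True if this Thunderbird / Firefox ESR version is below the fixed 102.10."""
    return parse_version(version) < FIXED_VERSION


def audit(inventory):
    """Given a {hostname: version} mapping, return hosts that still need the update."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Constructed inventory for this example.
SAMPLE_INVENTORY = {
    "mail-01": "102.9.1",
    "mail-02": "102.10.0",
    "mail-03": "102.10esr",
    "mail-04": "91.13.0",
    "mail-05": "115.0",
}

if __name__ == "__main__":
    print("needs update:", audit(SAMPLE_INVENTORY))
```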

Original References

- Mozilla Security Advisory
- CVE-2023-1945 National Vulnerability Database
- Google Safe Browsing API


In conclusion, CVE-2023-1945 is a vulnerability that affects Mozilla Thunderbird and Firefox ESR due to unexpected data returned from the Safe Browsing API. This could lead to memory corruption and potentially exploitable crashes. Users are encouraged to update their software to the latest versions to ensure their safety and security.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 15:06:00 UTC