[Security Patch] Mitigate EFail Vulnerability for Webkit2



Hi all,

Balsa's Webkit2 (USE_WEBKIT2 is defined) implementation is vulnerable to the EFail [1] attack, as it loads 
external content *without* user interaction for the cases H4, H5, H14, H15 and H17.  The attached patch
* completely disables Java and JavaScript, as it should always be considered harmful in emails;
* completely disables loading external content without user confirmation.

I tested several legitimate HTML messages with embedded and external images; the patch doesn't change their 
behaviour.  I.e. embedded images are displayed, and external content is loaded only after user confirmation.

Please note that the patch addresses Webkit2 *only*.  I didn't test the other HTML options, Balsa /may/ still 
be vulnerable if they are used.  Additionally, there /may/ be other backchannels which could be used for an 
attack with Webkit2.  The only really safe option is to disable HTML rendering completely.

I also attach a test message (in mailbox format) which contains several HTML parts, each trying to exploit a 
different method for bypassing remote content blocking.  All requests are directed to my personal web page, 
and I don't collect logs.  To test it, just terminate all web applications, run tcpdump (or wireshark) for 
port 80, and open the message in Balsa or any other mail client…

Best,
Albrecht.


[1] <https://efail.de/efail-attack-paper.pdf>
diff --git a/libbalsa/html.c b/libbalsa/html.c
index 0c2cbaec..19a30c0e 100644
--- a/libbalsa/html.c
+++ b/libbalsa/html.c
@@ -280,17 +280,11 @@ lbh_navigation_policy_decision(WebKitPolicyDecision * decision,
     uri = webkit_uri_request_get_uri(request);
 
     switch (navigation_type) {
-    case WEBKIT_NAVIGATION_TYPE_OTHER:
-    case WEBKIT_NAVIGATION_TYPE_RELOAD:
-        d(g_print("%s uri %s, type %d, used\n", __func__, uri,
-                  navigation_type));
-        webkit_policy_decision_use(decision);
-        break;
     case WEBKIT_NAVIGATION_TYPE_LINK_CLICKED:
         d(g_print("%s clicked %s\n", __func__, uri));
         (*info->clicked_cb) (uri);
     default:
-        d(g_print("%s type %d, ignored\n", __func__, navigation_type));
+        d(g_print("%s uri %s, type %d, ignored\n", __func__, uri, navigation_type));
         webkit_policy_decision_ignore(decision);
     }
 }
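Review bot: the WEBKIT_NAVIGATION_TYPE_LINK_CLICKED case falls through into default without a `break`; that is the intended behaviour here (hand the URI to `info->clicked_cb`, then `webkit_policy_decision_ignore(decision)`), but mark it with a `/* fall through */` comment so the intent is explicit and -Wimplicit-fallthrough stays quiet. Also keep the scope of this hunk in mind: lbh_navigation_policy_decision only decides navigations (frame loads, meta refresh, form submissions and the like), so dropping the OTHER/RELOAD "use" cases does not by itself stop subresource requests such as `<img src>` or CSS `url()`; those are governed by the resource/image settings, not by this callback.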
@@ -628,6 +622,9 @@ libbalsa_html_new(LibBalsaMessageBody * body,
 
     settings = webkit_web_view_get_settings(web_view);
     webkit_settings_set_enable_plugins(settings, FALSE);
+    webkit_settings_set_enable_javascript(settings, FALSE);
+       webkit_settings_set_enable_java(settings, FALSE);
+       webkit_settings_set_enable_hyperlink_auditing(settings, TRUE);
     webkit_settings_set_auto_load_images
         (settings,
          g_regex_match_simple(cid_regex, text, G_REGEX_CASELESS, 0));
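Review bot: `webkit_settings_set_enable_hyperlink_auditing(settings, TRUE)` switches hyperlink auditing on, i.e. it enables the `<a ping=...>` backchannel (a request to the ping URL when the link is clicked) rather than disabling it; given the stated goal of removing backchannels this should be FALSE. The two new lines on either side of it are also indented differently from the surrounding code (the `webkit_settings_set_enable_javascript` line uses four spaces, the next two do not). Finally, the auto-load-images switch below is still a single boolean keyed on a cid: match over the whole body, so a message that mixes one cid: image with http(s) images has image loading enabled for all of them; it would be worth confirming in the review that the resource-request handling (not visible in this hunk) rejects the non-cid URIs.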

Attachment: EFail-Test.mbx.zip
Description: Zip archive

Attachment: pgpyBCmo5nuAd.pgp
Description: PGP signature
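Added example, not part of Albrecht's message and not Balsa code: a small Python scanner that lists the remote-content references in every HTML part of a message without fetching anything, roughly the class of backchannels the attached test mailbox exercises (load-time vectors such as `<img src>`, `<meta refresh>` and CSS `url()`, and click-time ones such as `<a ping>`). The message embedded in the block is constructed for the example, and the vector names are mine, not the paper's H-numbering.

```python
"""Scan the HTML parts of an e-mail for remote-content references (EFail-style
exfiltration channels) without issuing any network request.  Added example, not
Balsa code; the sample message below is constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element attributes whose value the renderer fetches (or may fetch on click).
LOAD_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "link": ("href",),
    "iframe": ("src",), "frame": ("src",), "script": ("src",),
    "object": ("data",), "embed": ("src",), "video": ("src", "poster"),
    "audio": ("src",), "input": ("src",), "a": ("ping",), "form": ("action",),
}
# Vectors that need a user action (click/submit) rather than firing on load.
INTERACTIVE = ("<a ping>", "<form action>")
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.I)
META_REFRESH_RE = re.compile(r"url\s*=\s*(\S+)", re.I)


def is_remote(ref):
    """True for references that would leave the machine (http/https/ftp or
    scheme-relative); cid:, data: and relative paths are not remote."""
    ref = ref.strip()
    return ref.startswith("//") or urlsplit(ref).scheme.lower() in ("http", "https", "ftp")


class RemoteRefScanner(HTMLParser):
    """Collects (vector, url) pairs for every remote reference in one HTML part."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        for attr in LOAD_ATTRS.get(tag, ()):
            if attr in attrs:
                for ref in self._candidates(attr, attrs[attr]):
                    self._add("<%s %s>" % (tag, attr), ref)
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.search(attrs.get("content", ""))
            if m:
                self._add("<meta refresh>", m.group(1).strip("'\""))
        if "style" in attrs:  # inline style="background: url(...)"
            for ref in CSS_URL_RE.findall(attrs["style"]):
                self._add("<%s style=url()>" % tag, ref)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> blocks are handed over as raw CDATA
            for ref in CSS_URL_RE.findall(data):
                self._add("<style> url()", ref)

    @staticmethod
    def _candidates(attr, value):
        if attr == "srcset":  # "url1 1x, url2 2x" -> [url1, url2]
            return [c.strip().split()[0] for c in value.split(",") if c.strip()]
        return [value]

    def _add(self, vector, ref):
        if is_remote(ref):
            self.findings.append((vector, ref.strip()))


def scan_message(raw_bytes):
    """Return one findings list per text/html part, in message order."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = RemoteRefScanner()
        scanner.feed(part.get_content())
        scanner.close()
        report.append(scanner.findings)
    return report


def zero_click_findings(findings):
    """Only the vectors that fire when the part is rendered, no click needed."""
    return [f for f in findings if f[0] not in INTERACTIVE]


# Constructed sample: a harmless cid: part, a tracking-pixel part, and a part
# that stacks several non-<img> channels.  Hostnames are not real.
SAMPLE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed remote-content test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>Embedded image only</p><img src="cid:logo@example.invalid"></body></html>
--b1
Content-Type: text/html; charset=us-ascii

<html><body><img src="http://tracker.example.invalid/pixel.gif?x="></body></html>
--b1
Content-Type: text/html; charset=us-ascii

<html><head>
<meta http-equiv="refresh" content="0; url=http://tracker.example.invalid/r">
<style>body { background: url("http://tracker.example.invalid/bg.png"); }</style>
</head><body>
<div style="background-image: url(//tracker.example.invalid/div.png)">x</div>
<a href="http://tracker.example.invalid/l" ping="http://tracker.example.invalid/ping">link</a>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for i, findings in enumerate(scan_message(SAMPLE), 1):
        print("part %d: %d remote reference(s), %d without user interaction"
              % (i, len(findings), len(zero_click_findings(findings))))
        for vector, url in findings:
            print("    %-22s %s" % (vector, url))
```

The scanner looks at each part in isolation, which is what the remote-content blocking in a client has to get right; it does not model the direct-exfiltration variant, where a client concatenates an attacker-supplied part, the decrypted part and a closing part into one document, so a URL can straddle part boundaries. To check that case, feed the concatenated HTML of all parts to one RemoteRefScanner instance.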
