Insomnia : ISVA-110822.1 - Pidgin IM Insecure URL Handling Remote Code Execution



___________________________________________________________________

Insomnia Security Vulnerability Advisory: ISVA-110822.1
___________________________________________________________________

Name: Pidgin IM Insecure URL Handling Remote Code Execution
Reported: 21 July 2011

Vendor Link:
http://www.pidgin.im

Affected Products:
Pidgin Instant Messaging Client <= 2.9.0

Original Advisory:
http://www.insomniasec.com/advisories/ISVA-110822.1.htm

Researcher:
James Burton, Insomnia Security
http://www.insomniasec.com
___________________________________________________________________


_______________

Description
_______________

Pidgin is an open source instant messaging client that allows users
to log in to accounts on multiple chat networks simultaneously.

An insecure URL handling vulnerability exists in Pidgin <= 2.9.0
that can be exploited to cause remote code execution.

This vulnerability requires user interaction in the form of clicking
a malicious crafted URL.

_______________

Details
_______________

Pidgin supports the use of URL handlers in IM sessions. The Windows build
passes URLs directly to the ShellExecute API where they are executed under
the context of the user running the application.

When passed through a file:// URL a malicious executable can be hosted
and executed off a remote WEBDAV/SMB share.

This vulnerability requires user interaction in the form of clicking a
crafted URL but Pidgins Insert -> Link function gives the option of adding
a description which masks the underlying link.

This makes the task of social engineering the target a trivial one.

This vulnerability has only been confirmed over Google-Talk though
exploitation over other chat networks may be possible.

_______________

Solution
_______________

Upgrade to Pidgin 2.10.0 from http://www.pidgin.im/
The Pidgin changelog can be found http://developer.pidgin.im/wiki/ChangeLog

_______________

Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________

Insomnia Security Vulnerability Advisory: ISVA-110822.1
___________________________________________________________________



Relevant Pages

  • [Full-disclosure] Insomnia : ISVA-110822.1 - Pidgin IM Insecure URL Handling Remote Code
    ... Insomnia Security Vulnerability Advisory: ISVA-110822.1 ... Pidgin IM Insecure URL Handling Remote Code Execution ...
    (Full-Disclosure)
  • [Full-disclosure] [SECURITY] [DSA 2509-1] pidgin security update
    ... The vulnerability can be exploited by an incoming ... and in some circumstances can lead to remote code execution. ... We recommend that you upgrade your pidgin packages. ... Further information about Debian Security Advisories, ...
    (Full-Disclosure)
  • [SECURITY] [DSA 2509-1] pidgin security update
    ... The vulnerability can be exploited by an incoming ... and in some circumstances can lead to remote code execution. ... We recommend that you upgrade your pidgin packages. ... Further information about Debian Security Advisories, ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2010:085 ] pidgin
    ... Security vulnerabilities has been identified and fixed in pidgin: ... The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium ... Directory traversal vulnerability in slp.c in the MSN protocol ... Mandriva Linux 2009.0/X86_64: ...
    (Full-Disclosure)
  • [ MDVSA-2010:085 ] pidgin
    ... Security vulnerabilities has been identified and fixed in pidgin: ... The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium ... Directory traversal vulnerability in slp.c in the MSN protocol ... Mandriva Linux 2009.0/X86_64: ...
    (Bugtraq)