Security problem allows to remotely read user files (MSN protocol)

Bug #501089 reported by Isaac Clerencia
Affects: pidgin (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned

Bug Description

Binary package hint: pidgin

There is a bug in libpurple allowing remote users to access files on the local machine for users of MSN with certain features enabled.

I have an exploit written in 20 lines of Python which works with the pidgin version in Karmic. I have tried to check Pidgin's list of vulnerabilities and it's not there. I just came across this bug because it was mentioned in a talk at the CCC.

I'll happily describe the problem and provide the script that exploits this vulnerability to the security team.

Cheers!

ProblemType: Bug
Architecture: i386
Date: Mon Dec 28 19:33:28 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
NonfreeKernelModules: wl nvidia
Package: libpurple0 1:2.6.2-1ubuntu7
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/zsh
ProcVersionSignature: Ubuntu 2.6.31-16.53-generic-pae
SourcePackage: pidgin
Uname: Linux 2.6.31-16-generic-pae i686

Revision history for this message
Isaac Clerencia (isaaccp) wrote :

Uhm, so apparently this bug is private, so I'll continue ... the problem is related to the support for custom smileys.

Usually you tell your peer, "I am using a custom smiley, its name is 'foo.png' and you can request it if you want." The other party will then request it if it wants it.

The problem is that the other party can request any other file instead of 'foo.png', and libpurple won't check the SHA1 hash and will even allow the file path to include '../..'.

It only works if custom smileys are activated (i.e., if you have ever declared a custom smiley, so I'd say most people are not affected). And in this case any MSN client can just start sending requests for files to Pidgin and it will serve them without even notifying the user in any way.

I am attaching a sample script using python-papyon that exploits this bug (not an elegant script, but works).

Revision history for this message
Isaac Clerencia (isaaccp) wrote :

This exploit doesn't work perfectly, as in it won't save the retrieved file or output it properly, but you can check with wireshark or tcpdump that the file actually gets transferred. It's just a minor detail to write it down or whatever.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
Isaac Clerencia (isaaccp) wrote :

Yes, that's it :)

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the exploit. I'll leave this bug private, and we'll fix pidgin once the CVE number request has gone through.

Changed in pidgin (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This got CVE-2010-0013.

visibility: private → public
Revision history for this message
bernhard (bernhardredl) wrote :

This has been patched & released upstream (pidgin 2.6.5)
http://developer.pidgin.im/wiki/ChangeLog

Is this going to be an Ubuntu security update?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.6.2-1ubuntu7.1

---------------
pidgin (1:2.6.2-1ubuntu7.1) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service via crafted contact list data
    - debian/patches/63_security_CVE-2009-3615.patch: validate contact
      list structure in libpurple/protocols/oscar/oscar.c.
    - CVE-2009-3615
  * SECURITY UPDATE: directory traversal via custom smiley request
    (LP: #501089)
    - debian/patches/64_security_CVE-2010-0013.patch: ignore request for
      smileys that don't exist in the image store in
      libpurple/protocols/msn/slp.c.
    - CVE-2010-0013
 -- Marc Deslauriers <email address hidden> Thu, 14 Jan 2010 11:22:13 -0500

Changed in pidgin (Ubuntu):
status: Confirmed → Fix Released
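As an added illustration (not code from this report or from libpurple), here is the shape of the defect described in the thread and of the fix named in the changelog: the peer-supplied smiley name must be treated as a key into the local image store, never as a filesystem path. The image store, its paths and the SHA1 values are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libpurple's custom-smiley image store: only
 * smileys the local user has actually announced to a peer live here.
 * Paths and SHA1 values are made up for this example. */
typedef struct {
    const char *shortcut;   /* name announced to the peer, e.g. "foo.png" */
    const char *sha1;       /* hex SHA1 announced alongside the name */
    const char *local_path; /* where the image really lives on disk */
} smiley_entry;

#define SMILEY_DIR "/home/user/.purple/smileys"

static const smiley_entry image_store[] = {
    { "foo.png", "0123456789abcdef0123456789abcdef01234567", SMILEY_DIR "/foo.png" },
    { "bar.gif", "89abcdef0123456789abcdef0123456789abcdef", SMILEY_DIR "/bar.gif" },
};

/* Pre-fix shape of the lookup: the peer-supplied name is spliced into a
 * filesystem path with no check against the store, so "../.." escapes
 * the smiley directory. Kept here only to contrast with the fixed version. */
const char *unchecked_smiley_path(const char *req_name)
{
    static char path[512];
    snprintf(path, sizeof path, "%s/%s", SMILEY_DIR, req_name);
    return path;
}

/* Hardened lookup, following the changelog's "ignore requests for smileys
 * that don't exist in the image store": the name is only a key into the
 * store, and the SHA1 must match too. NULL means "ignore the request". */
const char *resolve_smiley_request(const char *req_name, const char *req_sha1)
{
    if (req_name == NULL || req_sha1 == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof image_store / sizeof image_store[0]; i++) {
        const smiley_entry *e = &image_store[i];
        if (strcmp(e->shortcut, req_name) == 0 && strcmp(e->sha1, req_sha1) == 0)
            return e->local_path;
    }
    return NULL;
}

int main(void)
{
    const char *traversal = "../../private.txt"; /* constructed request name */
    printf("unchecked: %s\n", unchecked_smiley_path(traversal));
    const char *p = resolve_smiley_request(traversal, image_store[0].sha1);
    printf("hardened:  %s\n", p ? p : "(request ignored)");
    return 0;
}
```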