Jabber: Client and OS version visible to authorized buddies

Bug #128159 reported by Till Ulen on 2007-07-25
Affects          Status         Importance   Assigned to   Milestone
Gaim             Fix Released   Unknown
gaim (Ubuntu)                   Low          Unassigned

Bug Description

Binary package hint: gaim

If you use XMPP (Jabber), Pidgin (formerly Gaim) discloses its exact version number, your operating system details and hardware architecture to the buddies whom you have authorized. I tested Pidgin 2.0.2 on Windows XP and Gaim 1:2.0.0+beta6-1ubuntu4 from Ubuntu 7.04 Feisty Fawn.

Under GNU/Linux, the precise kernel version number is reported. Under Windows, the OS version number seems to reflect only major releases, like Windows 2000 or Windows XP.

Security and privacy implications

Disclosing so much information about your system is a security exposure. It can facilitate, for example, a) spreading Pidgin worms, b) conducting a targeted attack without being noticed, or c) OS version scanning behind firewalls.

You might also object to sharing information about your operating system and IM client with your buddies.

Sample attack schemes

Included here to scare you if you don't take security seriously or if you think that limiting it to authorized buddies is secure enough.

a) Spreading worms that exploit Pidgin (Gaim) vulnerabilities

If the worm writer can remotely exploit one or more vulnerabilities in Pidgin, the ability to reliably detect the version and platform of the peers comes in handy. Instead of crashing some clients or being noticed by their users, the worm will be able to infect all vulnerable clients without making noise. Because the worm infects users' clients, it will be already authorized by most of its next victims.

b) Targeted attack without leaving lots of traces

If Eve is not yet authorized by you, she first tricks you into authorizing her by being, or pretending to be, somebody you are interested in communicating with. Using this Pidgin exposure, she learns what hardware you have and what OS you are running. From that information she may be able to deduce your GNU/Linux distribution and the versions of other programs that often come with your kernel. To perform her real attack, she uses an exploit that is known to work against the exact version of Pidgin, the kernel, or other software that you are running. As in the worm example, Eve could succeed from the first shot, thus leaving far fewer traces for your intrusion detection system to notice. If she didn't know the version numbers, she'd have to try her exploits one by one, making more noise and increasing your chance of detecting her intrusion attempts.

c) OS version scanning behind firewalls

First, Trudy collects a list of interesting users from multiple sources on the web, from a directory of an organization's employees, and so on. Her XMPP bot goes over the list of users tricking them into authorizing it and, if they are running Pidgin, recording their OS details. To find out the IP of each user, the bot or Trudy herself can have the user send a file or an email to them. If there is no smart proxy in the way, the sender's IP will be known from the direct file transfer to Trudy's host or from the Received mail headers. Now Trudy can use the version information obtained to find hosts with known vulnerabilities and mount further attacks... Windows versions of Pidgin are immune to this kind of attack as they don't report exact version numbers of the OS components.

To reproduce the problem:

1. Open Pidgin and log in to your Jabber account. (If you don't have one, you can register at jabber.org or gmail.com, among others.) This client will be the "victim" of information disclosure.

2. Open any XMPP-capable client (or maybe just another copy of Pidgin in a different session) and log in to another Jabber account. This client will be the "attacker".

3. Add your victim account to the buddy list of the attacker.

4. Authorize the attacker from the victim client.

5. In your attacker client, examine the victim's user information. In Pidgin (Gaim) you can right-click an entry in the buddy list and select Get Info.

6. The version numbers of the victim's Pidgin and operating system appear. In Pidgin, they are listed under Client and Operating System like this:

  Client: gaim 2.0.0beta6
  Operating System: Linux 2.6.20-16-generic i686

Fix

The safest default that still provides the intended functionality would be reporting "Pidgin" as the client name and "Windows", "FreeBSD", "Linux", "Mac OS" as the operating system. I wonder, though, why an instant messaging client should silently report my operating system to anyone with whom I like to chat.

At the very least, the exact version number of Pidgin and the OS kernel (under non-Windows systems) shouldn't be reported. They can be truncated to their major versions, like Pidgin 2, Windows XP, Linux 2.6.

If there is a configuration option to set what versions Pidgin reports (without rebuilding it from source), please let me know.

Other protocols

I have not looked into other instant messaging protocols that Pidgin supports. There may be similar exposures in them.

 -- Alexander Konovalenko
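As an added example (not part of the report or of Pidgin's own code), here is a small Python sketch of the stanza behind the "Get Info" step, an XEP-0092 jabber:iq:version result, together with a check for the precise-kernel disclosure described above and the coarsening the Fix section proposes. The stanza text, JIDs and id are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = "{jabber:iq:version}"

# Constructed XEP-0092 result stanza of the kind that yields the
# "Client: gaim 2.0.0beta6" / "Operating System: Linux 2.6.20-16-generic i686"
# lines quoted in the report. JIDs and the iq id are made up.
SAMPLE_REPLY = """<iq type='result' from='victim@example.org/home' to='buddy@example.org/work' id='v1'>
  <query xmlns='jabber:iq:version'>
    <name>gaim</name>
    <version>2.0.0beta6</version>
    <os>Linux 2.6.20-16-generic i686</os>
  </query>
</iq>"""


def parse_version_reply(stanza):
    """Return (name, version, os) from a jabber:iq:version result; '' for a missing field."""
    query = ET.fromstring(stanza).find(NS + "query")
    if query is None:
        raise ValueError("not a jabber:iq:version reply")
    return tuple((query.findtext(NS + tag) or "").strip() for tag in ("name", "version", "os"))


def discloses_precise_kernel(os_field):
    """True when the OS field carries a full x.y.z kernel number or a CPU architecture."""
    return bool(re.search(r"\d+\.\d+\.\d+", os_field)) or \
        bool(re.search(r"\b(i[3-6]86|x86_64|amd64|ppc)\b", os_field))


def coarsen(name, version, os_field):
    """The report's proposed fix: client major version only, OS family plus
    major.minor release, and no architecture. 'Windows XP' is kept as-is."""
    major = re.match(r"\d+", version)
    parts = os_field.split()
    os_out = parts[0] if parts else ""
    if len(parts) > 1:
        release = re.match(r"\d+\.\d+", parts[1])
        os_out += " " + (release.group(0) if release else parts[1])
    return name, (major.group(0) if major else ""), os_out


def build_version_reply(name, version, os_field, to, iq_id):
    """Serialize a (coarsened) jabber:iq:version result stanza."""
    iq = ET.Element("iq", {"type": "result", "to": to, "id": iq_id})
    query = ET.SubElement(iq, "query", {"xmlns": "jabber:iq:version"})
    for tag, text in (("name", name), ("version", version), ("os", os_field)):
        ET.SubElement(query, tag).text = text
    return ET.tostring(iq, encoding="unicode")
```

Running `coarsen(*parse_version_reply(SAMPLE_REPLY))` turns the sample into ("gaim", "2", "Linux 2.6"), which is what a client following the proposed fix would answer.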

CVE References

Till Ulen (tillulen) wrote :

This issue has been assigned CVE number CVE-2007-4002.

Changed in gaim:
status: Unknown → Invalid
Sebastien Bacher (seb128) wrote :

doesn't seem to be a security issue

Changed in gaim:
importance: Undecided → Low

On 24/08/07, Sebastien Bacher <email address hidden> wrote:
> doesn't seem to be a security issue

Sebastien,

To summarize my analysis above, revealing the versions of software and
the hardware architecture can aid attackers to conceal their attacks
and to perform them with a greater rate of success.

Could you please explain why that is not a security issue?

Sebastien Bacher (seb128) wrote :

that's nothing really exploitable and there are other ways to determine what OS is running

Till Ulen (tillulen) wrote :

On 24/08/07, Sebastien Bacher wrote:
> that's nothing really exploitable and there are other ways to determine
> what OS is running

What is that other way to determine the exact kernel version of an
Ubuntu machine remotely? Assume that the attacker can communicate with
the victim's Pidgin client by sending and receiving Jabber messages.

Sebastien Bacher (seb128) wrote :

I'll let the security team comment

Changed in gaim:
status: Invalid → New
Kees Cook (kees) wrote :

Each Linux distribution has a very limited set of possible kernel versions. It is nearly trivial to guess at someone's kernel version. Also, "4. Authorize the attacker from the victim client." requires the victim do some work to help the attacker. :)

I would, however, consider it a "bug" to not be able to disable this information in pidgin (e.g. gajim allows you to set privacy flags), but I don't find this to be a significant "information disclosure".

Till Ulen (tillulen) wrote :

On 27/08/07, Kees Cook wrote:
> Each Linux distribution has a very limited set of possible kernel
> versions. It is nearly trivial to guess at someone's kernel version.

Well, there is a limited number of possible hardware architectures,
operating systems, and software versions. If the attacker can afford
guessing, this "feature" of Pidgin is indeed useless for him.

However, there are two possible uses for knowing the victim's
configuration *exactly* in advance: hiding the attacker's activity and
increasing the success rate of one-shot exploits (for worms). Details
can be found in the "Sample attack schemes" section of my original
report.

> Also, "4. Authorize the attacker from the victim client." requires the
> victim do some work to help the attacker. :)

That's good but it doesn't add too much protection, as I argue in the
original report.

> I don't find this to be a significant "information disclosure".

Frankly, I don't consider this a significant information disclosure
either. It's an insignificant one. :-) Most importantly, I'd like to
make sure that this issue is not ignored and will be eventually fixed.

Changed in gaim:
status: New → Fix Released
Sebastien Bacher (seb128) wrote :

The bug has been fixed upstream now

Changed in gaim:
status: New → Fix Committed
Pedro Villavicencio (pedro) wrote :

fixed on hardy with pidgin.

Changed in gaim:
status: Fix Committed → Fix Released