Security problem allows to remotely read user files (MSN protocol)

Bug #501089 reported by Isaac Clerencia on 2009-12-28
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pidgin (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: pidgin

There is a bug in libpurple allowing remote users to access files in the local machine for users of MSN with certain features enabled.

I have an exploit written in 20 lines of python which works with the pidgin version in Karmic. I have tried to check Pidgin list of vulnerabilities and it's not there. I just came through this bug because it was mentioned in a talk in the CCC.

I'll be happily describe the problem and provide the script that exploits this vulnerability to the security team.

Cheers!

ProblemType: Bug
Architecture: i386
Date: Mon Dec 28 19:33:28 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release i386 (20091028.5)
NonfreeKernelModules: wl nvidia
Package: libpurple0 1:2.6.2-1ubuntu7
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/zsh
ProcVersionSignature: Ubuntu 2.6.31-16.53-generic-pae
SourcePackage: pidgin
Uname: Linux 2.6.31-16-generic-pae i686

Isaac Clerencia (isaaccp) wrote :
Isaac Clerencia (isaaccp) wrote :

Uhm, so apparently this bug is private, so I'll continue ... the problem is related to the support for custom smileys.

Usually you tell your peer, I am using a custom smiley, its name is 'foo.png' and you can request it if you want. The other part then will request it if it wants it.

The problem is that the other part can request any other file instead of 'foo.png', and libpurple won't check the SHA1 hash and will even allow the file path to include '../..'.

It only works if the customs smileys are activated (i.e., if you have ever declared a custom smiley, so I'd say most people are not affected). And in this case any MSN client can just start sending request for files to Pidgin and it will serve them without even notifying the user in any way.

I am attaching a sample script using python-papyon that exploits this bug (not an elegant script, but works).

Isaac Clerencia (isaaccp) wrote :

This exploit doesn't work perfectly, as in it won't save the retrieved file or output it properly, but you can check with wireshark or tcpdump that the file gets actually transferred. It's just a minor detail to write it down or whatever.

Isaac Clerencia (isaaccp) wrote :

Yes, that's it :)

Marc Deslauriers (mdeslaur) wrote :

Thanks for the exploit. I'll leave this bug private, and we'll fix pidgin once the CVE number request has gone through.

Changed in pidgin (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

This got CVE-2010-0013.

visibility: private → public
bernhard (bernhardredl) wrote :

this has been patched & released upstream (pidgin 2.6.5)
http://developer.pidgin.im/wiki/ChangeLog

is this going to be a ubuntu security update?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.6.2-1ubuntu7.1

---------------
pidgin (1:2.6.2-1ubuntu7.1) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service via crafted contact list data
    - debian/patches/63_security_CVE-2009-3615.patch: validate contact
      list structure in libpurple/protocols/oscar/oscar.c.
    - CVE-2009-3615
  * SECURITY UPDATE: directory traversal via custom smiley request
    (LP: #501089)
    - debian/patches/64_security_CVE-2010-0013.patch: ignore request for
      smileys that don't exist in the image store in
      libpurple/protocols/msn/slp.c.
    - CVE-2010-0013
 -- Marc Deslauriers <email address hidden> Thu, 14 Jan 2010 11:22:13 -0500

Changed in pidgin (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers