Re: Pidgin IM Client Password Disclosure Vulnerability.

[Aditya K Sood <0kn0ck () secniche org>]

Quark IT - Hilton Travis wrote:
> The latest version of Pidgin - 2.5.1 - was released on 2008-08-31.  This
> must be an ancient version you've got here!
>
> --
>
> http://blog.hiltontravis.com/
>
> Regards,
>
> Hilton Travis                       Phone: +61 (0)7 3105 9101
> (Brisbane, Australia)               Phone: +61 (0)419 792 394
> Manager, Quark IT                   http://www.quarkit.com.au
>          Quark Group                http://www.quarkgroup.com.au
>
>      Microsoft SBSC PAL (Australia) http://www.sbscpal.com/
>
> War doesn't determine who is right.  War determines who is left.
>
> This document and any attachments are for the intended recipient 
>   only.  It may contain confidential, privileged or copyright 
>      material which must not be disclosed or distributed.
>
>                     Quark Group Pty. Ltd.
>       T/A Quark Automation, Quark AudioVisual, Quark IT
>
>   
> > -----Original Message-----
> > From: Aditya K Sood [mailto:0kn0ck () secniche org]
> > Sent: Wednesday, 17 September 2008 10:41 PM
> > To: bugtraq () securityfocus com
> > Subject: Pidgin IM Client Password Disclosure Vulnerability.
> >
> > Pidgin IM Client Password Disclosure Vulnerability.
> >
> > *Version Affected:*
> > 0.7.10 Unicode / Previous version can be affected.
> >
> > *Release Date:*
> > 11 September 2008
> >
> > *About:*
> > Pidgin is a graphical modular messaging client based on libpurple
> >     
> which
>   
> > is capable
> > of connecting to AIM, MSN, Yahoo!, XMPP, ICQ, IRC, SILC, SIP/SIMPLE,
> > Novell GroupWise,
> > Lotus Sametime, Bonjour, Zephyr, MySpaceIM, Gadu-Gadu, and QQ all at
> > once. It is written using GTK+.
> >
> > *Description:*
> > The pidgin client inherits client side password disclosure
> > vulnerability. The credentials used to
> > connect to the required service i.e. username and password is not
> > encrypted properly. The credentials
> > can be extracted in clear text by dumping process memory of the live
> > pidgin process when a connection
> > is set. The vulnerability allows anyone with access to the client
> > system
> > to obtain the username and password.
> > Additionally, this vulnerability could also be exploited by fooling
> >     
> the
>   
> > user to execute malicious code which
> > would dump the memory of the process "pidgin.exe"..
> >
> > *Proof of Concept:*
> > http://evilfingers.com/advisory/pidgin_password_disc_vuln.pdf
> > http://secniche/advisory/pidgin_vul.pdf
> > * <cid:part1.02090307.09020405@secniche.org>*
> > *Links: *
> > http://secniche.org/advisory.html
> > http://evilfingers.com/advisory/index.php
> > *
> > Credit:*
> > Aditya K Sood
> >
> > *Disclaimer*
> > The information in the advisory is believed to be accurate at the time
> > of publishing based on currently
> > available information. Use of the information constitutes acceptance
> > for
> > use in an AS IS condition. There is
> > no representation or warranties, either express or implied by or with
> > respect to anything in this document,
> > and shall not be liable for a ny implied warranties of merchantability
> > or fitness for a particular purpose or for
> > any indirect special or consequential damages.
> >     
>
>   
Hi

I have tested the 2.5.1 version. The template was wrongly constructed in 
version number.

Any ways I have changed the things.

Thanks for mentioning the construct.

I appreciate that.

Regards