[Advisories] Libpurple security vulnerability CORE-2009-0727

Luke Schierer lschiere at pidgin.im
Sat Aug 1 08:32:42 EDT 2009


I didn't notice the attachment, plus I can only decrypt @ home or on  
my laptop, not from webmail.

luke

Begin forwarded message:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Libpurple-2.5.8_PoC
Type: application/octet-stream
Size: 12036 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090801/f169c157/attachment-0001.obj>
-------------- next part --------------

> From: "Luke Schierer" <lschiere at pidgin.im>
> Date: July 31, 2009 15:22:23 EDT
> To: packagers at pidgin.im
> Subject: [Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]
> Reply-To: lschiere at pidgin.im
>
> ---------------------------- Original Message ----------------------------
> Subject: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727
> From:    "Core Security Advisories Team (jo)"
> <advisories-publication at coresecurity.com>
> Date:    Fri, July 31, 2009 14:39
> To:      "Luke Schierer" <lschiere at pidgin.im>
> Cc:      "Federico Muttis" <acid at corest.com>
>         "CORE Security Technologies Advisories-publication"
> <advisories-publication at coresecurity.com>
> --------------------------------------------------------------------------
>
> Luke,
>
> Here is the PoC that triggers the bug. To run exploit.py you must first
> edit msnclient.py:
>
>       # Setup some MSN accounts
>       self.account = "Attacker MSN account"
>       self.password = "Attacker password"
>       self.victim = "Victim MSN Account"
>       self.display_name = "My Display Name"
>
>       # Set your proxy if you need it, with this format:
>       #self.proxy = "192.168.254.254:80"
>       # Else, leave it blank.
>       self.proxy = ""
>
> Don't hesitate to write if you have any doubt or comment.
>
> Regards,
> Jose.
>
> Luke Schierer wrote:
>> We have looked into the code and we're not sure how this can be triggered.
>> You have outlined a two-step process. For the second step, you say
>> buffer is NULL, thus allowing a memcpy to an arbitrary location.
>> However, we don't see how this could happen. The buffer should either
>> have been allocated in the first step, or if that fails, the original
>> message would be destroyed. And without that, the second part could
>> not occur. So, how are you getting buffer to be NULL?
>>
>> Thanks!
>>
>> Luke
>>
>> On Jul 30, 2009, at 13:17 EDT, Core Security Advisories Team (jo) wrote:
>>
>>
>>> Hi,
>>
>>> I am attaching a preliminary version of the advisory, written by
>>> Federico Muttis, encrypted with Luke's key. Don't hesitate to write back
>>> if you have any doubts or comments.  We are planning to release the
>>> advisory on August 18th, 2009.
>>
>>> Regards,
>>> Jose.
>>
>>> --José I. Orlicki
>>> Advisories Team
>>> Core Security Technologies
>>>
>> http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=list&type=advisory
>>
>>> <pidgin-1.txt.pgp>
>>
>
> -- 
> José I. Orlicki
> Advisories Team
> Core Security Technologies
> http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=list&type=advisory
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Libpurple-2.5.8_PoC
Type: text/filename=libpurple-2.5.8_poc
Size: 12036 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090801/f169c157/attachment-0001.bin>
-------------- next part --------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090801/f169c157/attachment-0001.pgp>

