MSN arbitrary file upload vulnerability
Paul Aurich
paul at darkrain42.org
Wed Dec 30 23:55:58 EST 2009
The MSN prpl contains a vulnerability in the custom emoticon code that
allows a third party to retrieve an arbitrary file on the target's computer
while requiring no intervention from the . This was described in Fabian's
talk at 26C3 [1], but the short version is that it's a directory traversal
issue due to insufficient validation (the attacker can inject ".." into the
filename to retrieve).

Mitigating factors: .purple/custom_smiley/ must exist.

Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.

Elliott and Stu both have patches, though nothing has been committed yet.
We need a CVE# for this issue, I suppose.

There's also another possible crash in the MSN prpl when chatting with a
buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
tracker [2], which I just updated per Elliott's request to see a debug log.

Happy New Years nonetheless,
~Paul
[1] http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html (the
slides contain good details)
[2] http://trac.adium.im/ticket/13620