MSN arbitrary file upload vulnerability
Paul Aurich
paul at darkrain42.org
Sat Jan 2 16:57:06 EST 2010
And Paul Aurich spoke on 12/30/2009 08:55 PM, saying:
> The MSN prpl contains a vulnerability in the custom emoticon code that
> allows a third-party to retrieve an arbitrary file on the target's computer
> while requiring no intervention from the . This was described in Fabian's
> talk at 26C3 [1], but the short version is that it's directory traversal
> issue due to insufficient validation (the attacker can inject ".." into the
> filename to retrieve).
>
> Mitigating factors: .purple/custom_smiley/ must exist.
> Vulnerable versions: Pidgin/libpurple 2.5.0 and newer.
>
> Elliott and Stu both have patches, though nothing has been committed yet.
>
> We need a CVE# for this issue, I suppose.
>
> There's also another possible crash in the MSN prpl when chatting with a
> buddy using Trillian for the iPod Touch/iPhone, reported on the Adium issue
> tracker [2], which I just updated per Elliott's request to see a debug log.
>
> Happy New Years nonetheless,
> ~Paul
>
> [1] http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html (the
> slides contain good details)
> [2] http://trac.adium.im/ticket/13620
>
A patch for the file upload vulnerability can be found in 4be2df4f,
3d02401c, and c64a1adc [1, 2, & 3]. The fix itself is in [3], but depends
on the first two to apply properly (and clean up memory correctly).
As a note, when backporting the patch to anything older than 2.6.0, the use
of purple_strequal will need to be changed.
I just requested a CVE.
~Paul
[1]
http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
[2]
http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
[3]
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100102/084d04e5/attachment.pgp>
More information about the Packagers
mailing list