Fwd: Instant disconnect vulnerability

Mark Doliner mark at kingant.net
Fri Aug 13 13:17:16 EDT 2010

Hi Cory.  Thanks for letting us know about this.  I've forwarded your
email to our security mailing list, which consists of a group of core
Pidgin developers.  We'll investigate this problem and get back to

Thanks again,

---------- Forwarded message ----------
From: Cory McIntire <cory at cpanel.net>
Date: Fri, Aug 13, 2010 at 9:52 AM
Subject: Instant disconnect vulnerability
To: markdoliner at pidgin.im


Wasn't sure where to send this, so I went off this email:


I'm not sure this is even really a vulnerability or just a DoS type
thing, but it's working on multiple platforms.

I am using Adium 1.3.10 on a Mac OS X 10.6.4, but we've reproduced
this on Pidgin 2.7.2, libpurple 2.7.2 on an Arch Linux workstation.
AMD Athlon 64 X2 Dual Core Processor 6400+ 2.6.34-ARCH SMP.

The easiest way to reproduce is with this command on Mac:

debaser:~ cory$ echo -ne '\013' | pbcopy

Then simply paste that into an IM or Conference Jabber chat.. it seems
limited to Jabber due to the XML character nature. On a java client we
get this info when this character is sent:

Illegal XML character &#xb;

I was able to paste this character into my status and it took down
everyone in the company that was on the jabber server with a few
exceptions. This was found on accident as a tech support guy was
cleaning his keyboard and was also in the 'tech support' conference
with about 15 other techs, and once it was in the conference, they
were disconnecting, but since not all clients disco'd the conf channel
stayed open. As the people started to reconnect they auto-rejoined
this conference room and the last 10 lines were there, one of which
included the string with the problem, hence they got disco'd again,
rinse, repeat. As you can imagine it was like watching a xmas tree as
they all got into a loop =)

I hope this is a good place to send this info or you can direct me
where to send it. If there are any questions or more details needed
please do not hesitate to ask.

BTW, here was the original line that was pasted, but we tracked it
down to only that one character (and a few others) causing the issues:



Cory McIntire
cPanel, Inc. - Quality Assurance
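
Added example (not part of the original emails and not Pidgin's or Adium's code): a sender-side check showing why a vertical tab (U+000B) in a Jabber message body makes the stanza not well-formed XML 1.0, and how filtering on the XML 1.0 `Char` production before serializing avoids it. The helper names and the choice to strip rather than reject the input are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Anything outside the XML 1.0 "Char" production is illegal in a document:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
_ILLEGAL_XML10 = re.compile(
    r"[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def strip_illegal_xml_chars(text: str) -> str:
    """Drop characters that can never appear in an XML 1.0 document."""
    return _ILLEGAL_XML10.sub("", text)


def build_message(body: str, sanitize: bool = True) -> str:
    """Serialize a minimal <message/> stanza (hypothetical helper)."""
    if sanitize:
        body = strip_illegal_xml_chars(body)
    # escape() handles &, < and > but does nothing about control characters.
    return "<message type='chat'><body>%s</body></message>" % escape(body)


def is_well_formed(stanza: str) -> bool:
    """True if a conforming XML parser (expat) accepts the stanza."""
    try:
        ET.fromstring(stanza)
        return True
    except ET.ParseError:
        return False


# Constructed sample input: ordinary text with an embedded vertical tab.
SAMPLE = "cleaning my keyboard\x0b oops"

if __name__ == "__main__":
    # Unfiltered: the parser on the receiving side rejects the stanza.
    print(is_well_formed(build_message(SAMPLE, sanitize=False)))
    # Filtered before serialization: the stanza parses.
    print(is_well_formed(build_message(SAMPLE)))
    # A numeric character reference does not help; &#xb; is also illegal.
    print(is_well_formed("<body>&#xb;</body>"))
```

The same filter belongs on every user-controlled string that ends up in a stanza (message bodies, status text, conference messages), since the report describes the character arriving through each of those paths.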
