Pidgin / lib purple XMPP remote crash

jv.gutierrezb at gmail.com jv.gutierrezb at gmail.com
Mon Apr 9 14:19:59 EDT 2012


Hi,

I have found a vulnerability in the latest stable version of pidgin / lib purple (2.10.3) related to stream host negotiation in XMPP SI File Transfer (XEP-0096).

Attached to this mail you'll find a PoC in python that triggers the crash (NULL pointer dereference in libpurple/protocols/jabber/si.c:124 function jabber_si_bytestreams_connect_cb). The PoC needs http://xmpppy.sourceforge.net/

The PoC uses four stream hosts to trigger the crash:

stream host #1 --> JID=attacker at lab/Home, host=172.16.162.128, port=55261. Results in timeout
stream host #2 --> JID=proxy.lab, host=0.0.0.0, port=49185. Results in Windows socket error #10049
stream host #3 --> JID=proxy.lab, host=192.168.42.7, port=7777. Works
stream host #4 --> JID=proxy.lab, host=0.0.0.0, port=49185. Results in Windows socket error #10049

After stream host #3 is used to transfer the file successfully and jsx is freed, jabber_si_bytestreams_connect_cb is invoked to report the timeout of stream host #1 and tries to use jsx, but jsx is NULL.

Mitre has assigned the CVE 2012-2214 to this bug. The bug isn't public and I'll only make it public after the bug is fixed.

If you need any other information, please don't hesitate to contact me.

Regards,
José Valentín Gutiérrez

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120409/73cb7686/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin.RPT
Type: application/octet-stream
Size: 3057 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120409/73cb7686/attachment-0002.obj>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120409/73cb7686/attachment-0005.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-report.log
Type: application/octet-stream
Size: 47101 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120409/73cb7686/attachment-0003.obj>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120409/73cb7686/attachment-0006.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cve-2012-2144-poc.py
Type: text/x-python-script
Size: 2525 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120409/73cb7686/attachment-0001.bin>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120409/73cb7686/attachment-0007.html>
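The lifecycle problem the report describes (a connection callback that fires for one stream host after a different stream host has finished the transfer and the per-transfer state has been freed) is easiest to see in a small model. The following C program is an added example written for this page; it is not Pidgin's code and its names (`xfer`, `si_xfer_state`, `connect_cb`, `xfer_complete_buggy`, `xfer_complete_fixed`, `deliver_timeout`) are hypothetical stand-ins for the jsx state and `jabber_si_bytestreams_connect_cb`. It replays the reported sequence, with the NULL dereference reported as a return code instead of an actual crash so the outcome can be checked, and shows the generic mitigation of cancelling outstanding attempts before the state is released. That mitigation is an assumption about how such bugs are closed, not a statement of what the Pidgin fix did.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_PENDING 8

/* Hypothetical per-transfer negotiation state standing in for jsx. */
typedef struct {
    int stream_hosts_tried;
} si_xfer_state;

/* A stream-host connection attempt still in flight; its callback fires
 * later (success, error or timeout) with a pointer back to the transfer. */
typedef struct xfer xfer;
typedef struct {
    xfer *owner;
    int active;   /* 0 once the attempt has completed or been cancelled */
} pending_attempt;

struct xfer {
    si_xfer_state *jsx;   /* freed and set to NULL when the transfer finishes */
    pending_attempt pending[MAX_PENDING];
    int npending;
};

xfer *xfer_new(void) {
    xfer *x = calloc(1, sizeof *x);
    if (!x) return NULL;
    x->jsx = calloc(1, sizeof *x->jsx);
    if (!x->jsx) { free(x); return NULL; }
    return x;
}

/* Register a stream-host attempt; returns its index, or -1 if the table is full. */
int xfer_start_attempt(xfer *x) {
    if (x->npending >= MAX_PENDING) return -1;
    pending_attempt *p = &x->pending[x->npending];
    p->owner = x;
    p->active = 1;
    return x->npending++;
}

/* Stand-in for the timeout path of jabber_si_bytestreams_connect_cb. The real
 * callback dereferences jsx; here a NULL jsx is reported as -1 rather than
 * crashing. Returns 0 when the timeout was handled normally. */
int connect_cb(pending_attempt *p) {
    xfer *x = p->owner;
    if (x->jsx == NULL)
        return -1;                 /* this is where the NULL dereference would happen */
    x->jsx->stream_hosts_tried++;
    p->active = 0;
    return 0;
}

/* Buggy completion, as described in the report: jsx is released while
 * attempts against other stream hosts are still outstanding. */
void xfer_complete_buggy(xfer *x) {
    free(x->jsx);
    x->jsx = NULL;
}

/* Hardened completion (assumed mitigation): cancel every outstanding attempt
 * first, so a late timeout or error can never reach connect_cb with freed state. */
void xfer_complete_fixed(xfer *x) {
    for (int i = 0; i < x->npending; i++)
        x->pending[i].active = 0;
    free(x->jsx);
    x->jsx = NULL;
}

/* Event-loop delivery of a timeout for attempt idx. Returns 1 when the attempt
 * was already cancelled (callback skipped), otherwise the callback's result. */
int deliver_timeout(xfer *x, int idx) {
    pending_attempt *p = &x->pending[idx];
    if (!p->active) return 1;
    return connect_cb(p);
}

void xfer_free(xfer *x) {
    if (!x) return;
    free(x->jsx);   /* free(NULL) is a no-op if the transfer already completed */
    free(x);
}

/* Replays the reported sequence: host #1's timeout arrives only after host #3
 * has completed the transfer and jsx has been freed. */
int scenario(int use_fix) {
    xfer *x = xfer_new();
    if (!x) return -2;
    int host1 = xfer_start_attempt(x);     /* will time out late */
    int host3 = xfer_start_attempt(x);     /* connects and carries the file */
    x->pending[host3].active = 0;          /* host #3 finished the transfer */
    if (use_fix) xfer_complete_fixed(x); else xfer_complete_buggy(x);
    int rc = deliver_timeout(x, host1);    /* the late timeout from host #1 */
    xfer_free(x);
    return rc;
}

int main(void) {
    printf("buggy: %d (-1 = callback would dereference NULL jsx)\n", scenario(0));
    printf("fixed: %d (1 = late callback skipped)\n", scenario(1));
    return 0;
}
```

The point of the model is the ordering: the fix is not a NULL check inside the callback (which would only hide the fact that stale state is still reachable) but making sure that nothing can call back into a transfer once its state is gone, which is also the property a reviewer would look for when auditing any asynchronous connect path that hands a raw pointer to a later callback.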
