Pidgin / lib purple XMPP remote crash

José Valentín Gutierrez Boquete jv.gutierrezb at gmail.com
Mon Apr 16 02:40:56 EDT 2012


Indeed, it's the same issue as ticket 15067. In my tests, I reproduced the
bug in versions 2.10.0, 2.10.1 and 2.10.3.

Although in ticket 15065 it seems that several stream hosts are available and
working at the same time.

On 16 April 2012 03:36, Elliott Sales de Andrade
<qulogic at pidgin.im> wrote:

> Hi José,
>
> Thanks for reporting this issue.
> It seems like none of our XMPP people have received this message, though.
>
> Hopefully my reply will poke them into reading this.
>
> I believe this issue has just been reported here:
> http://developer.pidgin.im/ticket/15067
> This just-reported ticket may also be related, although the backtrace is
> not quite the same:
> http://developer.pidgin.im/ticket/15065
>
>
> On Mon, Apr 9, 2012 at 2:19 PM, jv.gutierrezb at gmail.com <
> jv.gutierrezb at gmail.com> wrote:
>
>> Hi,
>>
>> I have found a vulnerability in the latest stable version of pidgin / lib
>> purple (2.10.3) related to stream host negotiation in XMPP SI File
>> Transfer (XEP-0096).
>>
>> Attached to this mail you'll find a PoC in python that triggers the crash
>> (NULL pointer dereference in libpurple/protocols/jabber/si.c:124
>> function jabber_si_bytestreams_connect_cb). The PoC needs
>> http://xmpppy.sourceforge.net/
>>
>> The PoC uses four stream hosts to trigger the crash:
>>
>> stream host #1 --> JID=attacker at lab/Home, host=172.16.162.128,
>> port=55261. Results in timeout
>> stream host #2 --> JID=proxy.lab, host=0.0.0.0, port=49185. Results in
>> Windows socket error #10049
>> stream host #3 --> JID=proxy.lab, host=192.168.42.7, port=7777. Works
>> stream host #4 --> JID=proxy.lab, host=0.0.0.0, port=49185. Results in
>> Windows socket error #10049
>>
>> After stream host #3 is used to transfer the file successfully and jsx is
>> freed, jabber_si_bytestreams_connect_cb is invoked to report the timeout of
>> stream host #1 and tries to use jsx, but jsx is now NULL.
>>
>> Mitre has assigned the CVE 2012-2214 to this bug. The bug isn't public
>> and I'll only make it public after the bug is fixed.
>>
>> If you need any other information, please don't hesitate to contact me.
>>
>> Regards,
>> José Valentín Gutiérrez
>>
>>
>> --
> Elliott aka QuLogic
> Pidgin developer
>
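The callback life-cycle the report describes, as an added model in C (not libpurple's code): each pending stream-host attempt holds a reference on the transfer context, so the context is freed only after the last outstanding connect/timeout callback has reported, and a result that arrives after another host already completed the transfer is ignored rather than dereferencing a freed context. The names (xfer_ctx, attempt, simulate), the outcomes and the firing order are assumptions constructed to replay the four-host scenario.

```c
/* Added model, not libpurple code: every outstanding stream-host attempt
 * holds a reference on the transfer context, so a late connect/timeout
 * callback finds a live context and is ignored. Names are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>
enum { NHOSTS = 4 };
enum outcome { OUT_FAILED, OUT_WON, OUT_LATE };
struct xfer_ctx { int outstanding; int winner; };  /* winner: 1-based host, 0 = none */
struct attempt { int host_no; bool will_succeed; struct xfer_ctx *ctx; };
struct sim_result { int winner; int failed; int late; int live_after; };
static int live_ctx;  /* contexts allocated and not yet freed */
/* Drop one reference; the context is freed only when no callback can still fire. */
static void ctx_unref(struct xfer_ctx *c)
{
    if (--c->outstanding == 0) { free(c); live_ctx--; }
}
/* Connect/timeout callback: OUT_LATE if another host already finished the transfer. */
static enum outcome connect_cb(struct attempt *a)
{
    struct xfer_ctx *c = a->ctx;
    enum outcome r = OUT_FAILED;
    if (c->winner != 0) r = OUT_LATE;
    else if (a->will_succeed) { c->winner = a->host_no; r = OUT_WON; }
    a->ctx = NULL;          /* never touch c again after releasing the reference */
    ctx_unref(c);
    return r;
}
/* Replay the report with constructed outcomes/order: only host #3 connects, host #1 times out last. */
struct sim_result simulate(void)
{
    struct sim_result res = { 0, 0, 0, 0 };
    const bool connects[NHOSTS] = { false, false, true, false };
    const int order[NHOSTS] = { 1, 2, 3, 0 };   /* fires as host #2, #3, #4, #1 */
    struct attempt at[NHOSTS];
    struct xfer_ctx *c = calloc(1, sizeof *c);
    if (c == NULL) return res;
    live_ctx++;
    for (int i = 0; i < NHOSTS; i++) {
        at[i].host_no = i + 1; at[i].will_succeed = connects[i]; at[i].ctx = c;
        c->outstanding++;                /* one reference per pending attempt */
    }
    for (int k = 0; k < NHOSTS; k++) {
        enum outcome o = connect_cb(&at[order[k]]);
        if (o == OUT_WON) res.winner = at[order[k]].host_no;
        else if (o == OUT_FAILED) res.failed++;
        else res.late++;
    }
    res.live_after = live_ctx;  /* 0: freed once, after the last callback reported */
    return res;
}
```

In the report's flow the context is freed as soon as host #3 succeeds while host #1's timeout is still scheduled; holding a reference per outstanding attempt is one way to keep that late callback from running against freed state.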