Security Bug in Pidgin-2.10.7

Radhesh Krishnan K radheshkrishnank at gmail.com
Sat Apr 13 10:33:44 EDT 2013


Hi,

I would like to report a security bug in pidgin-2.10.7.  Pidgin is using the
OpenSSL library for creating secure connections.

A program using OpenSSL can perform the SSL handshake by invoking the
SSL_connect function. Some certificate validation errors are signaled
through the return value of SSL_connect, while for other errors
SSL_connect returns OK but sets internal "verify result"
flags. The application must call the SSL_get_verify_result function to check if any
such errors occurred.  *This check is missing in pidgin.* And thus a
*man-in-the-middle* attack is possible, defeating all the SSL protection. (Please
refer to <https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf>)

Another way to verify the SSL certificate is using the API *SSL_CTX_set_verify*.
The SSL_CTX_set_verify() API allows you to set the verification flags in
the SSL_CTX structure and a callback function for customized verification
as its third argument. (Setting the callback function to NULL means the
built-in default verification function is used.) In the second argument of
SSL_CTX_set_verify(), you can set one of the following macros
(Referred from <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#> )

1. SSL_VERIFY_NONE

*Server mode:* the server will not send a client certificate request to the
client, so the client will not send a certificate.

*Client mode:* if not using an anonymous cipher (by default disabled), the
server will send a certificate which will be checked. The result of the
certificate verification process can be checked after the TLS/SSL handshake
using the *SSL_get_verify_result* function. The handshake will be continued
regardless of the verification result.

2. SSL_VERIFY_PEER
3. SSL_VERIFY_FAIL_IF_NO_PEER_CERT
4. SSL_VERIFY_CLIENT_ONCE


However, in Pidgin *SSL_CTX_set_verify()* is used but the second parameter
is *SSL_VERIFY_NONE* and the third parameter is *NULL*, which means we should
use the *SSL_get_verify_result* API to verify the peer certificate. But the
*SSL_get_verify_result* API is not used anywhere in the Pidgin code base, which makes
the product vulnerable to a *man-in-the-middle attack*.


-- 
Regards,
Radhesh Krishnan K.
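The failure class the report describes, as an added example that is not Pidgin's or OpenSSL's code: a loopback TLS server presents a self-signed certificate that no CA vouches for (standing in for the one an interposed party would present), and three client policies in Go's crypto/tls dial it. Go's crypto/tls stands in for the OpenSSL C API here; `InsecureSkipVerify` plays the role of `SSL_VERIFY_NONE` with no `SSL_get_verify_result()` check afterwards, and the function names `selfSignedCert` and `Outcomes` are chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSignedCert makes a throwaway "localhost" certificate signed by nobody a client trusts.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Outcomes serves that certificate on loopback and dials it with three client policies; a nil
// error means the handshake completed. "weak" is the Pidgin pattern and connects to anyone.
func Outcomes() (weak, verified, pinned error) {
	cert := selfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // complete handshakes until the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	dial := func(cfg *tls.Config) error {
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err == nil {
			conn.Close()
		}
		return err
	}
	weak = dial(&tls.Config{InsecureSkipVerify: true})     // no verification at all
	verified = dial(&tls.Config{ServerName: "localhost"}) // default: must chain to a trusted root
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	pinned = dial(&tls.Config{ServerName: "localhost", RootCAs: pool}) // verify, trusting this cert only
	return weak, verified, pinned
}
```

`Outcomes()` returns nil for the unverified and pinned clients and an unknown-authority error for the default verifying client, which is the rejection Pidgin's configuration never produces.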