pidgin 2.11.0 DLL Hijacking Vulnerability

Himanshu Mehta mehta.himanshu21 at gmail.com
Fri Jul 15 14:45:34 EDT 2016


Hello Daniel,

I have downloaded the file from https://www.pidgin.im/download/
I confirm that the vulnerability is in the pidgin installer, and so request you to
test it again.

Thanks & Regards,
Himanshu Mehta

On Thu, Jul 14, 2016 at 8:58 PM, Daniel Atallah <daniel.atallah at gmail.com>
wrote:

> Himanshu Mehta,
>
> This looks like it's probably a bug in the NSIS installer framework.
>
> I suggest that you report the bug to the NSIS folks as the bug will likely
> need to be fixed there before we can fix it in Pidgin (apart from switching
> to a different installer framework) - it also likely affects other usage of
> the common NSIS framework.
>
> Thanks,
> Daniel
>
> On Jul 14, 2016 8:05 AM, "Himanshu Mehta" <mehta.himanshu21 at gmail.com>
> wrote:
>
>> Hello,
>>
>> Please request a CVE.
>>
>> Description
>>
>> Summary: pidgin contains a DLL hijacking vulnerability that could allow an
>> unauthenticated, remote attacker to execute arbitrary code on the targeted
>> system. The vulnerability exists because a DLL file is loaded improperly by
>> 'pidgin_2.11.0.exe'. It allows an attacker to load a DLL
>> file of the attacker's choosing that could execute arbitrary code without
>> the user's knowledge.
>>
>> Affected Product: pidgin 2.11.0
>>
>> Impact: An attacker can exploit this vulnerability to load a DLL file of the
>> attacker's choosing that could execute arbitrary code. This may help an
>> attacker to successfully exploit the system if the user creates a shell as a DLL.
>>
>> Vulnerability Scoring Details: The vulnerability classification has been
>> performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
>> Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
>>
>> More Details: For software downloaded with a web browser the application
>> directory is typically the user's "Downloads" directory: see
>> https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html,
>> http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
>> and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art"
>> about this well-known and well-documented vulnerability.
>>
>> If an attacker places a malicious DLL in the user's "Downloads" directory
>> (for example per "drive-by download" or "social engineering") this
>> vulnerability becomes a remote code execution.
>>
>> Proof of concept/demonstration:
>>
>> 1. Create a malicious ntmarta.dll file and save it in your "Downloads" directory.
>>
>> 2. Download pidgin_2.11.0.exe from and save it in your "Downloads" directory.
>>
>> 3. Execute pidgin_2.11.0.exe from your "Downloads" directory.
>>
>> 4. The malicious DLL file gets executed.
>>
>>
>> Thanks & Regards,
>> Himanshu Mehta
>>
>> _______________________________________________
>> security mailing list
>> security at pidgin.im
>> https://pidgin.im/cgi-bin/mailman/listinfo/security
>>
>
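
A check a defender could run against the scenario in the report above, as an added example that is not part of the original messages or of Pidgin's or NSIS's code: it lists DLLs in a download directory whose names match DLLs in the system directory, together with the executables stored beside them. The function name `audit_directory` and the sample file layout are constructed for illustration.

```python
import tempfile
from pathlib import Path


def audit_directory(app_dir, system_dir):
    """Report DLLs in app_dir that share a file name with a DLL in system_dir.

    Names are compared lower-cased because Windows file names are
    case-insensitive. Executables in app_dir are listed too, since they are
    the programs that would search app_dir for their DLLs.
    """
    system_names = {p.name.lower() for p in Path(system_dir).iterdir()
                    if p.is_file() and p.suffix.lower() == ".dll"}
    files = [p for p in Path(app_dir).iterdir() if p.is_file()]
    return {
        "shadowing_dlls": sorted(p.name for p in files
                                 if p.suffix.lower() == ".dll"
                                 and p.name.lower() in system_names),
        "executables": sorted(p.name for p in files
                              if p.suffix.lower() == ".exe"),
    }


def demo():
    """Run the audit over a constructed layout; all files are empty placeholders."""
    with tempfile.TemporaryDirectory() as root:
        downloads = Path(root, "Downloads")
        system32 = Path(root, "System32")
        downloads.mkdir()
        system32.mkdir()
        for name in ("ntmarta.dll", "kernel32.dll"):
            (system32 / name).touch()
        for name in ("pidgin_2.11.0.exe", "NTMARTA.DLL", "custom.dll", "notes.txt"):
            (downloads / name).touch()
        return audit_directory(downloads, system32)


if __name__ == "__main__":
    report = demo()
    for dll in report["shadowing_dlls"]:
        print(f"WARNING: {dll} has the same name as a system DLL; "
              f"executables beside it: {', '.join(report['executables']) or 'none'}")
```

On a Windows host the two arguments would be the user's "Downloads" folder and the System32 directory.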