pidgin 2.11.0 DLL Hijacking Vulnerability
daniel.atallah at gmail.com
Fri Jul 15 15:23:55 EDT 2016
I'm not disputing that the Pidgin installer exhibits the behavior that you
mention (I haven't had a chance to validate it yet, but I bet you're right).
My point is that the underlying cause is the behavior of the NSIS installer
framework (http://nsis.sourceforge.net), so it's a good idea to report this
issue to that project because it likely impacts other installers which were
built using the same framework.
On Jul 15, 2016 2:45 PM, "Himanshu Mehta" <mehta.himanshu21 at gmail.com>
> Hello Daniel,
> I have downloaded file from https://www.pidgin.im/download/
> Vulnerability is in pidgin installer that I confirm, and so request you to
> test it again.
> Thanks & Regards,
> Himanshu Mehta
> On Thu, Jul 14, 2016 at 8:58 PM, Daniel Atallah <daniel.atallah at gmail.com>
>> Himanshu Mehta,
>> This looks like it's probably a bug in the NSIS installer framework.
>> I suggest that you report the bug to the NSIS folks as the bug will
>> likely need to be fixed there before we can fix it in Pidgin (apart from
>> switching to a different installer framework) - it also likely affects
>> other usage of the common NSIS framework.
>> On Jul 14, 2016 8:05 AM, "Himanshu Mehta" <mehta.himanshu21 at gmail.com>
>>> Please request for CVE.
>>> Summary: pidgin contains a DLL hijacking vulnerability that could allow
>>> an unauthenticated, remote attacker to execute arbitrary code on the
>>> targeted system. The vulnerability exists because a DLL file is loaded by
>>> 'pidgin_2.11.0.exe' improperly. This allows an attacker to load a DLL
>>> file of the attacker's choosing that could execute arbitrary code without
>>> the user's knowledge.
>>> Affected Product: pidgin 2.11.0
>>> Impact: An attacker can exploit this vulnerability to load a DLL file of the
>>> attacker's choosing that could execute arbitrary code. This may help the
>>> attacker to successfully exploit the system if the user creates a shell as a DLL.
>>> Vulnerability Scoring Details: The vulnerability classification has been
>>> performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
>>> Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
>>> More Details: For software downloaded with a web browser the application
>>> directory is typically the user's "Downloads" directory: see
>>> and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art"
>>> about this well-known and well-documented vulnerability.
>>> If an attacker places a malicious DLL in the user's "Downloads" directory
>>> (for example via "drive-by download" or "social engineering") this
>>> vulnerability becomes a remote code execution.
>>> Proof of concept/demonstration:
>>> 1. Create a malicious ntmarta.dll file and save it in your "Downloads" directory.
>>> 2. Download pidgin_2.11.0.exe from and save it in your "Downloads" directory.
>>> 3. Execute pidgin_2.11.0.exe from your "Downloads" directory.
>>> 4. The malicious DLL file gets executed.
>>> Thanks & Regards,
>>> Himanshu Mehta
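The thread's disagreement is about where the fix belongs, but the mechanism both sides describe is the same: an executable run from "Downloads" resolves DLLs it names by string through the Windows search order, and the application directory (here, "Downloads") is searched before System32, so a same-named DLL placed there is picked first. The following is an added example, not code from the thread, from Pidgin or from NSIS. It models that search order in Python on a constructed file-system snapshot (the directory names, the DLL names other than ntmarta.dll, and the partial KnownDLLs list are all assumptions made for the model, not claims about a real machine), shows what the real loader flag LOAD_LIBRARY_SEARCH_SYSTEM32 (set via SetDefaultDllDirectories or LoadLibraryEx) changes, and includes a defender-side check that lists which DLLs sitting beside an installer would shadow a System32 DLL.

```python
# Added example (not from the thread): a simplified model of the Windows DLL
# search order, used to show why a DLL dropped in the installer's own directory
# wins over the copy in System32, and what a hardened loader policy changes.
# Simplifications: the 16-bit system directory is omitted, and only loads by
# bare file name are modelled. All paths and file lists are constructed.

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"
DOWNLOADS = r"C:\Users\alice\Downloads"   # assumed application directory

# Constructed snapshot: directory -> lower-case file names it contains.
FILESYSTEM = {
    DOWNLOADS: {"pidgin_2.11.0.exe", "ntmarta.dll"},   # planted DLL beside the installer
    SYSTEM32: {"kernel32.dll", "advapi32.dll", "ntmarta.dll"},
    WINDOWS: set(),
}

# DLLs registered under the KnownDLLs key are always mapped from System32,
# so they cannot be shadowed this way (constructed, partial list).
KNOWN_DLLS = {"kernel32.dll", "advapi32.dll"}


def default_search_order(app_dir, cwd, path_dirs):
    """Search order with SafeDllSearchMode on (the default on modern Windows):
    application directory, System32, Windows directory, current directory,
    then the directories on PATH."""
    return [app_dir, SYSTEM32, WINDOWS, cwd, *path_dirs]


def system32_only_order(app_dir, cwd, path_dirs):
    """Order after the process opts in to LOAD_LIBRARY_SEARCH_SYSTEM32
    (SetDefaultDllDirectories / LoadLibraryEx): only System32 is searched,
    so the application directory is never consulted for loads by name."""
    return [SYSTEM32]


def resolve(dll_name, app_dir, cwd=None, path_dirs=(),
            order=default_search_order, fs=FILESYSTEM):
    """Return the full path the model loader picks for dll_name, or None."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:                       # KnownDLLs bypass the search
        return SYSTEM32 + "\\" + name
    for directory in order(app_dir, cwd or app_dir, path_dirs):
        if name in fs.get(directory, set()):     # first hit wins
            return directory + "\\" + name
    return None


def shadowed_system_dlls(app_dir, fs=FILESYSTEM):
    """Defender check: DLLs in app_dir that share a name with a System32 DLL
    and are not KnownDLLs. A default-order load of any of these names from
    an executable in app_dir takes the local copy instead of System32."""
    local = {n for n in fs.get(app_dir, set()) if n.endswith(".dll")}
    return sorted((local & fs[SYSTEM32]) - KNOWN_DLLS)


if __name__ == "__main__":
    print("default order :", resolve("ntmarta.dll", DOWNLOADS))
    print("System32 only :", resolve("ntmarta.dll", DOWNLOADS, order=system32_only_order))
    print("KnownDLL      :", resolve("kernel32.dll", DOWNLOADS))
    print("shadowed      :", shadowed_system_dlls(DOWNLOADS))
```

Under the default order the model resolves ntmarta.dll to the Downloads copy, which is the behaviour the report describes; with the System32-only policy the same name resolves to the System32 copy, and kernel32.dll resolves to System32 either way because it is a KnownDLL. The shadowed_system_dlls check is the kind of thing an endpoint audit or a pre-install script can run over a user's Downloads directory: any DLL it lists is one a downloaded installer would load in preference to the system copy.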