pidgin 2.11.0 DLL Hijacking Vulnerability

Daniel Atallah daniel.atallah at gmail.com
Fri Jul 15 15:23:55 EDT 2016


Hi Himanshu,

I'm not disputing that the Pidgin installer exhibits the behavior that you
mention (I haven't had a chance to validate it yet, but I bet you're right).

My point is that the underlying cause is the behavior of the NSIS installer
framework (http://nsis.sourceforge.net), so it's a good idea to report this
issue to that project because it likely impacts other installers which were
built using the same framework.

-D

On Jul 15, 2016 2:45 PM, "Himanshu Mehta" <mehta.himanshu21 at gmail.com>
wrote:

> Hello Daniel,
>
> I have downloaded file from https://www.pidgin.im/download/
> Vulnerability is in pidgin installer that I confirm, and so request you to
> test it again.
>
> Thanks & Regards,
> Himanshu Mehta
>
> On Thu, Jul 14, 2016 at 8:58 PM, Daniel Atallah <daniel.atallah at gmail.com>
> wrote:
>
>> Himanshu Mehta,
>>
>> This looks like it's probably a bug in the NSIS installer framework.
>>
>> I suggest that you report the bug to the NSIS folks as the bug will
>> likely need to be fixed there before we can fix it in Pidgin (apart from
>> switching to a different installer framework) - it also likely affects
>> other usage of the common NSIS framework.
>>
>> Thanks,
>> Daniel
>>
>> On Jul 14, 2016 8:05 AM, "Himanshu Mehta" <mehta.himanshu21 at gmail.com>
>> wrote:
>>
>>> Hello,
>>>
>>> Please request for CVE.
>>> Description
>>>
>>> Summary: pidgin contains a DLL hijacking vulnerability that could allow
>>> an unauthenticated, remote attacker to execute arbitrary code on the
>>> targeted system. The vulnerability exists because a DLL file is loaded by
>>> 'pidgin_2.11.0.exe' improperly, which allows an attacker to load a DLL
>>> file of the attacker's choosing that could execute arbitrary code without
>>> the user's knowledge.
>>>
>>> Affected Product: pidgin 2.11.0
>>>
>>> Impact: An attacker can exploit this vulnerability to load a DLL file of the
>>> attacker's choosing that could execute arbitrary code. This may help the
>>> attacker to successfully exploit the system if the user creates a shell as a DLL.
>>>
>>> Vulnerability Scoring Details: The vulnerability classification has been
>>> performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
>>> Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
>>>
>>> More Details: For software downloaded with a web browser the application
>>> directory is typically the user's "Downloads" directory: see
>>> https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html,
>>> http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
>>> and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art"
>>> about this well-known and well-documented vulnerability.
>>>
>>> If an attacker places malicious DLL in the user's "Downloads" directory
>>> (for example per "drive-by download" or "social engineering") this
>>> vulnerability becomes a remote code execution.
>>>
>>> Proof of concept/demonstration:
>>>
>>> 1. Create a malicious ntmarta.dll file and save it in your "Downloads" directory.
>>>
>>> 2. Download pidgin_2.11.0.exe from and save it in your "Downloads" directory.
>>>
>>> 3. Execute pidgin_2.11.0.exe from your "Downloads" directory.
>>>
>>> 4. Malicious DLL file gets executed.
>>>
>>> Thanks & Regards,
>>> Himanshu Mehta
>>>
>>> _______________________________________________
>>> security mailing list
>>> security at pidgin.im
>>> https://pidgin.im/cgi-bin/mailman/listinfo/security
>>>
>>
>
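The exchange above comes down to the Windows DLL search order: an unqualified `LoadLibrary("ntmarta.dll")` from an installer that was launched out of "Downloads" is satisfied from that directory before System32 is ever consulted. The following is an added model of that search order, written for this page; it is not code from Pidgin, NSIS or Windows, and the directory layout, file names and user name are constructed. It shows why the planted copy wins under the default search, why it loses once the process restricts DLL loading to System32 (the effect of the real Win32 call `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` or of loading system DLLs by fully qualified path), and a simple defender check for DLLs in an application directory that shadow system ones. KnownDLLs and the 16-bit system directory are deliberately not modelled.

```python
import ntpath

# Constructed example filesystem: directory -> files it contains.
# A DLL named like a system DLL has been placed beside the downloaded installer.
DOWNLOADS = r"C:\Users\alice\Downloads"
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
CONSTRUCTED_FS = {
    DOWNLOADS: ["pidgin_2.11.0.exe", "ntmarta.dll"],
    SYSTEM32: ["kernel32.dll", "advapi32.dll", "ntmarta.dll"],
    WINDIR: ["explorer.exe"],
}


def default_search_order(app_dir, cwd, system_dir=SYSTEM32, windows_dir=WINDIR, path_dirs=()):
    """Directories the loader walks for an unqualified DLL name with
    SafeDllSearchMode on (the default): the application directory comes first,
    then System32, the Windows directory, the current directory, then PATH.
    For an installer run from Downloads, app_dir == Downloads."""
    return [app_dir, system_dir, windows_dir, cwd, *path_dirs]


def system32_only_order(system_dir=SYSTEM32):
    """Search order once the process has restricted DLL loading to System32
    (SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) or equivalent):
    the application directory is no longer consulted at all."""
    return [system_dir]


def resolve_dll(name, search_dirs, fs=CONSTRUCTED_FS):
    """Return the path the loader would pick for `name`, or None if not found.
    A fully qualified name is taken as-is and no search happens; an unqualified
    name is matched case-insensitively in each directory in order."""
    if ntpath.isabs(name):
        directory, filename = ntpath.split(name)
        present = any(f.lower() == filename.lower() for f in fs.get(directory, ()))
        return name if present else None
    for directory in search_dirs:
        for f in fs.get(directory, ()):
            if f.lower() == name.lower():
                return ntpath.join(directory, f)
    return None


def shadowing_dlls(app_dir, fs=CONSTRUCTED_FS, system_dir=SYSTEM32):
    """Defender check: DLL names in app_dir that also exist in System32.
    Under the default search order each of these is loaded in preference to the
    system copy by any unqualified load from a program started in app_dir."""
    system_names = {f.lower() for f in fs.get(system_dir, ())}
    return sorted(
        f for f in fs.get(app_dir, ())
        if f.lower().endswith(".dll") and f.lower() in system_names
    )


if __name__ == "__main__":
    # Installer started from Downloads, with Downloads as the current directory.
    order = default_search_order(DOWNLOADS, DOWNLOADS)
    print("default search  :", resolve_dll("ntmarta.dll", order))
    print("System32 only   :", resolve_dll("ntmarta.dll", system32_only_order()))
    print("qualified load  :", resolve_dll(ntpath.join(SYSTEM32, "ntmarta.dll"), order))
    print("shadowing DLLs  :", shadowing_dlls(DOWNLOADS))
```

The model makes the reporter's point and Daniel's point visible in the same place: the planted file is picked up because of where the installer was launched from, and the fix belongs in whatever code performs the unqualified load (here the installer framework), which must either restrict the search to System32 or load system DLLs by full path before any such load happens.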

