pidgin 2.11.0 DLL Hijacking Vulnerability

Himanshu Mehta mehta.himanshu21 at gmail.com
Fri Jul 15 15:55:14 EDT 2016


Hi Daniel,

Thanks for sharing the information. I will test and report to NSIS as well.

Can you please tell me what I need to do next for bug bounty?
https://firebounty.com/bug-bounty-program/241/pidgin

Thanks & Regards,
Himanshu Mehta

On Saturday 16 July 2016, Daniel Atallah <daniel.atallah at gmail.com> wrote:

> Hi Himanshu,
>
> I'm not disputing that the Pidgin installer exhibits the behavior that you
> mention (I haven't had a chance to validate it yet, but I bet you're right).
>
> My point is that the underlying cause is the behavior of the NSIS
> installer framework (http://nsis.sourceforge.net), so it's a good idea to
> report this issue to that project because it likely impacts other
> installers which were built using the same framework.
>
> -D
>
> On Jul 15, 2016 2:45 PM, "Himanshu Mehta" <mehta.himanshu21 at gmail.com> wrote:
>
>> Hello Daniel,
>>
>> I have downloaded the file from https://www.pidgin.im/download/
>> The vulnerability is in the Pidgin installer, which I confirm, and so I request you
>> to test it again.
>>
>> Thanks & Regards,
>> Himanshu Mehta
>>
>> On Thu, Jul 14, 2016 at 8:58 PM, Daniel Atallah <daniel.atallah at gmail.com> wrote:
>>
>>> Himanshu Mehta,
>>>
>>> This looks like it's probably a bug in the NSIS installer framework.
>>>
>>> I suggest that you report the bug to the NSIS folks as the bug will
>>> likely need to be fixed there before we can fix it in Pidgin (apart from
>>> switching to a different installer framework) - it also likely affects
>>> other usage of the common NSIS framework.
>>>
>>> Thanks,
>>> Daniel
>>>
>>> On Jul 14, 2016 8:05 AM, "Himanshu Mehta" <mehta.himanshu21 at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Please request a CVE.
>>>>
>>>> Description
>>>>
>>>> Summary: Pidgin contains a DLL hijacking vulnerability that could allow
>>>> an unauthenticated, remote attacker to execute arbitrary code on the
>>>> targeted system. The vulnerability exists because a DLL file is loaded by
>>>> 'pidgin_2.11.0.exe' improperly, which allows an attacker to load a DLL
>>>> file of the attacker's choosing that could execute arbitrary code without
>>>> the user's knowledge.
>>>>
>>>> Affected Product: pidgin 2.11.0
>>>>
>>>> Impact: An attacker can exploit this vulnerability to load a DLL file of
>>>> the attacker's choosing that could execute arbitrary code. This may help
>>>> the attacker successfully exploit the system if the user creates a shell as a DLL.
>>>>
>>>> Vulnerability Scoring Details: The vulnerability classification has been
>>>> performed using the CVSSv2 scoring system (http://www.first.org/cvss/).
>>>> Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
>>>>
>>>> More Details: For software downloaded with a web browser, the
>>>> application directory is typically the user's "Downloads" directory; see
>>>> https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html,
>>>> http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
>>>> and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art"
>>>> about this well-known and well-documented vulnerability.
>>>>
>>>> If an attacker places a malicious DLL in the user's "Downloads" directory
>>>> (for example via a "drive-by download" or "social engineering"), this
>>>> vulnerability becomes a remote code execution.
>>>>
>>>> Proof of concept/demonstration:
>>>>
>>>> 1. Create a malicious ntmarta.dll file and save it in your "Downloads" directory.
>>>>
>>>> 2. Download pidgin_2.11.0.exe from and save it in your "Downloads" directory.
>>>>
>>>> 3. Execute pidgin_2.11.0.exe from your "Downloads" directory.
>>>>
>>>> 4. The malicious DLL file gets executed.
>>>>
>>>>
>>>> Thanks & Regards,
>>>> Himanshu Mehta
>>>>
>>>> _______________________________________________
>>>> security mailing list
>>>> security at pidgin.im
>>>> https://pidgin.im/cgi-bin/mailman/listinfo/security
>>>>
>>>
>>

-- 
Thanks & Regards,
Himanshu Mehta
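As an added defender's illustration of why step 1 of the proof of concept above works and what a loader-side restriction changes: this is my own model of the Windows DLL search order, not code from Pidgin, NSIS or the reporter. All paths, file sets, the KnownDLLs subset and the installer's load list are constructed, and the search order is simplified to the directories relevant to an installer run from "Downloads".

```python
import ntpath

SYSTEM32 = r"C:\Windows\System32"

def resolve_dll(name, host, restricted=False):
    """Full path the loader would pick for an unqualified DLL name, or None.
    host: app_dir (dir of the running .exe), cwd, path_dirs, files
    ({directory: set of lower-case names}), known_dlls (always mapped from System32).
    restricted=True models SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32):
    only System32 is searched."""
    name = name.lower()
    has = lambda d: name in host["files"].get(d, set())
    if restricted or name in host["known_dlls"]:
        return ntpath.join(SYSTEM32, name) if has(SYSTEM32) else None
    # Default order with SafeDllSearchMode on: the application directory is
    # searched before System32, which is why a file planted beside the
    # installer wins over the genuine system copy.
    order = [host["app_dir"], SYSTEM32, r"C:\Windows", host["cwd"], *host["path_dirs"]]
    for d in order:
        if has(d):
            return ntpath.join(d, name)
    return None

def hijackable(loaded_dlls, host):
    """Sorted names whose default resolution is not the System32 copy, i.e.
    the loads that a same-named file next to the executable captures."""
    return sorted(n.lower() for n in loaded_dlls
                  if (p := resolve_dll(n, host)) and ntpath.dirname(p).lower() != SYSTEM32.lower())

DOWNLOADS = r"C:\Users\alice\Downloads"                           # constructed
HOST = {
    "app_dir": DOWNLOADS,                                         # installer run from Downloads
    "cwd": DOWNLOADS,
    "path_dirs": [SYSTEM32, r"C:\Program Files\Tools"],
    "files": {
        DOWNLOADS: {"pidgin_2.11.0.exe", "ntmarta.dll"},           # ntmarta.dll planted (step 1 above)
        SYSTEM32: {"ntmarta.dll", "kernel32.dll", "version.dll"},
    },
    "known_dlls": {"kernel32.dll"},                               # small constructed subset
}
INSTALLER_LOADS = ["kernel32.dll", "ntmarta.dll", "version.dll"]  # constructed, not NSIS's real import list

if __name__ == "__main__":
    for n in INSTALLER_LOADS:
        print(n, "->", resolve_dll(n, HOST), "| restricted:", resolve_dll(n, HOST, restricted=True))
    print("hijackable from", DOWNLOADS + ":", hijackable(INSTALLER_LOADS, HOST))
```

Under the default order only ntmarta.dll resolves to the planted copy, while a KnownDLL such as kernel32.dll and the restricted search both come back from System32, which is the behaviour a fixed installer stub needs.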