Disabling UPnP in Windows Pidgin 2.3.0
Kevin Stange
kevin at simguy.net
Thu Nov 29 19:59:50 EST 2007
David F. Severski wrote:
> On Thu, Nov 29, 2007 at 06:31:13PM -0600, Billy Crook wrote:
>> And for that matter, no destruction of your current computer's UPnP
>> capabilities will slow down a virus that uses UPnP to upen your NAT router
>> up. That virus, willcery its own UPnP client that you won't be allowed to
>> close. The place to disable it if you are going to at all, is in your NAT
>> routers.
>
> The concern is not whether UPnP announcements are going to open my
> network to hostile traffic, but whether or not Pidgin may be listening to
> potentially hostile traffic (e.g. buffer overflows, malicious input). I
> use Pidgin to communicate on a motley collection of chat protocols such
> as AIM, ICQ, Jabber, etc. UPnP is not on my required list of protocols,
> therefore I, like other users who have commented on this issue in the
> past, am trying to disable it so that I am only running the service and
> clients that are necessary for my required functionality.
>
> The resistance to providing even an advanced configuration option or
> plug-in functionality that allows users to follow security best practices
> is surprising. Is there a reason for UPnP to be in an always on state
> that I'm not understanding?
Pidgin only uses UPNP support for two things: determining the external
IP address of a NAT network and opening ports on a NAT network, for peer
to peer connections. If Pidgin is given bogus information at either
time, the worst that should happen is that either the remote client is
told to connect to the wrong IP address or the direct connection simply
fails due to lack of open ports.
Pidgin should not act on a UPNP message received randomly (or even upon
request) by opening a connection or crashing or doing anything else
unpleasant. If you have found a vulnerability in Pidgin that you
believe could cause Pidgin to do something nasty when sent some bogus
UPNP data, we will be more than happy to fix them, but turning off a
UPNP client should not really be necessary.
Kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/pipermail/support/attachments/20071129/b13f5546/attachment.sig>
More information about the Support
mailing list