[Pidgin] #2264: Jabber: Client and OS version visible to authorized buddies

Pidgin trac at pidgin.im
Wed Jul 25 00:40:03 EDT 2007


#2264: Jabber: Client and OS version visible to authorized buddies
-------------------------------+--------------------------------------------
 Reporter:  alexkon            |       Type:  defect
   Status:  new                |   Priority:  minor 
Component:  pidgin (gtk)       |    Version:  2.0.2 
 Keywords:  security, privacy  |    Pending:  0     
-------------------------------+--------------------------------------------
 = Summary =

 If you use XMPP (Jabber), Pidgin (formerly Gaim) discloses its exact
 version number, your operating system details and hardware architecture to
 the buddies whom you have authorized. I tested Pidgin 2.0.2 on Windows XP
 and Gaim 1:2.0.0+beta6-1ubuntu4 from Ubuntu 7.04 Feisty Fawn.

 Under GNU/Linux, the precise kernel version number is reported. Under
 Windows, the OS version number seems to reflect only major releases, like
 Windows 2000 or Windows XP.


 = Security and privacy implications =

 Disclosing so much information about your system is a security exposure.
 It can facilitate, for example, a) spreading Pidgin worms, b) conducting a
 targeted attack without being noticed, or c) OS version scanning behind
 firewalls.

 You might also object to sharing information about your operating system
 and IM client with your buddies.


 == Sample attack schemes ==

 Included here to scare you if you don't take security seriously or if you
 think that limiting it to authorized buddies is secure enough.

 === a) Spreading worms that exploit Pidgin (Gaim) vulnerabilities ===

 If the worm writer can remotely exploit one or more vulnerabilities in
 Pidgin, the ability to reliably detect the version and platform of the
 peers comes in handy. Instead of crashing some clients or being noticed by
 their users, the worm will be able to infect all vulnerable clients
 without making noise. Because the worm infects users' clients, it will
 already be authorized by most of its next victims.

 === b) Targeted attack without leaving lots of traces ===

 If Eve is not yet authorized by you, she first tricks you into authorizing
 her by being, or pretending to be, somebody you are interested in
 communicating with. Using this Pidgin exposure, she learns what hardware
 you have and what OS you are running. From that information she may be
 able to deduce your GNU/Linux distribution and the versions of other
 programs that often come with your kernel. To perform her real attack, she
 uses an exploit that is known to work against the exact version of Pidgin,
 the kernel, or other software that you are running. As in the worm
 example, Eve could succeed from the first shot, thus leaving far fewer
 traces for your intrusion detection system to notice. If she didn't know
 the version numbers, she'd have to try her exploits one by one, making
 more noise and increasing your chance of detecting her intrusion attempts.

 === c) OS version scanning behind firewalls ===

 First, Trudy collects a list of interesting users from multiple sources on
 the web, from a directory of an organization's employees, and so on. Her
 XMPP bot goes over the list of users, tricking them into authorizing it
 and, if they are running Pidgin, recording their OS details. To find out
 the IP of each user, the bot or Trudy herself can have the user send a
 file or an email to her. If there is no smart proxy in the way, the
 sender's IP will be known from the direct file transfer to Trudy's host or
 from the Received mail headers. Now Trudy can use the version information
 obtained to find hosts with known vulnerabilities and mount further
 attacks... Windows versions of Pidgin are immune to this kind of attack, as
 they don't report exact version numbers of the OS components.


 = To reproduce the problem: =

 1. Open Pidgin and log in to your Jabber account. (If you don't have one,
 you can register at jabber.org or gmail.com, among others.) This client
 will be the "victim" of information disclosure.

 2. Open any XMPP-capable client (or maybe just another copy of Pidgin in a
 different session) and log in to another Jabber account. This client will
 be the "attacker".

 3. Add your victim account to the buddy list of the attacker.

 4. Authorize the attacker from the victim client.

 5. In your attacker client, examine the victim's user information. In
 Pidgin (Gaim) you can right-click an entry in the buddy list and select
 Get Info.

 6. The version number of the victim's Pidgin and operating system appear.
 In Pidgin, they are listed under Client and Operating System like this:

   Client: gaim 2.0.0beta6
   Operating System: Linux 2.6.20-16-generic i686


 = Fix =

 The safest default that still provides the intended functionality would be
 reporting "Pidgin" as the client name and "Windows", "FreeBSD", "Linux" or
 "Mac OS" as the operating system. I wonder, though, why an instant
 messaging client should silently report my operating system to anyone with
 whom I like to chat.

 At the very least, the exact version number of Pidgin and the OS kernel
 (under non-Windows systems) shouldn't be reported. They could be truncated
 to their major versions, like Pidgin 2, Windows XP, Linux 2.6.

 If there is a configuration option to set what versions Pidgin reports
 (without rebuilding it from source), please let me know.
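 Both the reproduction steps and the proposed fix come down to the
 jabber:iq:version reply (XEP-0092) that a client sends back when a buddy
 uses Get Info. The following is an added example, not Pidgin's own code: it
 builds that reply once verbatim (what the ticket observes) and once truncated
 to major versions as suggested above, then parses what the buddy would see.
 The JID and stanza id are made up; the Client/OS strings are the ticket's.

```python
import re
import xml.etree.ElementTree as ET

NS = "jabber:iq:version"  # namespace of the XEP-0092 query behind "Get Info"


def truncate_version(version, keep):
    """Keep only the first `keep` numeric components: '2.0.0beta6' -> '2' (keep=1),
    '2.6.20-16-generic' -> '2.6' (keep=2). Strings with no leading number stay as-is."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return version
    return ".".join(m.group(0).split(".")[:keep])


def minimize_os(os_string):
    """Truncate the kernel/OS version and drop everything after it, including the
    architecture: 'Linux 2.6.20-16-generic i686' -> 'Linux 2.6'; 'Windows XP' is kept."""
    out = []
    for token in os_string.split():
        if token[:1].isdigit():
            out.append(truncate_version(token, 2))
            break  # the trailing 'i686' (hardware architecture) is never reported
        out.append(token)
    return " ".join(out)


def version_reply(iq_id, to, name, version, os_string, minimal=True):
    """Build the <iq type='result'> answering a jabber:iq:version request.
    minimal=False reproduces the verbose reply; minimal=True applies the ticket's proposal."""
    iq = ET.Element("iq", {"type": "result", "id": iq_id, "to": to})
    query = ET.SubElement(iq, "query", {"xmlns": NS})
    ET.SubElement(query, "name").text = name
    ET.SubElement(query, "version").text = truncate_version(version, 1) if minimal else version
    ET.SubElement(query, "os").text = minimize_os(os_string) if minimal else os_string
    return ET.tostring(iq, encoding="unicode")


def parse_version_reply(xml_text):
    """What the buddy's client shows under Client / Operating System."""
    query = ET.fromstring(xml_text).find(f"{{{NS}}}query")
    return {child.tag.split("}")[1]: child.text for child in query}


if __name__ == "__main__":
    # Values from step 6 of the ticket; JID and stanza id are made up.
    args = ("v1", "buddy@example.org/pidgin", "gaim", "2.0.0beta6", "Linux 2.6.20-16-generic i686")
    print(parse_version_reply(version_reply(*args, minimal=False)))  # verbose disclosure
    print(parse_version_reply(version_reply(*args)))                 # minimized reply
```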


 = Other protocols =

 I have not looked into other instant messaging protocols that Pidgin
 supports. There may be similar exposures in them.


  -- Alexander Konovalenko

-- 
Ticket URL: <http://developer.pidgin.im/ticket/2264>
Pidgin <http://pidgin.im>