| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Sep 2008 20:34:07 +0530 From: Aditya K Sood <0kn0ck@...niche.org> To: Quark IT - Hilton Travis <Hilton@...rkIT.com.au> Cc: bugtraq@...urityfocus.com Subject: Re: Pidgin IM Client Password Disclosure Vulnerability. Quark IT - Hilton Travis wrote: > The latest version of Pidgin - 2.5.1 - was released on 2008-08-31. This > must be an ancient version you've got here! > > -- > > http://blog.hiltontravis.com/ > > Regards, > > Hilton Travis Phone: +61 (0)7 3105 9101 > (Brisbane, Australia) Phone: +61 (0)419 792 394 > Manager, Quark IT http://www.quarkit.com.au > Quark Group http://www.quarkgroup.com.au > > Microsoft SBSC PAL (Australia) http://www.sbscpal.com/ > > War doesn't determine who is right. War determines who is left. > > This document and any attachments are for the intended recipient > only. It may contain confidential, privileged or copyright > material which must not be disclosed or distributed. > > Quark Group Pty. Ltd. > T/A Quark Automation, Quark AudioVisual, Quark IT > > >> -----Original Message----- >> From: Aditya K Sood [mailto:0kn0ck@...niche.org] >> Sent: Wednesday, 17 September 2008 10:41 PM >> To: bugtraq@...urityfocus.com >> Subject: Pidgin IM Client Password Disclosure Vulnerability. >> >> Pidgin IM Client Password Disclosure Vulnerability. >> >> *Version Affected:* >> 0.7.10 Unicode / Previous version can be affected. >> >> *Release Date:* >> 11 September 2008 >> >> *About:* >> Pidgin is a graphical modular messaging client based on libpurple >> > which > >> is capable >> of connecting to AIM, MSN, Yahoo!, XMPP, ICQ, IRC, SILC, SIP/SIMPLE, >> Novell GroupWise, >> Lotus Sametime, Bonjour, Zephyr, MySpaceIM, Gadu-Gadu, and QQ all at >> once. It is written using GTK+. >> >> *Description:* >> The pidgin client inherits client side password disclosure >> vulnerability. The credentials used to >> connect to the required service i.e. username and password is not >> encrypted properly. The credentials >> can be extracted in clear text by dumping process memory of the live >> pidgin process when a connection >> is set. The vulnerability allows anyone with access to the client >> system >> to obtain the username and password. >> Additionally, this vulnerability could also be exploited by fooling >> > the > >> user to execute malicious code which >> would dump the memory of the process "pidgin.exe".. >> >> *Proof of Concept:* >> http://evilfingers.com/advisory/pidgin_password_disc_vuln.pdf >> http://secniche/advisory/pidgin_vul.pdf >> * <cid:part1.02090307.09020405@...niche.org>* >> *Links: * >> http://secniche.org/advisory.html >> http://evilfingers.com/advisory/index.php >> * >> Credit:* >> Aditya K Sood >> >> *Disclaimer* >> The information in the advisory is believed to be accurate at the time >> of publishing based on currently >> available information. Use of the information constitutes acceptance >> for >> use in an AS IS condition. There is >> no representation or warranties, either express or implied by or with >> respect to anything in this document, >> and shall not be liable for a ny implied warranties of merchantability >> or fitness for a particular purpose or for >> any indirect special or consequential damages. >> > > Hi I have tested the 2.5.1 version. The template was wrongly constructed in version number. Any ways I have changed the things. Thanks for mentioning the construct. I appreciate that. Regards
Powered by blists - more mailing lists