lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48D26DE7.7020403@secniche.org>
Date: Thu, 18 Sep 2008 20:34:07 +0530
From: Aditya K Sood <0kn0ck@...niche.org>
To: Quark IT - Hilton Travis <Hilton@...rkIT.com.au>
Cc: bugtraq@...urityfocus.com
Subject: Re: Pidgin IM Client Password Disclosure Vulnerability.

Quark IT - Hilton Travis wrote:
> The latest version of Pidgin - 2.5.1 - was released on 2008-08-31.  This
> must be an ancient version you've got here!
>
> --
>
> http://blog.hiltontravis.com/
>
> Regards,
>
> Hilton Travis                       Phone: +61 (0)7 3105 9101
> (Brisbane, Australia)               Phone: +61 (0)419 792 394
> Manager, Quark IT                   http://www.quarkit.com.au
>          Quark Group                http://www.quarkgroup.com.au
>
>      Microsoft SBSC PAL (Australia) http://www.sbscpal.com/
>
> War doesn't determine who is right.  War determines who is left.
>
> This document and any attachments are for the intended recipient 
>   only.  It may contain confidential, privileged or copyright 
>      material which must not be disclosed or distributed.
>
>                     Quark Group Pty. Ltd.
>       T/A Quark Automation, Quark AudioVisual, Quark IT
>
>   
>> -----Original Message-----
>> From: Aditya K Sood [mailto:0kn0ck@...niche.org]
>> Sent: Wednesday, 17 September 2008 10:41 PM
>> To: bugtraq@...urityfocus.com
>> Subject: Pidgin IM Client Password Disclosure Vulnerability.
>>
>> Pidgin IM Client Password Disclosure Vulnerability.
>>
>> *Version Affected:*
>> 0.7.10 Unicode / Previous version can be affected.
>>
>> *Release Date:*
>> 11 September 2008
>>
>> *About:*
>> Pidgin is a graphical modular messaging client based on libpurple
>>     
> which
>   
>> is capable
>> of connecting to AIM, MSN, Yahoo!, XMPP, ICQ, IRC, SILC, SIP/SIMPLE,
>> Novell GroupWise,
>> Lotus Sametime, Bonjour, Zephyr, MySpaceIM, Gadu-Gadu, and QQ all at
>> once. It is written using GTK+.
>>
>> *Description:*
>> The pidgin client inherits client side password disclosure
>> vulnerability. The credentials used to
>> connect to the required service i.e. username and password is not
>> encrypted properly. The credentials
>> can be extracted in clear text by dumping process memory of the live
>> pidgin process when a connection
>> is set. The vulnerability allows anyone with access to the client
>> system
>> to obtain the username and password.
>> Additionally, this vulnerability could also be exploited by fooling
>>     
> the
>   
>> user to execute malicious code which
>> would dump the memory of the process "pidgin.exe"..
>>
>> *Proof of Concept:*
>> http://evilfingers.com/advisory/pidgin_password_disc_vuln.pdf
>> http://secniche/advisory/pidgin_vul.pdf
>> * <cid:part1.02090307.09020405@...niche.org>*
>> *Links: *
>> http://secniche.org/advisory.html
>> http://evilfingers.com/advisory/index.php
>> *
>> Credit:*
>> Aditya K Sood
>>
>> *Disclaimer*
>> The information in the advisory is believed to be accurate at the time
>> of publishing based on currently
>> available information. Use of the information constitutes acceptance
>> for
>> use in an AS IS condition. There is
>> no representation or warranties, either express or implied by or with
>> respect to anything in this document,
>> and shall not be liable for a ny implied warranties of merchantability
>> or fitness for a particular purpose or for
>> any indirect special or consequential damages.
>>     
>
>   
Hi

I have tested the 2.5.1 version. The template was wrongly constructed in 
version number.

Any ways I have changed the things.

Thanks for mentioning the construct.

I appreciate that.

Regards

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ