lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F490CE2.6020308@census-labs.com>
Date: Sat, 25 Feb 2012 18:31:30 +0200
From: Dimitris Glynos <dimitris@...sus-labs.com>
To: bugtraq@...urityfocus.com
CC: full-disclosure@...ts.grok.org.uk
Subject: pidgin OTR information leakage

Pidgin transmits OTR (off-the-record) conversations over DBUS in
plaintext. This makes it possible for attackers that have gained
user-level access on a host, to listen in on private conversations
associated with the victim account.

Pidgin is a popular Instant Messenger application that runs on a wide
variety of platforms including Windows and Linux. The pidgin-otr plugin
enables users to communicate securely over any Instant Messenger network
using the “Off-the-record” messaging protocol.

If Pidgin is compiled with DBUS support and there is a DBUS session
daemon running on the system, then all messages that are typed into
Pidgin and messages received through Pidgin are broadcasted on DBUS. The
reasoning behind this is to allow for third party applications, such as
desktop widgets to process these messages (e.g. create an animation when
a message arrives). However, among the messages transmitted over DBUS
one also finds OTR conversations in plaintext form. This is a security
problem, as the private OTR messages may leak to other (unrelated)
processes that are executing with the Pidgin user’s rights.

A more detailed advisory and proof-of-concept script can be found here:
http://census-labs.com/news/2012/02/25/pidgin-otr-info-leak/

The Pidgin and pidgin-otr development teams have been contacted about
this issue and we anticipate a fix in a coordinated future release.

The Common Vulnerabilities and Exposures (CVE) project has
assigned candidate name CVE-2012-1257 to this issue.

Disclosure Timeline
-------------------
Vendor Contact(s): December 20th, 2011
CVE assignment:    February 21st, 2012
Public Disclosure: February 25th, 2012

Kind regards,

Dimitris Glynos
--
http://census-labs.com -- IT security research, development and services

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ