CVE-2011-2943 - Denial of Service and Security Bypass vulnerability in Pidgin Libpurple and Pidgin
Attack vector | NETWORK
Attack complexity | MEDIUM
Privileges required | NONE
Confidentiality impact | NONE
Integrity impact | NONE
Availability impact | PARTIAL
Summary
The irc_msg_who function in msgs.c in the IRC protocol plugin in libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly validate characters in nicknames, which allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted nickname that is not properly handled in a WHO response. Weakness class: CWE-476, NULL Pointer Dereference (http://cwe.mitre.org/data/definitions/476.html).
Vulnerable Configurations
Nessus
NASL family | Windows
NASL id | PIDGIN_2_10_0.NASL
description | The version of Pidgin installed on the remote host is earlier than 2.10.0. As such, it is potentially affected by the following issues : - A code execution vulnerability caused by clicking on a file:// URI received in an IM that Pidgin will attempt to execute. This can result in the execution of attacker-controlled code if the file is located on a network share. (CVE-2011-3185) - A denial of service in the IRC protocol plugin caused by processing a specially crafted nickname when listing the set of users. (CVE-2011-2943) - A denial of service in the MSN protocol plugin caused by incorrect handling of HTTP 100 responses. This only affects users who have enabled the HTTP connection method, which is disabled by default. (CVE-2011-3184)
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 55928
published | 2011-08-22
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/55928
title | Pidgin < 2.10.0 Multiple Vulnerabilities
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(55928);
  script_version("1.7");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2011-2943", "CVE-2011-3184", "CVE-2011-3185");
  script_bugtraq_id(49268);

  script_name(english:"Pidgin < 2.10.0 Multiple Vulnerabilities");
  script_summary(english:"Does a version check");

  script_set_attribute(
    attribute:"synopsis",
    value:
"An instant messaging client installed on the remote Windows host has
multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Pidgin installed on the remote host is earlier than
2.10.0. As such, it is potentially affected by the following issues :

  - A code execution vulnerability caused by clicking on a
    file:// URI received in an IM that Pidgin will attempt to
    execute. This can result in the execution of
    attacker-controlled code if the file is located on a
    network share. (CVE-2011-3185)

  - A denial of service in the IRC protocol plugin caused by
    processing a specially crafted nickname when listing the
    set of users. (CVE-2011-2943)

  - A denial of service in the MSN protocol plugin caused by
    incorrect handling of HTTP 100 responses. This only
    affects users who have enabled the HTTP connection
    method, which is disabled by default. (CVE-2011-3184)"
  );
  script_set_attribute(attribute:"see_also",value:"https://www.insomniasec.com/home");
  script_set_attribute(attribute:"see_also",value:"https://www.securityfocus.com/archive/1/519391/30/0/threaded");
  script_set_attribute(attribute:"see_also",value:"http://pidgin.im/news/security/?id=53");
  script_set_attribute(attribute:"see_also",value:"http://pidgin.im/news/security/?id=54");
  script_set_attribute(attribute:"see_also",value:"http://pidgin.im/news/security/?id=55");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to Pidgin 2.10.0 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/08/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pidgin:pidgin");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("pidgin_installed.nasl");
  script_require_keys("SMB/Pidgin/Version");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Version string is populated by pidgin_installed.nasl; exit quietly if absent.
version = get_kb_item_or_exit("SMB/Pidgin/Version");
fixed_version = '2.10.0';

# ver_compare() returns -1 when the installed version sorts before the fix.
if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  path = get_kb_item_or_exit("SMB/Pidgin/Path");
  port = get_kb_item("SMB/transport");

  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "Pidgin " + version + " is installed and hence not affected.");
NASL family | Mandriva Local Security Checks
NASL id | MANDRIVA_MDVSA-2011-132.NASL
description | Multiple vulnerabilities has been identified and fixed in pidgin : It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines. A remote attacker could provide a specially crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure. Using this structure, possibly containing a huge width and height, could lead to the application being terminated due to excessive memory use (CVE-2011-2485). Certain characters in the nicknames of IRC users can trigger a NULL pointer dereference in the IRC protocol plugin
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 56109
published | 2011-09-07
reporter | This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/56109
title | Mandriva Linux Security Advisory : pidgin (MDVSA-2011:132-1)
code |

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2011:132.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(56109);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:54");

  script_cve_id(
    "CVE-2011-2485",
    "CVE-2011-2943",
    "CVE-2011-3184"
  );
  script_bugtraq_id(
    48425,
    49268
  );
  script_xref(name:"MDVSA", value:"2011:132");
  script_xref(name:"MDVSA", value:"2011:132-1");

  script_name(english:"Mandriva Linux Security Advisory : pidgin (MDVSA-2011:132-1)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandriva Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple vulnerabilities has been identified and fixed in pidgin :

It was found that the gdk-pixbuf GIF image loader routine
gdk_pixbuf__gif_image_load() did not properly handle certain return
values from its subroutines. A remote attacker could provide a
specially crafted GIF image, which, once opened in Pidgin, would lead
gdk-pixbuf to return a partially initialized pixbuf structure. Using
this structure, possibly containing a huge width and height, could
lead to the application being terminated due to excessive memory use
(CVE-2011-2485).

Certain characters in the nicknames of IRC users can trigger a NULL
pointer dereference in the IRC protocol plugin's handling of responses
to WHO requests. This can cause a crash on some operating systems.
Clients based on libpurple 2.8.0 through 2.9.0 are affected
(CVE-2011-2943).

Incorrect handling of HTTP 100 responses in the MSN protocol plugin
can cause the application to attempt to access memory that it does
not have access to. This only affects users who have turned on the
HTTP connection method for their accounts (it's off by default). This
might only be triggerable by a malicious server and not a malicious
peer. We believe remote code execution is not possible
(CVE-2011-3184).

This update provides pidgin 2.10.0, which is not vulnerable to these
issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://pidgin.im/news/security/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:finch");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64finch0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64purple-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64purple0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libfinch0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpurple-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpurple0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-bonjour");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-gevolution");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-i18n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-meanwhile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-plugins");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-silc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:pidgin-tcl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2011");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/09/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/09/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Bail out unless local checks ran on a Mandriva host with an rpm list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# rpm_check() is true when the installed package is older than the reference.
flag = 0;
if (rpm_check(release:"MDK2009.0", reference:"finch-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64finch0-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64purple-devel-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64purple0-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libfinch0-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libpurple-devel-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libpurple0-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-bonjour-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-client-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-gevolution-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-i18n-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-meanwhile-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-perl-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-plugins-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-silc-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"pidgin-tcl-2.10.0-0.1mdv2009.0", yank:"mdv")) flag++;

if (rpm_check(release:"MDK2010.1", reference:"finch-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", cpu:"x86_64", reference:"lib64finch0-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", cpu:"x86_64", reference:"lib64purple-devel-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", cpu:"x86_64", reference:"lib64purple0-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", cpu:"i386", reference:"libfinch0-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", cpu:"i386", reference:"libpurple-devel-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", cpu:"i386", reference:"libpurple0-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-bonjour-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-client-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-gevolution-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-i18n-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-meanwhile-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-perl-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-plugins-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-silc-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"pidgin-tcl-2.10.0-0.1mdv2010.2", yank:"mdv")) flag++;

if (rpm_check(release:"MDK2011", reference:"finch-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", cpu:"x86_64", reference:"lib64finch0-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", cpu:"x86_64", reference:"lib64purple-devel-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", cpu:"x86_64", reference:"lib64purple0-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", cpu:"i386", reference:"libfinch0-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", cpu:"i386", reference:"libpurple-devel-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", cpu:"i386", reference:"libpurple0-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-bonjour-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-client-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-gevolution-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-i18n-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-meanwhile-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-perl-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-plugins-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-silc-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"pidgin-tcl-2.10.0-0.1-mdv2011.0", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Oval
accepted | 2013-09-30T04:00:47.251-04:00
class | vulnerability
contributors |
definition_extensions |
description | The irc_msg_who function in msgs.c in the IRC protocol plugin in libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly validate characters in nicknames, which allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted nickname that is not properly handled in a WHO response.
family | windows
id | oval:org.mitre.oval:def:18005
status | accepted
submitted | 2013-08-16T15:36:10.221-04:00
title | The irc_msg_who function in msgs.c in the IRC protocol plugin in libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly validate characters in nicknames, which allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted nickname that is not properly handled in a WHO response
version | 4
Seebug
bulletinFamily | exploit |
description | Bugtraq ID: 49268 CVE ID: CVE-2011-2943. Pidgin is a multi-protocol instant messaging client. Pidgin contains security vulnerabilities that allow a malicious attacker to carry out denial of service or arbitrary code execution attacks. 1) The IRC protocol plugin has an error when processing WHO responses in which the nickname contains special characters, which can be exploited to trigger a NULL pointer dereference. 2) The MSN protocol plugin has an error when parsing HTTP 100 responses, which can be exploited to crash the application. Successful exploitation requires the HTTP connection method to be enabled (it is disabled by default) and a malicious server. 3) Pidgin supports URL handlers in IM sessions; on the Windows platform the URL is passed directly to the ShellExecute API and run as the current user. When passed via a file:// URL, a malicious executable placed on a WebDAV/SMB share can be loaded and executed. Affected: Pidgin 2.x. Vendor solution: Pidgin 2.10.0 fixes these vulnerabilities; users are advised to download and install it from http://pidgin.im/
id | SSV:20895 |
last seen | 2017-11-19 |
modified | 2011-08-25 |
published | 2011-08-25 |
reporter | Root |
title | Pidgin denial of service and security bypass vulnerabilities
References
- http://developer.pidgin.im/viewmtn/revision/diff/5749f9193063800d27bef75c2388f6f9cc2f7f37/with/5c2dba4a7e2e76b76e7f472b88953a4316706d43/libpurple/protocols/irc/msgs.c
- http://developer.pidgin.im/viewmtn/revision/info/5c2dba4a7e2e76b76e7f472b88953a4316706d43
- http://pidgin.im/news/security/?id=53
- http://secunia.com/advisories/45663
- http://secunia.com/advisories/45916
- http://securitytracker.com/id?1025961
- http://www.openwall.com/lists/oss-security/2011/08/20/2
- http://www.openwall.com/lists/oss-security/2011/08/22/2
- http://www.securityfocus.com/bid/49268
- https://bugzilla.redhat.com/show_bug.cgi?id=722939
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69340
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18005