xorl %eax, %eax

Pidgin MSN-SLP Emoticon Directory Traversal


This is an awesome vulnerability discovered and disclosed by Fabian Yamaguchi (aka fabs) in his presentation “cat /proc/sys/net/ipv4/fuckups” at 26c3. The vulnerability affects both the Pidgin and Adium IM clients. Here is the buggy code as seen in the 2.6.4 release of Pidgin.

static void
got_sessionreq(MsnSlpCall *slpcall, const char *branch,
			   const char *euf_guid, const char *context)
{
	gboolean accepted = FALSE;

	if (!strcmp(euf_guid, MSN_OBJ_GUID))
	{
		/* Emoticon or UserDisplay */
		char *content;
		gsize len;
		MsnSlpLink *slplink;
		MsnSlpMessage *slpmsg;
		MsnObject *obj;
		char *msnobj_data;
		PurpleStoredImage *img;
		int type;

		/* Send Ok */
		...
		/* 'context' comes straight from the remote peer's SLP request */
		msnobj_data = (char *)purple_base64_decode(context, &len);
		obj = msn_object_new_from_string(msnobj_data);
		type = msn_object_get_type(obj);
		g_free(msnobj_data);
		...
		if (type == MSN_OBJECT_EMOTICON) {
			char *path;
			/* obj->location is remote-controlled and joined unchecked */
			path = g_build_filename(purple_smileys_get_storing_dir(),
					obj->location, NULL);
			img = purple_imgstore_new_from_file(path);
			g_free(path);
		...
		msn_slpmsg_set_image(slpmsg, img);
		msn_slplink_queue_slpmsg(slplink, slpmsg);
		purple_imgstore_unref(img);

		accepted = TRUE;
	}
	...
}

This code was taken from libpurple/protocols/msn/slp.c. As you can see, it first Base64-decodes the received context into ‘msnobj_data’ and then passes that buffer to msn_object_new_from_string() to build the ‘MsnObject’ structure. This type is defined at libpurple/protocols/msn/slp.h and it includes:

typedef struct
{
	gboolean local;

	char *creator;
	int size;
	MsnObjectType type;
	PurpleStoredImage *img;
	char *location;   /* file name taken verbatim from the remote object */
	char *friendly;
	char *sha1d;
	char *sha1c;

} MsnObject;

You should be getting the idea by now… Back to got_sessionreq(): if the type of the received object (retrieved using msn_object_get_type()) is MSN_OBJECT_EMOTICON, meaning that it is an emoticon, it invokes g_build_filename() to build the file name from Pidgin’s default directory for emoticons, retrieved through purple_smileys_get_storing_dir(), and the user-controlled ‘obj->location’. Since ‘obj->location’ is never validated, a remote user could send an MSN request for an emoticon with a location of, for example, “../../.bashrc” as fabs did in his presentation, and thus receive arbitrary files from the victim’s system.
Back to the code, you can see that it later uses purple_imgstore_new_from_file() to load the contents of that file and, finally, msn_slpmsg_set_image() to attach the image and msn_slplink_queue_slpmsg() to queue it for sending back to the remote peer.
A really interesting vulnerability which, as fabs pointed out, is more of a protocol-level issue. Quite awesome.
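As an added example (not Pidgin’s code), here is how the received ‘location’ can be validated before it is joined with the emoticon directory; naive_build_filename() is a plain-C stand-in for the unchecked g_build_filename() join so the example runs without GLib, and the directory path and file names are constructed for the demo.

```c
/* Added example, not Pidgin's code: reject a MsnObject location that is
 * not a bare file name before joining it with the emoticon directory. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the vulnerable join: directory + "/" + location, unchecked. */
static int naive_build_filename(const char *dir, const char *location,
                                char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", dir, location);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* True only if `location` is a single plain file name: non-empty, no
 * path separators, not "." or "..". Checking the component itself means
 * "../../.bashrc" and "a/../../etc/passwd" are both rejected. */
static bool is_safe_location(const char *location)
{
    if (location == NULL || *location == '\0')
        return false;
    if (strcmp(location, ".") == 0 || strcmp(location, "..") == 0)
        return false;
    if (strpbrk(location, "/\\") != NULL)
        return false;
    return true;
}

/* Hardened join: refuses anything that is not a bare file name. */
static int safe_build_filename(const char *dir, const char *location,
                               char *out, size_t outlen)
{
    if (!is_safe_location(location))
        return -1;
    return naive_build_filename(dir, location, out, outlen);
}

int main(void)
{
    const char *dir = "/home/user/.purple/custom_smiley";  /* constructed */
    const char *locs[] = { "smile.png", "../../.bashrc", "a/../../etc/passwd" };
    char buf[512];
    for (size_t i = 0; i < 3; i++) {
        if (safe_build_filename(dir, locs[i], buf, sizeof buf) == 0)
            printf("accepted: %s\n", buf);
        else
            printf("rejected: %s\n", locs[i]);
    }
    return 0;
}
```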

Written by xorl

January 1, 2010 at 06:28

Posted in bugs
