xorl %eax, %eax

CVE-2010-3088: pidgin-knotify Remote Command Execution

with 3 comments

A vulnerability in the pidgin-knotify plugin (KDE 4 desktop notifications for Pidgin) was reported to the Gentoo bugzilla on 12 September 2010 by Matthias Petschick. I found it pretty neat, so I decided to write about it. The code below was taken from the 0.2.1 release, which is currently the latest release of this plugin. Here is the buggy code, as seen in src/pidgin-knotify.c:

static void
notify(const gchar *title,
       const gchar *body)
{
        gchar *command = NULL;
        int result, timeout;

        timeout = purple_prefs_get_int("/plugins/knotify/notify_timeout");
        /* title and body are inserted into the shell command line unescaped */
        command = g_strdup_printf("kdialog --title '%s' --passivepopup '%s' %d",
                                  title, body, timeout);

        if (command != NULL) {
                result = system(command);
                g_free(command);
        }
}

This is the notify() routine, and it is really straightforward. As you can read, it first invokes purple_prefs_get_int() to retrieve the notify timeout value, which is stored in the signed integer 'timeout'. Then g_strdup_printf() is used to build the shell command to be executed, which is:

kdialog --title 'DIALOG TITLE' --passivepopup 'MESSAGE' TIMEOUT-VALUE

It then uses kdialog to create a pop-up window and notify the user. Finally, if the string stored in 'command' is NULL, it does nothing; otherwise it calls system(3) with the constructed string and then frees the allocated space using g_free(). Since the title and body are placed into that command line without any escaping, message text controlled by the remote contact is interpreted by the shell.
So, as Matthias Petschick reported, receiving a message like:

;touch /tmp/vulnerable;

The command to be executed will result in:

kdialog --title 'DIALOG TITLE' --passivepopup ';touch /tmp/vulnerable;' TIMEOUT-VALUE

And you can basically execute whatever you wish. Awesome vulnerability!
Regarding the patch, Dror Levin of Gentoo will provide one that replaces the system(3) call with DBus routines, as we can read in his comment on the bug report.
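The DBus route above removes the shell entirely; a smaller defensive change, shown here as an added example that is neither the plugin's code nor the Gentoo patch, is to keep kdialog but exec it with an argument vector instead of system(3), so a message like the one above arrives as a single argument and is never parsed by /bin/sh. It assumes POSIX fork/execvp and the kdialog options used by the plugin.

```c
/* Hardened replacement for notify(): exec kdialog with an argv vector instead
 * of system(), so title/body are single arguments and never parsed by /bin/sh.
 * Added example (not pidgin-knotify's code); assumes POSIX fork/execvp. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define KDIALOG_ARGC 6 /* kdialog --title T --passivepopup B TIMEOUT */

/* Fill argv for: kdialog --title <title> --passivepopup <body> <timeout>.
 * timeout_buf receives the decimal timeout; returns the argument count. */
int build_kdialog_argv(const char *title, const char *body, int timeout,
                       char *timeout_buf, size_t timeout_buf_len,
                       const char *argv[KDIALOG_ARGC + 1])
{
    snprintf(timeout_buf, timeout_buf_len, "%d", timeout);
    argv[0] = "kdialog";
    argv[1] = "--title";
    argv[2] = title;           /* one argv element, whatever it contains */
    argv[3] = "--passivepopup";
    argv[4] = body;            /* ';' and quotes here are plain text */
    argv[5] = timeout_buf;
    argv[6] = NULL;
    return KDIALOG_ARGC;
}

/* fork/exec with no shell. Returns kdialog's exit status, -1 on error,
 * 127 if kdialog could not be executed (no shell fallback is attempted). */
int notify_safe(const char *title, const char *body, int timeout)
{
    char tbuf[16];
    const char *argv[KDIALOG_ARGC + 1];
    build_kdialog_argv(title, body, timeout, tbuf, sizeof tbuf, argv);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The kdialog binary still receives the raw title and body, so its own handling of them is unchanged; what disappears is the shell metacharacter parsing that made the injection possible.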

Written by xorl

September 13, 2010 at 22:34

Posted in bugs

3 Responses


  1. ;touch /tmp/vulnerable;
    should be
    ';touch /tmp/vulnerable;'

    a simple ; won't break out of the ''

    cheers,

    smilingjim

    September 14, 2010 at 07:29

  2. The message needs to look like ';touch /tmp/foo;' including the single quotes.
    Without the quotes it just displays the message ;)

    a3li

    September 14, 2010 at 07:40

  3. The system call would be fine IF and ONLY IF the strings were properly tested for certain types of strings and then escaped accordingly to assure that you don’t get a shell :) Sadly, I don’t think there is a good method available in the generic GObject or Glib APIs for that, so you’d essentially have to do the work yourself :(

    Gary Greene

    October 14, 2010 at 08:16
