Executive Summary

Summary
Title Libpurple buffer overflow vulnerability
Informations
Name VU#582244 First vendor Publication 2009-08-21
Vendor VU-CERT Last vendor Modification 2009-08-21
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#582244

Libpurple buffer overflow vulnerability

Overview

The Libpurple instant messenger library contains a vulnerability that may allow an attacker to execute arbitrary code.

I. Description

Libpurple is an instant messenger (IM) library that is used by various programs to connect to multiple networks. Libpurple contains a buffer overflow vulnerability that can be triggered by sending specially crafted MSNSLP messages to a program that is using an affected version of the library.

For more technical details, see CORE Advisory CORE-2009-0727.

II. Impact

An attacker may be able to execute arbitrary code or cause an IM program to crash.

III. Solution

Upgrade

Instant messenger programs may distribute Libpurple and will provide an updated version to their users as a security update. See the systems affected portion of this document for a partial list of affected IM clients. Users who compile Libpurple or IM programs should see the Libpurple site or their operating system vendor for updated software.

Restrict Access

The most likely attack vector for this issue would be via the MSN IM network. Administrators may be able to temporarily mitigate this issue by blocking access to the MSN IM network. This workaround is not likely to be totally effective.

Systems Affected

VendorStatusDate NotifiedDate Updated
PidginVulnerable2009-08-21

References


http://pidgin.im/news/security/?id=34
http://developer.pidgin.im/wiki/WhatIsLibpurple
http://www.coresecurity.com/content/libpurple-arbitrary-write#lref.4
http://msnpiki.msnfanatic.com/index.php/MSNC:MSNSLP
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_500_Series_Firewall_with_software_version_6.x_in_order_to_block_the_MSN_messenger_with_the_access-list_command

Credit

Information from CORE Advisory CORE-2009-0727 was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:2009-08-18
Date First Published:2009-08-21
Date Last Updated:2009-08-21
CERT Advisory: 
CVE-ID(s):CVE-2009-2694
NVD-ID(s):CVE-2009-2694
US-CERT Technical Alerts: 
Metric:10.19
Document Revision:12

Original Source

Url : http://www.kb.cert.org/vuls/id/582244

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10319
 
Oval ID: oval:org.mitre.oval:def:10319
Title: The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.
Description: The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.
Family: unix Class: vulnerability
Reference(s): CVE-2009-2694
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13849
 
Oval ID: oval:org.mitre.oval:def:13849
Title: USN-820-1 -- pidgin vulnerability
Description: Federico Muttis discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges.
Family: unix Class: patch
Reference(s): USN-820-1
CVE-2009-2694
Version: 5
Platform(s): Ubuntu 8.10
Ubuntu 8.04
Ubuntu 9.04
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22782
 
Oval ID: oval:org.mitre.oval:def:22782
Title: ELSA-2009:1218: pidgin security update (Critical)
Description: The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.
Family: unix Class: patch
Reference(s): ELSA-2009:1218-01
CVE-2009-2694
Version: 6
Platform(s): Oracle Linux 5
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:29222
 
Oval ID: oval:org.mitre.oval:def:29222
Title: RHSA-2009:1218 -- pidgin security update (Critical)
Description: Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. Federico Muttis of Core Security Technologies discovered a flaw in Pidgin's MSN protocol handler. If a user received a malicious MSN message, it was possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-2694)
Family: unix Class: patch
Reference(s): RHSA-2009:1218
CESA-2009:1218-CentOS 5
CESA-2009:1218-CentOS 3
CVE-2009-2694
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 5
CentOS Linux 3
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6320
 
Oval ID: oval:org.mitre.oval:def:6320
Title: Pidgin before 2.5.9 allow denial of service via SLP (aka MSNSLP) messages
Description: The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.
Family: windows Class: vulnerability
Reference(s): CVE-2009-2694
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Pidgin
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 18
Application 36

ExploitDB Exploits

id Description
2009-09-09 Pidgin MSN <= 2.5.8 Remote Code Execution Exploit

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for finch CESA-2009:1218 centos5 i386
File : nvt/gb_CESA-2009_1218_finch_centos5_i386.nasl
2011-08-09 Name : CentOS Update for pidgin CESA-2009:1218 centos3 i386
File : nvt/gb_CESA-2009_1218_pidgin_centos3_i386.nasl
2010-05-28 Name : Fedora Update for pidgin FEDORA-2010-8523
File : nvt/gb_fedora_2010_8523_pidgin_fc11.nasl
2010-03-02 Name : Fedora Update for pidgin FEDORA-2010-1279
File : nvt/gb_fedora_2010_1279_pidgin_fc11.nasl
2010-03-02 Name : Fedora Update for pidgin FEDORA-2010-0429
File : nvt/gb_fedora_2010_0429_pidgin_fc11.nasl
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:321 (pidgin)
File : nvt/mdksa_2009_321.nasl
2009-10-27 Name : Fedora Core 11 FEDORA-2009-10662 (pidgin)
File : nvt/fcore_2009_10662.nasl
2009-10-27 Name : Fedora Core 10 FEDORA-2009-10702 (pidgin)
File : nvt/fcore_2009_10702.nasl
2009-10-27 Name : Gentoo Security Advisory GLSA 200910-02 (pidgin)
File : nvt/glsa_200910_02.nasl
2009-09-15 Name : Mandrake Security Advisory MDVSA-2009:230 (pidgin)
File : nvt/mdksa_2009_230.nasl
2009-09-02 Name : Ubuntu USN-820-1 (pidgin)
File : nvt/ubuntu_820_1.nasl
2009-09-02 Name : RedHat Security Advisory RHSA-2009:1218
File : nvt/RHSA_2009_1218.nasl
2009-09-02 Name : CentOS Security Advisory CESA-2009:1218 (pidgin)
File : nvt/ovcesa2009_1218.nasl
2009-09-02 Name : FreeBSD Ports: pidgin, libpurple, finch
File : nvt/freebsd_pidgin0.nasl
2009-09-02 Name : Fedora Core 11 FEDORA-2009-8874 (pidgin)
File : nvt/fcore_2009_8874.nasl
2009-09-02 Name : Fedora Core 10 FEDORA-2009-8826 (pidgin)
File : nvt/fcore_2009_8826.nasl
2009-09-02 Name : Fedora Core 11 FEDORA-2009-8804 (gupnp-igd)
File : nvt/fcore_2009_8804.nasl
2009-09-02 Name : Fedora Core 10 FEDORA-2009-8791 (pidgin)
File : nvt/fcore_2009_8791.nasl
2009-09-02 Name : Debian Security Advisory DSA 1870-1 (pidgin)
File : nvt/deb_1870_1.nasl
2009-08-26 Name : Pidgin MSN SLP Packets Denial Of Service Vulnerability (Linux)
File : nvt/secpod_pidgin_msnslp_dos_vuln_lin.nasl
2009-08-26 Name : Pidgin MSN SLP Packets Denial Of Service Vulnerability (Win)
File : nvt/secpod_pidgin_msnslp_dos_vuln_win.nasl
0000-00-00 Name : Slackware Advisory SSA:2009-231-02 pidgin
File : nvt/esoft_slk_ssa_2009_231_02.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
55246 Adium libpurple msn_slplink_process_msg() Function MSN SLP Message Handling R...

54647 Pidgin libpurple msn_slplink_process_msg() Function MSN SLP Message Handling ...

Pidgin MSN protocol handling library (libpurple) contains a flaw that may allow a malicious user to cause memory corruption. The issue is triggered when a specially crafted MSN SLP packet is sent. It is possible that the flaw may allow remote code execution resulting in a loss of integrity.

Snort® IPS/IDS

Date Description
2014-01-10 Pidgin MSN P2P message 64bit integer overflow attempt
RuleID : 15895 - Revision : 3 - Type : CHAT
2014-01-10 Pidgin MSNP2P message integer overflow attempt
RuleID : 14263 - Revision : 8 - Type : POLICY-SOCIAL

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1218.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1060.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20090818_pidgin_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-8523.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-1279.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-0429.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1870.nasl - Type : ACT_GATHER_INFO
2010-01-19 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-886-1.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1060.nasl - Type : ACT_GATHER_INFO
2009-12-07 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-321.nasl - Type : ACT_GATHER_INFO
2009-10-23 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200910-02.nasl - Type : ACT_GATHER_INFO
2009-10-22 Name : The remote Fedora host is missing a security update.
File : fedora_2009-10662.nasl - Type : ACT_GATHER_INFO
2009-10-22 Name : The remote Fedora host is missing a security update.
File : fedora_2009-10702.nasl - Type : ACT_GATHER_INFO
2009-09-14 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-230.nasl - Type : ACT_GATHER_INFO
2009-08-24 Name : The remote Fedora host is missing a security update.
File : fedora_2009-8874.nasl - Type : ACT_GATHER_INFO
2009-08-24 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-820-1.nasl - Type : ACT_GATHER_INFO
2009-08-24 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_59e7af2d8db711de883b001e3300a30d.nasl - Type : ACT_GATHER_INFO
2009-08-24 Name : The remote Fedora host is missing a security update.
File : fedora_2009-8791.nasl - Type : ACT_GATHER_INFO
2009-08-24 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2009-8804.nasl - Type : ACT_GATHER_INFO
2009-08-24 Name : The remote Fedora host is missing a security update.
File : fedora_2009-8826.nasl - Type : ACT_GATHER_INFO
2009-08-20 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1218.nasl - Type : ACT_GATHER_INFO
2009-08-20 Name : The remote host has an instant messaging client that is affected by a memory ...
File : pidgin_2_5_9.nasl - Type : ACT_GATHER_INFO
2009-08-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1218.nasl - Type : ACT_GATHER_INFO
2009-08-20 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2009-231-02.nasl - Type : ACT_GATHER_INFO
2009-05-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1060.nasl - Type : ACT_GATHER_INFO