Vulnerability Details
Pidgin Libpurple MSN-SLP Emoticon Directory Traversal Vulnerability
Vulnerability Summary
Pidgin is a cross-platform instant messaging client that supports several common instant messaging protocols, so users can sign in to different services from a single application. Pidgin's Libpurple library has a security vulnerability in its implementation of the custom emoticon feature: a remote attacker can read the contents of arbitrary files by submitting an MSN emoticon request that contains directory traversal sequences. The vulnerable code segment in libpurple/protocols/msn/slp.c is:

    static void
    got_sessionreq(MsnSlpCall *slpcall, const char *branch,
                   const char *euf_guid, const char *context)
    {
        gboolean accepted = FALSE;

        if (!strcmp(euf_guid, MSN_OBJ_GUID))
        {
            /* Emoticon or UserDisplay */
            char *content;
            gsize len;
            MsnSlpLink *slplink;
            MsnSlpMessage *slpmsg;
            MsnObject *obj;
            char *msnobj_data;
            PurpleStoredImage *img;
            int type;

            /* Send Ok */
            ...
            msnobj_data = (char *)purple_base64_decode(context, &len);
            obj = msn_object_new_from_string(msnobj_data);
            type = msn_object_get_type(obj);
            g_free(msnobj_data);
            ...
            if (type == MSN_OBJECT_EMOTICON) {
                char *path;
                /* obj->location comes from the remote request and is not validated */
                path = g_build_filename(purple_smileys_get_storing_dir(),
                                        obj->location, NULL);
                img = purple_imgstore_new_from_file(path);
                g_free(path);
                ...
                msn_slpmsg_set_image(slpmsg, img);
                msn_slplink_queue_slpmsg(slplink, slpmsg);
                purple_imgstore_unref(img);
                accepted = TRUE;
            }
            ...
    }

The code above first decodes the Base64-encoded context and stores the result in msnobj_data. That pointer is then passed to msn_object_new_from_string() to obtain an MsnObject structure. This type is defined in libpurple/protocols/msn/slp.h and contains:

    typedef struct
    {
        gboolean local;
        char *creator;
        int size;
        MsnObjectType type;
        PurpleStoredImage *img;
        char *location;
        char *friendly;
        char *sha1d;
        char *sha1c;
    } MsnObject;

In got_sessionreq(), if the type of the received object (retrieved with msn_object_get_type()) is MSN_OBJECT_EMOTICON, that is, an emoticon, g_build_filename() is called to build a file name based on Pidgin's default emoticon directory. Because the file name combines the value returned by purple_smileys_get_storing_dir() with the user-controlled obj->location, a remote attacker can craft an MSN emoticon request containing directory traversal sequences to retrieve arbitrary files from the system.
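One way to close the path described above, shown as an added example that is neither Pidgin's actual patch nor code from the original advisory: accept obj->location only when it is a bare file name, then join it to the emoticon directory. The helper names location_is_safe and build_smiley_path, the directory and the sample inputs are assumptions constructed for illustration, and plain snprintf() stands in for g_build_filename() so the block compiles without GLib.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 only if location is a bare file name, so joining it to the
 * smiley directory cannot resolve outside that directory. */
static int location_is_safe(const char *location)
{
    if (location == NULL || *location == '\0')
        return 0;
    if (strcmp(location, ".") == 0 || strcmp(location, "..") == 0)
        return 0;
    /* Any separator (POSIX or Windows) means more than one path component. */
    if (strpbrk(location, "/\\") != NULL)
        return 0;
    return 1;
}

/* Hypothetical replacement for the unchecked g_build_filename() call:
 * writes "<dir>/<location>" to out. Returns 0 on success, -1 if the
 * name is rejected or the result would be truncated. */
static int build_smiley_path(const char *dir, const char *location,
                             char *out, size_t outlen)
{
    int n;

    if (!location_is_safe(location))
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, location);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values for the location field of a request. */
    const char *samples[] = { "smiley01.png", "../../notes.txt",
                              "sub/smiley.png", "..", "" };
    const char *dir = "/home/user/.purple/custom_smiley"; /* assumed path */
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_smiley_path(dir, samples[i], path, sizeof path) == 0)
            printf("accept  %-18s -> %s\n", samples[i], path);
        else
            printf("reject  \"%s\"\n", samples[i]);
    }
    return 0;
}
```

Rejecting every separator is stricter than resolving the joined path and checking that it stays under the emoticon directory, but it needs no file system access and fails closed on names the client would never have stored itself.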
Vulnerability Advisory
The vendor has released upgrade patches that fix this security issue. Patch download links:

Ubuntu Ubuntu Linux 9.10 sparc
- Ubuntu finch-dev_2.6.2-1ubuntu7.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.6.2-1ubuntu7.1_all.deb
- Ubuntu finch_2.6.2-1ubuntu7.1_sparc.deb http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.6.2-1ubuntu7.1_sparc.deb
- Ubuntu libpurple-bin_2.6.2-1ubuntu7.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.6.2-1ubuntu7.1_all.deb
- Ubuntu libpurple-dev_2.6.2-1ubuntu7.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.6.2-1ubuntu7.1_all.deb
- Ubuntu libpurple0_2.6.2-1ubuntu7.1_sparc.deb http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.6.2-1ubuntu7.1_sparc.deb
- Ubuntu pidgin-data_2.6.2-1ubuntu7.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.6.2-1ubuntu7.1_all.deb
- Ubuntu pidgin-dbg_2.6.2-1ubuntu7.1_sparc.deb http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.6.2-1ubuntu7.1_sparc.deb
- Ubuntu pidgin-dev_2.6.2-1ubuntu7.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.6.2-1ubuntu7.1_all.deb
- Ubuntu pidgin_2.6.2-1ubuntu7.1_sparc.deb http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.6.2-1ubuntu7.1_sparc.deb

Slackware Linux 12.0
- Slackware pidgin-2.6.5-i486-1_slack12.0.tgz ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.6.5-i486-1_slack12.0.tgz

Slackware Linux -current
- Slackware pidgin-2.6.5-i486-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.6.5-i486-1.txz

Ubuntu Ubuntu Linux 8.04 LTS powerpc
- Ubuntu finch-dev_2.4.1-1ubuntu2.8_all.deb http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.4.1-1ubuntu2.8_all.deb
References
- Source: bugzilla.redhat.com; Link: https://bugzilla.redhat.com/show_bug.cgi?id=552483
- Source: VUPEN; Name: ADV-2009-3663; Link: http://www.vupen.com/english/advisories/2009/3663
- Source: VUPEN; Name: ADV-2009-3662; Link: http://www.vupen.com/english/advisories/2009/3662
- Source: MLIST; Name: [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload; Link: http://www.openwall.com/lists/oss-security/2010/01/07/2
- Source: MLIST; Name: [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload; Link: http://www.openwall.com/lists/oss-security/2010/01/07/1
- Source: MLIST; Name: [oss-security] 20100102 CVE request - pidgin MSN arbitrary file upload; Link: http://www.openwall.com/lists/oss-security/2010/01/02/1
- Source: SECUNIA; Name: 37954; Link: http://secunia.com/advisories/37954
- Source: SECUNIA; Name: 37953; Link: http://secunia.com/advisories/37953
- Source: MISC; Link: http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
- Source: developer.pidgin.im; Link: http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c
- Source: d.pidgin.im; Link: http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
- Source: MISC; Link: http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
- Source: MISC; Link: http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
- Source: NSFOCUS; Name: 14285; Link: http://www.nsfocus.net/vulndb/14285
Affected Entities
- Adium Adium:1.3.8
Patches
None available