___________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-110822.1
___________________________________________________________________

 Name: Pidgin IM Insecure URL Handling Remote Code Execution
 Reported: 21 July 2011
 
 Vendor Link:
    http://www.pidgin.im
 
 Affected Products:
    Pidgin Instant Messaging Client <= 2.9.0
     
 Original Advisory:
    http://www.insomniasec.com/advisories/ISVA-110822.1.htm
 
 Researcher:
    James Burton, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________


_______________

 Description
_______________

Pidgin is an open source instant messaging client that allows users
to log in to accounts on multiple chat networks simultaneously.

An insecure URL handling vulnerability exists in Pidgin <= 2.9.0
that can be exploited to cause remote code execution.

This vulnerability requires user interaction in the form of clicking
a malicious crafted URL.

_______________

 Details
_______________

Pidgin supports the use of URL handlers in IM sessions.  The Windows build
passes URLs directly to the ShellExecute API where they are executed under
the context of the user running the application.

When passed through a file:// URL a malicious executable can be hosted
and executed off a remote WEBDAV/SMB share.

This vulnerability requires user interaction in the form of clicking a
crafted URL but Pidgins Insert -> Link function gives the option of adding
a description which masks the underlying link. 

This makes the task of social engineering the target a trivial one.

This vulnerability has only been confirmed over Google-Talk though
exploitation over other chat networks may be possible.

_______________

 Solution
_______________

Upgrade to Pidgin 2.10.0 from http://www.pidgin.im/
The Pidgin changelog can be found http://developer.pidgin.im/wiki/ChangeLog

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________
 
 Insomnia Security Vulnerability Advisory: ISVA-110822.1
___________________________________________________________________