Talos Vulnerability Report

VRT-2014-0205

Pidgin Theme/Smiley Untar Arbitrary File Write Vulnerability

Nov 6, 2014

Description

An exploitable remote code execution vulnerability exists in Pidgin''s implementation of the TAR archive parsing functionality. An attacker who can control the contents of a Theme or Smiley package can write arbitrary files to absolute paths on Windows.

Tested Versions

Pidgin 2.10.7

Product URLs

http://www.pidgin.im/

Details

When installing a new theme or smiley, Pidgin untars the archive file into the theme or smiley directory. On Linux, Pidgin executes the tar command with the -C argument to untar it into the specified directory. The Linux tar utility will refuse to untar a file with an absolute path unless passed the -P argument, which is not used by Pidgin, so files are contained within the specified directory. However, in Windows, Pidgin can not rely on the presense of the untar utility, so instead code is included to perform the untar operation. This code, unlike tar, does allow the specification of an absolute path in the tar file, resulting in the ability to write or overwrite any file allowed by the file system permissions for that user.

In themeinstalltheme() at line 698 in pidgin-2.10.7\pidgin\gtkprefs.c, the function winpidgingzuntar() is called witg options UNTAR_FORCE, meaning it will overwrite existing files.

At line 413 in pidgin-2.10.7\pidgin\win32\untar.c in the function untar_block() a check is performed to check if the path doesn''t start with a /

            if (!ABSPATH && (name == ''/'' || *name == ''\''))
                                didabs = 1;
        

A strip of leading slashes is performed on the next few lines:

            for (n2 = nbuf; *name; name++)
                            {
                                if (name == ''\'')
                                    name = ''/'';
                                if (name != ''/''
                                 || (ABSPATH && n2 == nbuf)
                                 || (n2 != nbuf && n2[-1] != ''/''))
                                    *n2++ = *name;
                            }
        

However, an absolute path in the form of "c:/path/file.ext" will bypass the absolute path checks and will still be considered a valid absolute path by g_fopen() which is called by the createpath() function during the untar operation.

Credit

Discovered by Yves Younan of Sourcefire VRT