Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#15209 closed defect (duplicate)

Pidgin for Windows (2.10.6) - Missing DEP and ASLR

Reported by: noloader
Owned by: rekkanoryo
Milestone:
Component: winpidgin (gtk)
Version: 2.10.6
Keywords:
Cc: keystroke

Description (last modified by noloader)

Running BinScope on the latest Pidgin for Windows shows pidgin.exe is missing some platform security features, such as DEP and ASLR.

Failed checks

C:\Program Files (x86)\Pidgin\pidgin.exe - NXCheck ( FAIL )

Information : Image is not marked as NX compatible

C:\Program Files (x86)\Pidgin\pidgin.exe - SafeSEHCheck ( FAIL )

Information : No SAFESEH (LOAD_CONFIG absent)

C:\Program Files (x86)\Pidgin\pidgin.exe - DBCheck ( FAIL )

Information: Image is not marked as Dynamic Base compatible

Running the image with full defenses via EMET (http://support.microsoft.com/kb/2458544) produced no errors. I'm not a hardcore IM'er, and I did not try any of the available plugins.

To resolve the failed issues, the switches of interest for Visual Studio are: /GS, /SafeSEH, /NXCOMPAT, /dynamicbase. High risk source files, such as those which parse messages from unknown sources and the internet, should add "#pragma strict_gs_check(on)" to the source file.

For completeness, here are the switches for GCC: -fPIE and -pie (or -fPIC and -shared), -fstack-protector-all, -Wl,-z,noexecstack, -Wl,-z,noexecheap, -Wl,-z,relro, -Wl,-z,now. If Glibc is being used, the -DFORTIFY_SOURCES=2 should be used.

Buffer overflows and other security defects happen on occasion, and things like ASLR and DEP will help mitigate the failure for folks using the program. The platform security measures can take a critical bug (for example, a message that results in remote code execution) and turn it into a non-critical defect (for example, a call to abort() due to a stack smash).

Attachments (2)

pidgin-2.10.6-win32-binscope.png (107.4 KB) - added by noloader 7 years ago.
BinScope findings on Pidgin 2.10.6 (Win32)
pidgin-2.10.6-win32-emet.png (74.2 KB) - added by noloader 7 years ago.
Pidgin with Full Defense configured through EMET


Change History (7)

Changed 7 years ago by noloader

BinScope findings on Pidgin 2.10.6 (Win32)

Changed 7 years ago by noloader

Pidgin with Full Defense configured through EMET

comment:1 Changed 7 years ago by noloader

  • Description modified (diff)

comment:2 in reply to: ↑ description Changed 7 years ago by noloader

Replying to noloader:

Running BinScope on the latest Pidgin for Windows shows pidgin.exe is missing some platform security features, such as DEP and ASLR.

If the project needs an audit tool for Linux, I suggest Tobias Klein's CheckSec. CheckSec has a few minor shortcomings, but it will do until the BinUtil folks give us a tool like auditelf (in the spirit of readelf, etc). For example, CheckSec will report an executable has a no-exec stack based on the presence of the GNU_PT_STACK header marking; where it should report based on GNU_PT_STACK *and* a 0 size.

comment:3 follow-up: Changed 6 years ago by keystroke

I just also noticed that Pidgin doesn't have ASLR turned on so I found this post. I have had it enabled with EMET for a while but under Sysinternals Process Explorer it shows that ASLR is in fact NOT enabled. Could someone else using EMET please verify this for me? I'm not sure why this is the case.

comment:4 Changed 6 years ago by datallah

  • Component changed from unclassified to winpidgin (gtk)
  • Resolution set to duplicate
  • Status changed from new to closed

Closed as duplicate of #15290.

comment:5 in reply to: ↑ 3 Changed 6 years ago by noloader

Replying to keystroke:

I just also noticed that Pidgin doesn't have ASLR turned on so I found this post. I have had it enabled with EMET for a while but under Sysinternals Process Explorer it shows that ASLR is in fact NOT enabled. Could someone else using EMET please verify this for me? I'm not sure why this is the case.

"ASLR mitigation not set on some applications," http://social.technet.microsoft.com/Forums/en-US/emet/thread/2208281f-ef4e-412d-ad7f-cd2f36404eb6/.
