Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#2264 closed defect (fixed)

Jabber: Client and OS version visible to authorized buddies

Reported by: alexkon Owned by:
Milestone: 2.2.1 Component: XMPP
Version: 2.0.2 Keywords: security, privacy
Cc:

Description

Summary

If you use XMPP (Jabber), Pidgin (formerly Gaim) discloses its exact version number, your operating system details and hardware architecture to the buddies whom you have authorized. I tested Pidgin 2.0.2 on Windows XP and Gaim 1:2.0.0+beta6-1ubuntu4 from Ubuntu 7.04 Feisty Fawn.

Under GNU/Linux, the precise kernel version number is reported. Under Windows, the OS version number seems to reflect only major releases, like Windows 2000 or Windows XP.

Security and privacy implications

Disclosing so much information about your system is a security exposure. It can facilitate, for example, a) spreading Pidgin worms, b) conducting a targeted attack without being noticed, or c) OS version scanning behind firewalls.

You might also object to sharing information about your operating system and IM client with your buddies.

Sample attack schemes

Included here to scare you if you don't take security seriously or if you think that limiting it to authorized buddies is secure enough.

a) Spreading worms that exploit Pidgin (Gaim) vulnerabilities

If the worm writer can remotely exploit one or more vulnerabilities in Pidgin, the ability to reliably detect the version and platform of the peers comes in handy. Instead of crashing some clients or being noticed by their users, the worm will be able to infect all vulnerable clients without making noise. Because the worm infects users' clients, it will be already authorized by most of its next victims.

b) Targeted attack without leaving lots of traces

If Eve is not yet authorized by you, she first tricks you into authorizing her by being, or pretending to be, somebody you are interested in communicating with. Using this Pidgin exposure, she learns what hardware you have and what OS you are running. From that information she may be able to deduce your GNU/Linux distribution and the versions of other programs that often come with your kernel. To perform her real attack, she uses an exploit that is known to work against the exact version of Pidgin, the kernel, or other software that you are running. As in the worm example, Eve could succeed on the first shot, thus leaving far fewer traces for your intrusion detection system to notice. If she didn't know the version numbers, she'd have to try her exploits one by one, making more noise and increasing your chance of detecting her intrusion attempts.

c) OS version scanning behind firewalls

First, Trudy collects a list of interesting users from multiple sources on the web, from a directory of an organization's employees, and so on. Her XMPP bot goes over the list of users tricking them into authorizing it and, if they are running Pidgin, recording their OS details. To find out the IP of each user, the bot or Trudy herself can have the user send a file or an email to them. If there is no smart proxy in the way, the sender's IP will be known from the direct file transfer to Trudy's host or from the Received mail headers. Now Trudy can use the version information obtained to find hosts with known vulnerabilities and mount further attacks... Windows versions of Pidgin are immune to this kind of attack as they don't report exact version numbers of the OS components.

To reproduce the problem:

  1. Open Pidgin and log in to your Jabber account. (If you don't have one, you can register at jabber.org or gmail.com, among others.) This client will be the "victim" of information disclosure.
  2. Open any XMPP-capable client (or maybe just another copy of Pidgin in a different session) and log in to another Jabber account. This client will be the "attacker".
  3. Add your victim account to the buddy list of the attacker.
  4. Authorize the attacker from the victim client.
  5. In your attacker client, examine the victim's user information. In Pidgin (Gaim) you can right-click an entry in the buddy list and select Get Info.
  6. The version number of the victim's Pidgin and operating system appear. In Pidgin, they are listed under Client and Operating System like this:

Client: gaim 2.0.0beta6
Operating System: Linux 2.6.20-16-generic i686

Fix

The safest default that still provides the intended functionality would be reporting "Pidgin" as the client name and "Windows", "FreeBSD", "Linux", "Mac OS" as the operating system. I wonder, though, why an instant messaging client should silently report my operating system to anyone with whom I like to chat.

At the very least, the exact version number of Pidgin and the OS kernel (under non-Windows systems) shouldn't be reported. They can be truncated to their major versions, like Pidgin 2, Windows XP, Linux 2.6.

If there is a configuration option to set what versions Pidgin reports (without rebuilding it from source), please let me know.

Other protocols

I have not looked into other instant messaging protocols that Pidgin supports. There may be similar exposures in them.

-- Alexander Konovalenko
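The query behind the "Get Info" step above is the XEP-0092 `jabber:iq:version` IQ (namespace `jabber:iq:version`, with `name`, `version` and optional `os` children). The following is an added example, not code from Pidgin or from the reporter: it builds both sides of that exchange, parses the answer into the three fields, and applies the reduced-disclosure policies discussed in the ticket (major version plus OS family, as the Fix section suggests, or no `os` element at all). The JIDs, the IQ id and the stanza text are constructed for the example, not captured from a real session.

```python
"""XEP-0092 version disclosure: request, response, parsing and reduction.

Added example, not part of Pidgin. All stanzas and JIDs are constructed here.
"""
import xml.etree.ElementTree as ET

NS = "jabber:iq:version"          # namespace defined by XEP-0092
_Q = "{%s}query" % NS


def build_version_request(frm, to, iq_id="v1"):
    """The 'attacker' side: an IQ get carrying an empty jabber:iq:version query."""
    iq = ET.Element("iq", {"type": "get", "from": frm, "to": to, "id": iq_id})
    ET.SubElement(iq, "query", {"xmlns": NS})
    return ET.tostring(iq, encoding="unicode")


def build_version_response(request_xml, name, version, os_string=None):
    """The 'victim' side: answer the request with name/version and, if given, os.

    Passing os_string=None omits the <os/> element entirely, which is the
    shape of the response after the OS field is removed.
    """
    req = ET.fromstring(request_xml)
    iq = ET.Element("iq", {"type": "result", "from": req.get("to"),
                           "to": req.get("from"), "id": req.get("id")})
    query = ET.SubElement(iq, "query", {"xmlns": NS})
    ET.SubElement(query, "name").text = name
    ET.SubElement(query, "version").text = version
    if os_string is not None:
        ET.SubElement(query, "os").text = os_string
    return ET.tostring(iq, encoding="unicode")


def parse_version_response(xml_text):
    """Extract name/version/os from an IQ result; None if it is not one."""
    iq = ET.fromstring(xml_text)
    query = iq.find(_Q)
    if iq.get("type") != "result" or query is None:
        return None
    return {tag: query.findtext("{%s}%s" % (NS, tag))
            for tag in ("name", "version", "os")}


def reduce_disclosure(name, version, os_string, keep_os_family=False):
    """Apply the reduced-disclosure policy: major version only, OS family only.

    With keep_os_family=False the OS is dropped completely (returned as None).
    Splitting on '.' and on whitespace is an assumption about the string
    shapes seen in the ticket ("2.0.0beta6", "Linux 2.6.20-16-generic i686").
    """
    major = version.split(".")[0]
    family = None
    if keep_os_family and os_string:
        family = os_string.split()[0]
    return name, major, family


def exposure_level(parsed):
    """Classify how much a parsed response reveals: 'full', 'reduced' or 'none'."""
    if parsed is None:
        return "none"
    os_string = parsed.get("os")
    if os_string and len(os_string.split()) > 1:
        return "full"        # OS plus kernel/arch details, as in the report
    return "reduced"         # OS family only, or no OS element at all


if __name__ == "__main__":
    req = build_version_request("eve@example.org/bot", "alice@example.org/pidgin")
    full = build_version_response(req, "gaim", "2.0.0beta6",
                                  "Linux 2.6.20-16-generic i686")
    print(parse_version_response(full), exposure_level(parse_version_response(full)))
    n, v, o = reduce_disclosure("Pidgin", "2.0.2", "Linux 2.6.20-16-generic i686",
                                keep_os_family=True)
    reduced = build_version_response(req, n, v, o)
    print(parse_version_response(reduced), exposure_level(parse_version_response(reduced)))
```

Running the script prints the fully disclosing response first and the reduced one second; `exposure_level` is the check an operator could run against their own client's answer to a friendly `jabber:iq:version` probe.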

Change History (8)

comment:1 Changed 10 years ago by alexkon

This issue has been assigned CVE number CVE-2007-4002.

comment:2 Changed 10 years ago by khc

  • Resolution set to invalid
  • Status changed from new to closed

d) the attacker can just try all the recent vulnerabilities, and see which one works

I don't see how this is a bug. Are you suggesting that if we hide that information, attackers would just give up?

Oh, and your CVE link is broken, and it doesn't seem like the number is valid.

comment:3 in reply to comment:2, Changed 10 years ago by alexkon

Replying to khc:

d) the attacker can just try all the recent vulnerabilities, and see which one works

I don't see how this is a bug. Are you suggesting that if we hide that information, attackers would just give up?

Of course hiding the version doesn't protect from any remote vulnerabilities. I didn't say that it did. Hiding the version makes it harder to conceal the attacks.

Consider the worm example (a). If the version number of a client is not known, the worm has to guess which exploit to try. When it guesses wrong, the victim won't be infected, but the client attacked may crash or indicate that something is going wrong (by showing garbage to the user, for example). On the contrary, when the version number and the architecture are known, the worm can target its exploits perfectly and thus is going to stay unnoticed for a longer period of time.

From that point of view the examples might make more sense to you now.

Limiting the information disclosure to authorized users doesn't add much protection. A determined attacker can trick most users into authorizing him, and even a bot can do a good job of persuading people to authorize it. Worms don't have the problem of being authorized at all.


Oh, and your CVE link is broken, and it doesn't seem like the number is valid.

The CVE link works now, although there is no content there yet. I hastened to post a link before it was ready, sorry for that. If you would like to know when they are going to add a description and a link back to here on the CVE page, I can ask the editors. I guess their process is not fast, especially for minor issues such as this.


Please tell me if you still can't see the risk of reporting those system details to strangers.

comment:4 Changed 10 years ago by rlaager

  • Resolution invalid deleted
  • Status changed from closed to reopened

Why exactly is it useful to report this detailed information? If there's no use case for it, then I think removing it is a good idea.

comment:5 Changed 10 years ago by seanegan

  • Component changed from pidgin (gtk) to XMPP

comment:6 Changed 10 years ago by seanegan

  • Milestone set to 2.2.1
  • Resolution set to fixed
  • Status changed from reopened to closed

I've removed the OS field from this. Formerly, it was a protocol-level option, defaulted to yes. Now, it's #if 0'ed out.

I've left the Client/Version response in, as both are REQUIRED by the spec, and XEP-0115, which is a crucial capability-reporting protocol, also reports client and version, so removing it only here doesn't afford much.

comment:7 Changed 10 years ago by schoen

What about just publishing »Linux« instead of »Linux 2.6.20-16-generic x86_64« and »Windows« instead of »MINGW_WinNT 11 i586«?

comment:8 Changed 10 years ago by seanegan

How would that be any better?
