Sourcefire Vulnerability Report VRT-2013-1003: Pidgin uses clickable links to untrusted executables

Description An exploitable remote code execution vulnerability exists in Pidgin's implementation of file:// URL handling. An attacker can supply a remote path which will be evaluated by ShellExecute and can be leveraged to execute arbitrary code. While the operating system (e.g., Windows) blocks execution of several file formats and provides a prompt to the user asking for permission, this can be bypassed by specifying alternate file types and we have achieved code execution using .jar files.  

Tested Versions Pidgin 2.10.7

Coverage SIDs 28089 and 28090

Details  An attacker can pass arbitrary paths to ShellExecute() when a user clicks on a URL delivered in any of the communication protocols supported by Pidgin on the Windows platform. If this URL specifies a file:// protocol handler, the URL will be executed by the shell.
 Pidgin attempts to filter file:// URLs and will try to execute them as an argument to the command "explorer.exe /select" in the function file_open_uri() in file pidgin-2.10.7\pidgin\gtkutils.c:
  3279     if (purple_str_has_prefix(uri, "file://"))  
3280     {
3281          gchar *escaped = g_shell_quote(uri);
3282          gchar *param = g_strconcat("/select,\"", uri, "\"", NULL);
3283          wchar_t *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL);
3284
3285 code = (int)ShellExecuteW(NULL, L"OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL);
...
3290     } else {
3291          wchar_t *wc_filename = g_utf8_to_utf16(uri, -1, NULL, NULL, NULL);
3294          code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL, SW_SHOW);
 However, due to the way this function is called, a URL will never start with the file:// scheme. The following code shows how the function is called (also in gtkutils.c):
 3361  #define FILELINKSIZE  (sizeof("file://") - 1)
3362  static gboolean file_clicked_cb(GtkIMHtml *imhtml, GtkIMHtmlLink *link)
3364 {
3365      const char *uri = gtk_imhtml_link_get_url(link) + FILELINKSIZE;
3366      file_open_uri(imhtml, uri);
3367      return TRUE;
3368  }
 This strips out the file:// scheme from the URL before calling the file_open_uri() function, ensuring that the check at line 3279 will never be true (unless URL that starts with file://file:// is provided).
 When we tested Pidgin on Windows 7, for example, WebDAV paths ending in file extensions such a .exe and .bat were filtered by the OS. However, the user can simply supply a path to an unfiltered file type such as a Java .jar to have the user download and execute arbitrary code if they have the Java Runtime Environment installed. Note, this is just one example and other file formats can be used. It's also worth noting the attacker can also control the displayed string for the URL, so the true destination of a clicked URL can be obfuscated.