Pidgin - OTR information leakage
Am Tuesday, 28. Feb 2012 im Topic 'Vulnerabilities'
Details
libpurple is an Instant Messaging (IM) library developed by the Pidgin project. It is used by a number of IM clients including Pidgin and Adium. libpurple-based clients support the OTR (“Off-the-Record”) protocol either natively or via a plugin. The OTR messaging protocol enables users to communicate securely over any IM network.
pidgin-otr-snooping.py is a proof-of-concept Python script that connects to DBUS and prints all messages received via Pidgin’s “ReceivedImMsg” and “WroteImMsg” signals. The example below shows messages transmitted during an OTR conversation:
user@host:~$ python pidgin-otr-snooping.py
sent 'hey' to user1@example.com
received 'ho' from user1@example.com
sent 'lets go!' to user1@example.com
An exploited application that connects to DBUS (or reuses an already established connection) to listen for private messages provides identical forensic evidence (logs) as any application that connects to DBUS for legitimate purposes. It is thus difficult to identify in-memory eavesdropping of this sort, especially in cases where there is no supportive evidence that might suggest it (offending process image, related traffic logs etc.).
Download pidgin-otr-snooping.py
http://census-labs.com/media/pidgin-otr-snooping.py.txt
by
Dimitris Glynos
libpurple is an Instant Messaging (IM) library developed by the Pidgin project. It is used by a number of IM clients including Pidgin and Adium. libpurple-based clients support the OTR (“Off-the-Record”) protocol either natively or via a plugin. The OTR messaging protocol enables users to communicate securely over any IM network.
pidgin-otr-snooping.py is a proof-of-concept Python script that connects to DBUS and prints all messages received via Pidgin’s “ReceivedImMsg” and “WroteImMsg” signals. The example below shows messages transmitted during an OTR conversation:
user@host:~$ python pidgin-otr-snooping.py
sent 'hey' to user1@example.com
received 'ho' from user1@example.com
sent 'lets go!' to user1@example.com
An exploited application that connects to DBUS (or reuses an already established connection) to listen for private messages provides identical forensic evidence (logs) as any application that connects to DBUS for legitimate purposes. It is thus difficult to identify in-memory eavesdropping of this sort, especially in cases where there is no supportive evidence that might suggest it (offending process image, related traffic logs etc.).
Download pidgin-otr-snooping.py
http://census-labs.com/media/pidgin-otr-snooping.py.txt
by
Dimitris Glynos