CVE-2009-2694

Pidgin MSN 2.5.8 - Remote Code Execution

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.

La función msn_slplink_process_msg en libpurple/protocols/msn/slplink.c en libpurple, tal como se usa en Pidgin (anteriormente Gaim) en versiones anteriores a la 2.5.9 y Adium 1.3.5 y versiones anteriores, permite a atacantes remotos ejecutar código de su elección o provocar una denegación de servicio (corrupción de memoria y caída de la aplicación) mediante el envío de múltiples mensajes SLP (alias MSNSLP) manipulados para disparar una sobreescritura de una zona de memoria de su elección. NOTA: esta vulnerabilidad reportada está causada por una reparación incompleta de CVE-2009-1376.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-08-05 CVE Reserved
2009-08-20 CVE Published
2009-09-09 First Exploit
2024-08-07 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-399: Resource Management Errors

CAPEC

References (21)

URL	Tag	Source
http://developer.pidgin.im/wiki/ChangeLog	X_refsource_confirm
http://secunia.com/advisories/36402	Third Party Advisory
http://secunia.com/advisories/36708	Third Party Advisory
http://secunia.com/advisories/37071	Third Party Advisory
http://www.vupen.com/english/advisories/2009/2663	Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10319	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6320	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/9615	2009-09-09
http://www.coresecurity.com/content/libpurple-arbitrary-write	2024-08-07
http://www.exploit-db.com/exploits/9615	2024-08-07

URL	Date	SRC
http://developer.pidgin.im/viewmtn/revision/info/6f7343166c673bf0496ecb1afec9b633c1d54a0e	2017-09-19
http://www.debian.org/security/2009/dsa-1870	2017-09-19

URL	Date	SRC
http://secunia.com/advisories/36384	2017-09-19
http://secunia.com/advisories/36392	2017-09-19
http://secunia.com/advisories/36401	2017-09-19
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266908-1	2017-09-19
http://www.pidgin.im/news/security/?id=34	2017-09-19
http://www.vupen.com/english/advisories/2009/2303	2017-09-19
https://bugzilla.redhat.com/show_bug.cgi?id=514957	2009-08-18
https://rhn.redhat.com/errata/RHSA-2009-1218.html	2017-09-19
https://access.redhat.com/security/cve/CVE-2009-2694	2009-08-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Adium Search vendor "Adium"		Adium Search vendor "Adium" for product "Adium"				<= 1.3.5 Search vendor "Adium" for product "Adium" and version " <= 1.3.5"		-		Affected
Adium Search vendor "Adium"		Adium Search vendor "Adium" for product "Adium"				1.2.7 Search vendor "Adium" for product "Adium" and version "1.2.7"		-		Affected
Adium Search vendor "Adium"		Adium Search vendor "Adium" for product "Adium"				1.3 Search vendor "Adium" for product "Adium" and version "1.3"		-		Affected
Adium Search vendor "Adium"		Adium Search vendor "Adium" for product "Adium"				1.3.1 Search vendor "Adium" for product "Adium" and version "1.3.1"		-		Affected
Adium Search vendor "Adium"		Adium Search vendor "Adium" for product "Adium"				1.3.2 Search vendor "Adium" for product "Adium" and version "1.3.2"		-		Affected
Adium Search vendor "Adium"		Adium Search vendor "Adium" for product "Adium"				1.3.3 Search vendor "Adium" for product "Adium" and version "1.3.3"		-		Affected
Adium Search vendor "Adium"		Adium Search vendor "Adium" for product "Adium"				1.3.4 Search vendor "Adium" for product "Adium" and version "1.3.4"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				<= 2.5.8 Search vendor "Pidgin" for product "Pidgin" and version " <= 2.5.8"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.0.0 Search vendor "Pidgin" for product "Pidgin" and version "2.0.0"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.0.1 Search vendor "Pidgin" for product "Pidgin" and version "2.0.1"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.0.2 Search vendor "Pidgin" for product "Pidgin" and version "2.0.2"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.1.0 Search vendor "Pidgin" for product "Pidgin" and version "2.1.0"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.1.1 Search vendor "Pidgin" for product "Pidgin" and version "2.1.1"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.2.0 Search vendor "Pidgin" for product "Pidgin" and version "2.2.0"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.2.1 Search vendor "Pidgin" for product "Pidgin" and version "2.2.1"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.2.2 Search vendor "Pidgin" for product "Pidgin" and version "2.2.2"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.3.0 Search vendor "Pidgin" for product "Pidgin" and version "2.3.0"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.3.1 Search vendor "Pidgin" for product "Pidgin" and version "2.3.1"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.4.0 Search vendor "Pidgin" for product "Pidgin" and version "2.4.0"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.4.1 Search vendor "Pidgin" for product "Pidgin" and version "2.4.1"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.4.2 Search vendor "Pidgin" for product "Pidgin" and version "2.4.2"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.4.3 Search vendor "Pidgin" for product "Pidgin" and version "2.4.3"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.5.0 Search vendor "Pidgin" for product "Pidgin" and version "2.5.0"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.5.1 Search vendor "Pidgin" for product "Pidgin" and version "2.5.1"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.5.2 Search vendor "Pidgin" for product "Pidgin" and version "2.5.2"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.5.3 Search vendor "Pidgin" for product "Pidgin" and version "2.5.3"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.5.4 Search vendor "Pidgin" for product "Pidgin" and version "2.5.4"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.5.6 Search vendor "Pidgin" for product "Pidgin" and version "2.5.6"		-		Affected
Pidgin Search vendor "Pidgin"		Pidgin Search vendor "Pidgin" for product "Pidgin"				2.5.7 Search vendor "Pidgin" for product "Pidgin" and version "2.5.7"		-		Affected