An exploitable remote code execution vulnerability exists in Pidgin’s handling of clicked URLs on Windows. An attacker can supply a remote path that is passed to ShellExecute, which can be leveraged to execute arbitrary code. The program attempts to block execution of several file formats and prompts the user before opening them; however, this simple filter can be bypassed by specifying alternate file types, and we achieved code execution using .jar files.
Pidgin 2.10.7 (Windows only)
An attacker can pass arbitrary paths to ShellExecute when a user clicks on a URL delivered over any of the communication protocols supported by Pidgin on the Windows platform. If the URL uses the file:// scheme, its file extension is examined to decide whether the user should be prompted. When we tested Pidgin on Windows 7, for example, WebDAV paths ending in extensions such as .exe and .bat were filtered. However, the attacker can simply supply a path to an unfiltered file type, such as a Java .jar, and the victim’s machine will download and execute it, giving arbitrary code execution if the Java Runtime Environment is installed. This is just one example; other file formats can be used. It’s worth noting that the attacker also controls the displayed string for the URL, so the true destination of a clicked link can be obfuscated.
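The following is an added example, not Pidgin’s source code. It models the two decision policies the advisory contrasts: a denylist of “dangerous” extensions that lets every unlisted type (such as .jar) through to ShellExecute, and a hardened policy that allowlists schemes, refuses any file:// URL naming a remote host (UNC or WebDAV), and prompts for local file:// paths regardless of extension. The function names, the denylist contents and the sample link are assumptions made for illustration; the label/href pair in main() is constructed to show that the visible text says nothing about where the click goes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What the client would do with a clicked URL. */
typedef enum { ACTION_OPEN, ACTION_PROMPT, ACTION_REFUSE } link_action;

/* Case-insensitive "does s end with suffix". */
static bool ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls)
        return false;
    const char *tail = s + (ls - lx);
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return false;
    return true;
}

/* Case-insensitive "does s start with prefix". */
static bool starts_with_nocase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Hypothetical denylist filter modelled on the behaviour described above
 * (not Pidgin's code): a handful of extensions earn a prompt, everything
 * else goes straight to ShellExecute. */
link_action vulnerable_decide(const char *url)
{
    static const char *const denied[] = { ".exe", ".bat", ".cmd", ".com", ".scr", NULL };

    if (!starts_with_nocase(url, "file://"))
        return ACTION_OPEN;          /* http://, https://, ... go to the default handler */
    for (int i = 0; denied[i]; i++)
        if (ends_with_nocase(url, denied[i]))
            return ACTION_PROMPT;
    return ACTION_OPEN;              /* .jar and every other type nobody listed */
}

/* Hardened decision: allowlist the schemes the client exists to open, never
 * hand a remote file:// path (UNC host or WebDAV share) to ShellExecute, and
 * prompt for every local file:// path regardless of its extension. */
link_action hardened_decide(const char *url)
{
    if (starts_with_nocase(url, "http://") || starts_with_nocase(url, "https://"))
        return ACTION_OPEN;
    if (starts_with_nocase(url, "file://")) {
        const char *rest = url + strlen("file://");
        /* file:///C:/... has an empty host (local). file://host/share/...,
         * file:////host/share/... and file://\\host\share all name a remote host. */
        if (rest[0] != '/' || rest[1] == '/' || rest[1] == '\\')
            return ACTION_REFUSE;
        return ACTION_PROMPT;
    }
    return ACTION_REFUSE;            /* javascript:, unknown schemes, bare paths */
}

int main(void)
{
    /* Constructed sample: the label the victim sees versus the target opened.
     * The decision must be made on href; the label is attacker-controlled text. */
    const char *label = "http://example.com/vacation-photos";
    const char *href  = "file://webdav.example.net/share/photos.jar";
    static const char *const names[] = { "open", "prompt", "refuse" };

    printf("label : %s\nhref  : %s\n", label, href);
    printf("denylist filter -> %s\n", names[vulnerable_decide(href)]);
    printf("hardened filter -> %s\n", names[hardened_decide(href)]);
    return 0;
}
```

Run as-is, the denylist filter reports “open” for the .jar on the WebDAV share while the hardened filter reports “refuse”; swap the extension for .exe and only the denylist version changes its answer, which is the whole weakness: a denylist can only stop what its author thought of.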