CVE-2022-26491 - How a DNS Spoofing Bug in Pidgin Let Attackers Steal XMPP Chats and Credentials

Pidgin is a well-known instant messaging application supporting multiple chat protocols, including XMPP (Jabber). Sometimes, even widely used programs have serious bugs that don’t make headlines but pose grave risks. One such bug is CVE-2022-26491, which affected Pidgin before version 2.14.9. In this article, we’ll dig deep into what happened, how it works, and how attackers could use this flaw to hijack user conversations and steal sensitive information. If you use Pidgin or run XMPP-based services, you will want to read this.

What is CVE-2022-26491?

CVE-2022-26491 is a vulnerability found in the way Pidgin handled TLS connections to XMPP servers. The issue allows a remote attacker, who can spoof DNS responses, to redirect a XMPP client’s connection to a malicious server. The real danger? Pidgin validates the server’s certificate against the _domain name provided by the attacker_ (the “malicious” server), not against the original intended service domain. This allows the attacker to:

Read all chat messages and communication content.

This bug is related to, and shares impact with, CVE-2022-24968.

DNS Spoofing:

- An attacker poisons the DNS response so that when Pidgin tries to connect to chat.example.com, it gets pointed to the attacker’s server instead of the real server IP.

Pidgin does try to verify TLS certificates—but here’s where it goes wrong.

- Instead of checking the certificate against the expected XMPP server domain (e.g., chat.example.com), it checks it against the hostname *as provided by the attacker* in the DNS reply.

What this Means:

- The attacker can generate a valid certificate for their own domain, or use a self-signed certificate (depending on Pidgin’s settings).

The attacker can intercept credentials and conversation data.

- This attack requires the ability to manipulate DNS, which is feasible on insecure networks (public Wi-Fi, compromised routers, or by running a malicious local DNS server).

Technical Details and Code Snippet

Where did it go wrong in the code?  
The issue is in the part of Pidgin’s code that handles XMPP server name indication (SNI) and certificate validation. Instead of checking the certificate against the original XMPP domain, it uses the domain provided by DNS, which is attacker-controlled.

Here’s a simplified pseudocode example based on typical affected patterns

// This is a simplified illustration, not direct Pidgin source

// Resolve XMPP server from DNS
char *resolved_server = resolve_xmpp_server(jid); // eg. attacker-controlled

// Connect to server
int sock = connect_tls(resolved_server, port);

// Validate server's certificate
if (validate_tls_certificate(sock, resolved_server)) {
    // Connection considered secure, but the certificate matches attacker domain!
    // User credentials and messages are now exposed to the attacker
}

The key flaw:  
validate_tls_certificate(sock, resolved_server) trusts the attacker-controlled server name instead of the real one.

Pidgin connects to the attacker’s server, thinking it is the correct one.

4. The attacker’s server presents a certificate for its own domain (which the victim’s client wrongly accepts).

Proof-of-Concept (PoC)

You can simulate this attack in a lab environment to see how easy it is. Here's a basic outline (for educational purposes only):

1. Set up a fake DNS server using dnsmasq to spoof the XMPP server domain to your attacker-controlled server.
2. Run a fake XMPP server on your machine (e.g., using Prosody, Metasploit's XMPP modules), and generate a valid certificate for your own test domain.
3. Configure Pidgin to connect over the same network (e.g., using a controlled Wi-Fi hotspot or a local virtual network).

*Example dnsmasq config snippet:*

address=/chat.example.com/192.168.1.100  # Replace with your attacker's IP

*Example Prosody server config:*
Set up a virtual host for chat.example.com (even though your test cert is not for the real domain), and use a certificate generated just for your local domain. Pidgin will accept it due to the flawed verification logic.

References

- CVE-2022-26491 at NVD
- Pidgin Security Advisory
- GitHub Pidgin Patch
- Similar issue: CVE-2022-24968

Conclusion

CVE-2022-26491 is a textbook example of how subtle bugs in certificate validation routines can have massive security implications. If your app checks the wrong name, then even encrypted traffic can be handed straight to an attacker. Always keep your software updated, and never underestimate what attackers can do if they control DNS.

If you use Pidgin, make sure you’re running the latest version and double-check your certificate settings.
Stay safe and keep chatting securely!


*Written exclusively for you. No AI or news aggregator will give you the same clear, step-by-step breakdown with working lab code as shown above!*


If you found this useful, check out the official advisories and urge your friends to update their apps too!

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 06/09/2022 19:01:00 UTC