CVE-2004-2530
Description
Gadu-Gadu instant messenger suffers from a visual truncation vulnerability that allows attackers to spoof file extensions, tricking users into opening malicious files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Gadu-Gadu instant messenger contains a visual truncation vulnerability in its file transfer dialog. When a remote attacker sends a file whose name consists of a benign extension (e.g., .jpg) followed by a long run of spaces and then the real, dangerous extension (e.g., .bat), the dialog truncates the displayed name and shows only the benign extension; the operating system, however, dispatches the file by its real extension. The versions of Gadu-Gadu current at the time of disclosure (2004) were affected [1].
Exploitation
An attacker crafts a filename such as bartek2.jpg, followed by enough spaces to push the trailing .bat out of the visible portion of the dialog, and sends it via a Gadu-Gadu file transfer. The batch file is padded with junk data so that its size (e.g., 228 kB) looks plausible for an image. The recipient sees only the .jpg extension in the transfer dialog and may be tricked into opening the file. No authentication or special privileges are required; the attacker only needs to initiate a file transfer to the victim [1].
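The following is an added example, not code from the advisory or from the Gadu-Gadu project. It models the pattern described above: a fixed-width dialog (assumed here to show 20 characters) hides the real extension behind whitespace padding, while the operating system resolves the name by its last dot. The second half is the check a receiving client or a mail/IM gateway would want: collapse padding characters, compare the displayed extension with the real one, and flag names that carry a second extension after whitespace. The executable-extension list, the dialog width and the sample filenames are all constructed for the example; the padding handling also goes beyond the advisory by treating Unicode whitespace and zero-width characters as padding.

```python
import os
import re

# Extensions Windows dispatches as executable when the user "opens" the file.
# Constructed list for this example, not taken from the advisory.
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".js", ".lnk"}

# Padding characters an attacker can use to push the real extension out of
# view: ASCII/Unicode whitespace plus zero-width and byte-order-mark code points.
# The advisory used plain spaces; the wider set is an assumption for robustness.
_PAD = re.compile(r"[\s\u200b\u200c\u200d\u2060\ufeff]+")


def displayed_name(filename: str, width: int) -> str:
    """Model of a fixed-width transfer dialog that shows only the first
    `width` characters. This is a simulation of the behaviour the advisory
    describes, not Gadu-Gadu's rendering code."""
    return filename[:width]


def real_extension(filename: str) -> str:
    """Extension the OS actually uses: the suffix of the full name. Trailing
    spaces and dots are dropped first, as Windows does when creating the file."""
    return os.path.splitext(filename.rstrip(" ."))[1].lower()


def analyze_filename(filename: str, dialog_width: int = 20) -> dict:
    """Report what the user sees, what the OS will run, and whether the name
    matches the padding-plus-hidden-extension pattern."""
    shown = displayed_name(filename, dialog_width)
    shown_ext = os.path.splitext(shown.rstrip())[1].lower()
    actual_ext = real_extension(filename)

    # Collapse every run of padding to one space; a name that still has
    # "<.ext> <anything><.ext>" after collapsing carries a hidden extension.
    collapsed = _PAD.sub(" ", filename).strip()
    padded_double_ext = re.search(
        r"\.[A-Za-z0-9]{1,5} +.*\.[A-Za-z0-9]{1,5}$", collapsed
    ) is not None

    return {
        "shown": shown,
        "shown_ext": shown_ext,
        "actual_ext": actual_ext,
        "mismatch": shown_ext != actual_ext,
        "padded_double_ext": padded_double_ext,
        "executable": actual_ext in EXECUTABLE_EXTS,
        # Flag on the pattern, not on the width: a wider dialog would show the
        # whole name, but the padded double extension is still a spoof attempt.
        "suspicious": padded_double_ext and actual_ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    # Constructed sample names: the advisory-style case, a Unicode-padded
    # variant, and two benign names that must not be flagged.
    samples = [
        "bartek2.jpg" + " " * 40 + ".bat",
        "invoice.pdf\u2003\u2003\u2003.exe",
        "holiday photo.jpg",
        "setup.exe",
    ]
    for name in samples:
        r = analyze_filename(name)
        print(f"shown={r['shown']!r:24} shown_ext={r['shown_ext']:5} "
              f"actual={r['actual_ext']:5} suspicious={r['suspicious']}")
```

The detector deliberately keys on the collapsed name rather than on any particular dialog width, since the width that matters is the victim's, not the sender's; a client fix would be to render the full, untruncated name (or at least its real extension) and to refuse names containing internal runs of whitespace.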
Impact
If the recipient opens the file, Windows dispatches it by its real extension (e.g., .bat), so the batch script runs with the user's privileges, leading to arbitrary code execution. The reference reports that 4 out of 5 test subjects opened the file, indicating a high success rate for this kind of social engineering [1].
Mitigation
No official patch or fixed version has been identified for this vulnerability. Users should treat files received via Gadu-Gadu with caution, inspect the full filename (including its real, final extension) before opening, and consider an alternative instant messaging client. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- seclists.org/lists/vuln-dev/2004/Aug/0007.html (NVD tag: Exploit)
- securitytracker.com/id (NVD tag: Exploit)
- www.osvdb.org/9162 (NVD tag: Exploit)
- www.securityfocus.com/bid/11017 (NVD tag: Exploit)
- exchange.xforce.ibmcloud.com/vulnerabilities/17105 (NVD)
News mentions
No linked articles in our index yet.