
Rapid7 R7-0013: Gaim encryption plugin heap corruption

by Nikola Strahija on April 14th, 2003. A vulnerability has been found in Gaim's encryption plugin which, if exploited, could allow attacks such as denial of service against the GAIM client.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
Rapid7, Inc. Security Advisory

Visit http://www.rapid7.com/ to download NeXpose, the
world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0013
Heap Corruption in Gaim-Encryption Plugin

Published: April 11, 2003
Revision: 1.0
http://www.rapid7.com/advisories/R7-0013.html

CVE: CAN-2003-0163
Bugtraq ID: 7182

1. Affected system(s):

KNOWN VULNERABLE:
o gaim-encryption 1.15 and earlier

NOT VULNERABLE:
o gaim-encryption 1.16 and later

2. Summary

GAIM is a multi-protocol instant messaging client that is
compatible with AIM, ICQ, MSN Messenger, Jabber, and other
protocols. The Gaim-Encryption plugin provides transparent
message encryption between two users.

The Gaim-Encryption plugin does insufficient validation on the
message length parameter supplied by a remote user. This allows
an arbitrary heap location to be overwritten with a zero byte
and will also cause an unbounded read into the heap.

The most obvious impact of this vulnerability would be a denial
of service to the GAIM client. While this vulnerability is not
likely to be exploitable, exploitation cannot be ruled out.

Please note that Gaim-Encryption is not part of GAIM and is not
developed by GAIM.

3. Vendor status and information

William Tompkins
http://gaim-encryption.sourceforge.net/

The author was notified and a fixed version was released on
March 16th, 2003.

4. Solution

Upgrade to version 1.16 of the Gaim-Encryption plugin. Note that
while a patched version of 1.15 was released, some versions of
1.15 may still be vulnerable.

5. Detailed analysis

The decrypt_msg function is responsible for decrypting encrypted
GAIM messages. It reads the message length from a user-supplied
header using sscanf. While some bounds checking is performed, a
negative length is not properly handled: the value is only checked
against an upper bound, so a negative number passes the check and
is then used as the index at which the message string is NUL
terminated. Since a negative index points before the start of the
allocated buffer, the zero byte lands at an arbitrary location in
memory rather than at the end of the string where it belongs.
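To make the signed-length problem concrete, here is a constructed example (not the gaim-encryption plugin's own code, whose wire format is not reproduced here) of a decrypt-style routine that reads a length with sscanf. The header layout "*len:<n>*payload", the buffer size MAX_MSG, and all function names are assumptions for illustration. weak_length_ok() shows the kind of upper-bound-only check the advisory describes; decrypt_msg_hardened() adds the two checks that close both findings: rejecting negative or out-of-range lengths before the terminator is written, and refusing a length longer than the bytes actually present so no unbounded read occurs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size for the decrypted message (constructed for this example). */
#define MAX_MSG 4096

/* Vulnerable-style check: only the upper bound is tested, and len is signed,
 * so a negative value such as -4096 is accepted. In the pattern the advisory
 * describes, msg[len] = '\0' then writes a zero byte before the buffer. */
int weak_length_ok(int len) {
    return len <= MAX_MSG;
}

/* Hardened check: reject negatives and anything that would place the
 * terminating NUL at or past the end of the buffer. */
int strict_length_ok(long len, size_t bufsize) {
    return len >= 0 && (size_t)len < bufsize;
}

/* Parse the assumed header "*len:<n>*". Returns the number of header bytes
 * consumed, or -1 if the header is malformed. sscanf is used deliberately,
 * as the advisory says decrypt_msg did; note that %ld happily parses "-4096". */
int parse_len_header(const char *hdr, long *len_out) {
    long len;
    int consumed = 0;
    if (sscanf(hdr, "*len:%ld*%n", &len, &consumed) != 1 || consumed == 0)
        return -1;
    *len_out = len;
    return consumed;
}

/* Simulated decrypt step: copy the payload into a fixed buffer and terminate
 * it. Returns the message length, or a negative code on rejection:
 *   -1 malformed header, -2 length out of range, -3 length exceeds payload. */
int decrypt_msg_hardened(const char *wire, char *out, size_t outsize) {
    long len;
    int hdrlen = parse_len_header(wire, &len);
    if (hdrlen < 0)
        return -1;
    if (!strict_length_ok(len, outsize))
        return -2;                       /* blocks the out-of-bounds NUL write */
    const char *payload = wire + hdrlen;
    size_t avail = strlen(payload);
    if ((size_t)len > avail)
        return -3;                       /* blocks the unbounded read */
    memcpy(out, payload, (size_t)len);
    out[len] = '\0';                     /* len is now known to be in [0, outsize) */
    return (int)len;
}

int main(void) {
    char out[MAX_MSG];
    /* Constructed sample messages. */
    printf("good     -> %d\n", decrypt_msg_hardened("*len:5*hello", out, sizeof out));
    printf("negative -> %d\n", decrypt_msg_hardened("*len:-4096*hello", out, sizeof out));
    printf("too long -> %d\n", decrypt_msg_hardened("*len:10*hello", out, sizeof out));
    printf("weak check accepts -4096: %d\n", weak_length_ok(-4096));
    return 0;
}
```

The point of the comparison is that the fix is not in sscanf but in what is done with its result: a signed length must be tested on both sides before it is used as an index or a copy size, and a length must also be compared against the bytes actually received.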

6. Contact Information

Rapid7 Security Advisories
Email: [email protected]
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700

7. Disclaimer and Copyright

Rapid7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.

This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPpcmgiT52JC2U8wAEQKc4ACfbhx2R3ogtcV71xymR/ExjqSckQIAoIxh
GuzV+92KF3r6hFJ3dTZGRFVs
=J9Hm
-----END PGP SIGNATURE-----

