Talos Vulnerability Report

TALOS-2016-0119

Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability

June 21, 2016
CVE Number

CVE-2016-2377

DESCRIPTION

A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative Content-Length in response to an HTTP request, triggering the vulnerability.

CVSSv3 SCORE

8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

When a reply to an HTTP request arrives from the HTTP server, the callback function mxit_cb_http_read(), defined in mxit/http.c, is called.

This function parses the HTTP headers and then hands the body off for processing as a regular MXIT packet. As part of the header parsing, the Content-Length value is read from the headers at lines 178-185:

178		ch += strlen( HTTP_CONTENT_LEN );
		tmp = strchr( ch, '\r' );
		if ( !tmp ) {
			purple_debug_error( MXIT_PLUGIN_ID, "Received bad HTTP reply packet (ignoring packet)\n" );
			goto done;
		}
		tmp = g_strndup( ch, tmp - ch );
185		bodylen = atoi( tmp );

The variable bodylen is declared as a signed int, and atoi() accepts a leading minus sign, so a header value such as "Content-Length: -1" makes bodylen negative. There is a size check at lines 189-192:

189		if ( buflen + bodylen >= CP_MAX_PACKET ) {
			/* this packet is way to big */
			goto done;
192		}

However, this check passes for any negative bodylen: the addition is performed in signed arithmetic, so buflen + bodylen is smaller than buflen and never reaches CP_MAX_PACKET. The check guards against oversized bodies but never tests for a negative one.

At line 206 bodylen is assigned to session->rx_i, which is an unsigned integer. The implicit signed-to-unsigned conversion turns a negative bodylen into a very large positive value (for example, -1 becomes 4294967295 with a 32-bit unsigned int).

206		session->rx_i = bodylen;

This value later bounds the loop that processes the packet in the function mxit_parse_packet() in mxit/protocol.c, at line 2669:

2669		while ( i < session->rx_i ) {

The index i is subsequently used at multiple locations to write into the buffer rx_dbuf, including at lines 2713, 2720 and 2729. Because the loop bound is attacker-controlled and far larger than the buffer, this allows an out-of-bounds write to rx_dbuf.
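To make the steps above concrete, here is an added, self-contained C model of the flow (example code written for this page, not Pidgin's own source): it extracts the Content-Length value the way lines 178-185 do, runs the signed size check and the unsigned assignment, reports where the while ( i < session->rx_i ) loop would first index past rx_dbuf, and places a hardened parser beside it. CP_MAX_PACKET, HTTP_CONTENT_LEN, the session_model struct, the buflen of 100 and the server reply are assumptions chosen for illustration; the real Pidgin values and types are not reproduced here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the Pidgin identifiers named in the report; the
 * real CP_MAX_PACKET value is not reproduced here. */
#define CP_MAX_PACKET    8192
#define HTTP_CONTENT_LEN "Content-Length: "

struct session_model {
    unsigned int rx_i;              /* unsigned, like session->rx_i */
    char rx_dbuf[CP_MAX_PACKET];    /* the buffer the parse loop indexes */
};

/* Constructed reply from a hostile server (not a real capture). */
static const char MALICIOUS_REPLY[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: -1\r\n"
    "\r\n";

/* Mirror of lines 178-185: skip the header name, cut at '\r', copy the
 * value (a bounded copy stands in for g_strndup so no GLib is needed).
 * Returns NULL if the header is missing or unterminated. */
const char *extract_content_length(const char *reply, char *out, size_t outsz)
{
    const char *ch = strstr(reply, HTTP_CONTENT_LEN);
    if (!ch) return NULL;
    ch += strlen(HTTP_CONTENT_LEN);
    const char *tmp = strchr(ch, '\r');
    if (!tmp) return NULL;
    size_t n = (size_t)(tmp - ch);
    if (n >= outsz) return NULL;
    memcpy(out, ch, n);
    out[n] = '\0';
    return out;
}

/* Model of the original flow: atoi() into a signed int, the signed size
 * check from lines 189-192, then the assignment from line 206.  Returns
 * true when the packet would be handed on for processing. */
bool vulnerable_accept(const char *value, int buflen, struct session_model *s)
{
    if (!value) return false;
    int bodylen = atoi(value);                 /* "-1" -> -1 */
    if (buflen + bodylen >= CP_MAX_PACKET)     /* 100 + -1 = 99: passes */
        return false;
    s->rx_i = bodylen;                         /* -1 -> UINT_MAX */
    return true;
}

/* Model of `while (i < session->rx_i)` at line 2669: each iteration
 * indexes rx_dbuf[i].  Rather than write out of bounds, report the first
 * index that would fall outside the buffer, or -1 if none would. */
long first_oob_index(const struct session_model *s)
{
    unsigned int i = 0;
    while (i < s->rx_i) {
        if (i >= sizeof s->rx_dbuf)
            return (long)i;
        i++;
    }
    return -1;
}

/* Hardened parse: strtol() with full error reporting, reject negatives,
 * overflow and trailing junk, and keep the total under CP_MAX_PACKET
 * without any signed/unsigned surprise.  Returns -1 on rejection. */
int hardened_parse_body_len(const char *value, int buflen)
{
    if (!value || buflen < 0 || buflen >= CP_MAX_PACKET) return -1;
    char *end;
    errno = 0;
    long v = strtol(value, &end, 10);
    if (end == value || *end != '\0') return -1;   /* empty or trailing junk */
    if (errno == ERANGE || v < 0) return -1;       /* overflow or negative */
    if (v >= CP_MAX_PACKET - buflen) return -1;    /* same bound as original */
    return (int)v;
}

int main(void)
{
    char val[32];
    struct session_model s = { 0 };
    const char *cl = extract_content_length(MALICIOUS_REPLY, val, sizeof val);
    printf("Content-Length value: %s\n", cl ? cl : "(none)");
    if (vulnerable_accept(cl, 100, &s))
        printf("vulnerable: accepted, rx_i = %u, first OOB index = %ld\n",
               s.rx_i, first_oob_index(&s));
    printf("hardened: %d\n", hardened_parse_body_len(cl, 100));
    return 0;
}
```

Compiled with any C99 compiler, the vulnerable path accepts the -1 header with rx_i equal to UINT_MAX and would step off the end of rx_dbuf at index CP_MAX_PACKET, while the hardened parser rejects negative, malformed and out-of-range values in one place. The fix direction is the one the analysis above points to: validate the sign before the size arithmetic, not after the conversion to unsigned.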

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.