Talos Vulnerability Report

TALOS-2016-0120

Pidgin MXIT get_utf8_string Code Execution Vulnerability

June 21, 2016

Report ID

CVE-2016-2378

Description

A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted data sent from the server can trigger a buffer overflow and the resulting memory corruption. A malicious server, or a malicious user whose messages the server does not filter, can send a string length field that is interpreted as a negative value to trigger this vulnerability.

CVSS v3 Score

8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tested Versions

Pidgin 2.10.11

Product URLs

https://www.pidgin.im/

Details

The function get_utf8_string, defined at line 231 in libpurple/protocols/mxit/chunk.c, takes a maximum string length as an argument. Usually this is passed in as the size of the buffer str that is being written to.

It reads the length of the string at line 238 and checks at line 240 that it is not larger than the maximum string length. If it is, it records the excess in skip and sets the length equal to maxstrlen.

238    pos += get_int16( &chunkdata[pos], &len );
239
240    if ( len > maxstrlen ) {
       …
243        skip = len - maxstrlen;
244        len = maxstrlen;
245    }

However, len is a signed short. get_int16 fills it from ntohs, which returns an unsigned 16-bit value, and assigning that value to len converts it to a signed short. Any length with the high bit set (0x8000, i.e. 32768, or greater) therefore becomes a negative value, and a negative len is never greater than maxstrlen, so the size check at line 240 is bypassed.

The negative len then reaches the call to get_data at line 248, which results in a buffer overflow:

248	pos += get_data( &chunkdata[pos], str, len );

The function get_data ultimately calls memcpy, whose size parameter is the unsigned type size_t. The negative value is converted to a very large positive size, and memcpy writes far past the end of str.
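
The following is an added example written for this report, not Pidgin's own code. It models the control flow described above (a 2-byte big-endian length followed by string bytes, as the advisory describes the chunk layout) to show how a wire length of 0x8000 or greater turns into a negative signed short that slips past the "len > maxstrlen" check, and places a hardened reader beside it that keeps the length unsigned and bounds it by the bytes actually present in the chunk. The function names, the sample chunks and the 32-byte destination size are this example's own assumptions.

```c
/*
 * Added example (not Pidgin's code): a model of the signed-length bug in
 * get_utf8_string and a hardened replacement.  Wire layout assumed here:
 * [2-byte big-endian length][string bytes].  Function names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Decode a 16-bit big-endian value (what ntohs() yields on a little-endian host). */
static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/*
 * Mirrors the vulnerable control flow: the length lands in a *signed* short,
 * so any wire value >= 0x8000 becomes negative, the "len > maxstrlen"
 * truncation never fires, and the negative value is what would reach
 * get_data() and memcpy().  Returns that value instead of copying anything.
 */
int vuln_copy_len(const unsigned char *chunk, int maxstrlen)
{
    short len = (short)read_be16(chunk);   /* uint16 -> signed short, may go negative */
    if (len > maxstrlen)
        len = maxstrlen;                   /* never taken when len < 0 */
    return len;                            /* negative -> huge size_t in memcpy */
}

/* What memcpy() would see: a negative int converted to size_t. */
size_t as_memcpy_size(int len)
{
    return (size_t)len;
}

/*
 * Hardened version: keep the length unsigned, bound it by the bytes actually
 * present in the chunk, then truncate to the destination size.  Writes a
 * NUL-terminated string into str (capacity maxstrlen + 1) and returns the
 * number of chunk bytes consumed (length field + full string), or -1 on error.
 */
int safe_get_utf8_string(const unsigned char *chunk, size_t chunklen,
                         char *str, size_t maxstrlen)
{
    if (chunklen < 2)
        return -1;                         /* no room for the length field */

    uint16_t len = read_be16(chunk);       /* unsigned: cannot be negative */
    if (len > chunklen - 2)
        return -1;                         /* claims more bytes than the chunk holds */

    size_t copy = len < maxstrlen ? len : maxstrlen;  /* truncate to str's capacity */
    memcpy(str, chunk + 2, copy);
    str[copy] = '\0';

    return (int)(2 + len);                 /* advance past the whole string, including skipped bytes */
}

/* Constructed sample chunks (not captured MXIT traffic). */
static const unsigned char benign[]    = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char malicious[] = { 0x80, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char longer[]    = { 0x00, 0x0a, '0', '1', '2', '3', '4',
                                           '5', '6', '7', '8', '9' };

int main(void)
{
    char buf[33];   /* maxstrlen = 32 plus the terminating NUL */

    int v = vuln_copy_len(malicious, 32);
    printf("vulnerable path: len = %d, memcpy size = %zu\n", v, as_memcpy_size(v));

    int rc = safe_get_utf8_string(malicious, sizeof malicious, buf, 32);
    printf("hardened path: rc = %d (rejected)\n", rc);

    rc = safe_get_utf8_string(benign, sizeof benign, buf, 32);
    printf("hardened path: rc = %d, str = \"%s\"\n", rc, buf);

    rc = safe_get_utf8_string(longer, sizeof longer, buf, 4);
    printf("hardened path (truncated): rc = %d, str = \"%s\"\n", rc, buf);
    return 0;
}
```

The hardened reader does two things the original check does not: it never lets the length become signed, and it refuses a length larger than the data remaining in the chunk, so neither the copy nor the returned skip can run past either buffer.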

Credit

Discovered by Yves Younan of Cisco Talos.

Timeline

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure