Talos Vulnerability Report

TALOS-2016-0133

Pidgin MXIT Markup Command Denial of Service Vulnerability

June 21, 2016

Report ID

CVE-2016-2365

Description

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

CVSSv3 Score

5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Tested Versions

Pidgin 2.10.11

Product URLs

https://www.pidgin.im/

Details

When handling markup commands there are insufficient checks to validate that all required fields have been provided to successfully execute the command, potentially resulting in a null pointer dereference when trying to use those values.

When a command is received in a message, the function mxit_parse_command() is called. This function is defined at line 562 in the file mxit/formcmds.c.

This function excepts to find values in the key=value format and will insert these pairs into a hashtable:

hash = command_tokenize(start);	/* break into <key,value> pairs */

It will then check what type of command it is dealing with and will call the appropriate function.

Two functions in particular will rely on key/value pairs that, if not defined, will cause a null pointer dereference.

The first function is command_imagestrip(), defined at line 383 in mxit/formcmds.c:

At lines 393-399 it will look up the values of the keys nm, v and dat:

/* image strip name */
name = g_hash_table_lookup(hash, "nm");

/* validator */
validator = g_hash_table_lookup(hash, "v");

/* image data */
tmp = g_hash_table_lookup(hash, "dat");

While there is a check at line 400 to ensure that tmp is not NULL, there are no similar checks for name and validator. This will cause a null pointer dereference when they are used at lines 419 and 420:

escname = g_strdup(purple_escape_filename(name));
escvalidator = g_strdup(purple_escape_filename(validator));

The keys fw, fh and layer have similar errors at lines 432-439:

tmp = g_hash_table_lookup(hash, "fw");
width = atoi(tmp);

tmp = g_hash_table_lookup(hash, "fh");
height = atoi(tmp);

tmp = g_hash_table_lookup(hash, "layer");
layer = atoi(tmp);

Similar errors also occur in the function command_table() defined in mxit/formcmds.c at lines 530-543:

tmp = g_hash_table_lookup(hash, "col");
nr_columns = atoi(tmp);

/* number of rows */
tmp = g_hash_table_lookup(hash, "row");
nr_rows = atoi(tmp);

/* mode */
tmp = g_hash_table_lookup(hash, "mode");
mode = atoi(tmp);

/* table data */
tmp = g_hash_table_lookup(hash, "d");
coldata = g_strsplit(tmp, "~", 0);

If any of these key/value pairs are missing, a crash will ensue.

Credit

Discovered by Yves Younan of Cisco Talos.

Timeline

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure