Talos Vulnerability Report
Pidgin MXIT Markup Command Denial of Service Vulnerability
June 21, 2016
A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.
When handling markup commands there are insufficient checks to validate that all required fields have been provided to successfully execute the command, potentially resulting in a null pointer dereference when trying to use those values.
When a command is received in a message, the function mxit_parse_command() is called. This function is defined at line 562 in the file mxit/formcmds.c.
This function expects to find values in the key=value format and inserts these pairs into a hash table:
hash = command_tokenize(start); /* break into <key,value> pairs */
It will then check what type of command it is dealing with and will call the appropriate function.
Two functions in particular will rely on key/value pairs that, if not defined, will cause a null pointer dereference.
The first function is command_imagestrip(), defined at line 383 in mxit/formcmds.c:
At lines 393-399 it will look up the values of the keys nm, v and dat:
    /* image strip name */
    name = g_hash_table_lookup(hash, "nm");
    /* validator */
    validator = g_hash_table_lookup(hash, "v");
    /* image data */
    tmp = g_hash_table_lookup(hash, "dat");
While there is a check at line 400 to ensure that tmp is not NULL, there are no similar checks for name and validator. This will cause a null pointer dereference when they are used at lines 419 and 420:
    escname = g_strdup(purple_escape_filename(name));
    escvalidator = g_strdup(purple_escape_filename(validator));
The keys fw, fh and layer have similar errors at lines 432-439:
    tmp = g_hash_table_lookup(hash, "fw");
    width = atoi(tmp);
    tmp = g_hash_table_lookup(hash, "fh");
    height = atoi(tmp);
    tmp = g_hash_table_lookup(hash, "layer");
    layer = atoi(tmp);
Similar errors also occur in the function command_table() defined in mxit/formcmds.c at lines 530-543:
    tmp = g_hash_table_lookup(hash, "col");
    nr_columns = atoi(tmp);
    /* number of rows */
    tmp = g_hash_table_lookup(hash, "row");
    nr_rows = atoi(tmp);
    /* mode */
    tmp = g_hash_table_lookup(hash, "mode");
    mode = atoi(tmp);
    /* table data */
    tmp = g_hash_table_lookup(hash, "d");
    coldata = g_strsplit(tmp, "~", 0);
If any of these key/value pairs are missing, a crash will ensue.
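The following is an added example, not Pidgin's code, showing the field-validation pattern that the command_imagestrip() and command_table() extraction above lacks: every required key is checked for presence before it is passed to atoi() or a string function. The GHashTable and command_tokenize() of the real code are replaced by a small constructed key/value table with a comma-separated "k=v" input format (the separator is an assumption, not the MXIT wire format); the field names col, row, mode, d, nm, v, dat, fw, fh and layer are those named in this advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the GHashTable built by command_tokenize() in the real code:
 * a small array of key/value pointers into a private copy of the message.
 * (Constructed for this example; the comma separator is an assumption.) */
#define MAX_PAIRS 16
struct kv { const char *key; const char *value; };
struct kvtable { char buf[256]; struct kv pairs[MAX_PAIRS]; int count; };

/* Split "k1=v1,k2=v2,..." in place. Returns 1 on success, 0 if too long. */
int kv_tokenize(struct kvtable *t, const char *input) {
    t->count = 0;
    if (strlen(input) >= sizeof t->buf) return 0;
    strcpy(t->buf, input);
    char *p = t->buf;
    while (*p != '\0' && t->count < MAX_PAIRS) {
        char *sep = strchr(p, ',');
        if (sep != NULL) *sep = '\0';
        char *eq = strchr(p, '=');
        if (eq != NULL) {
            *eq = '\0';
            t->pairs[t->count].key = p;
            t->pairs[t->count].value = eq + 1;
            t->count++;
        }
        if (sep == NULL) break;
        p = sep + 1;
    }
    return 1;
}

/* Same contract as g_hash_table_lookup(): NULL when the key is absent. */
const char *kv_lookup(const struct kvtable *t, const char *key) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->pairs[i].key, key) == 0) return t->pairs[i].value;
    return NULL;
}

/* Required integer field. The unpatched code calls atoi(tmp) with tmp possibly
 * NULL; here a missing or non-numeric value is reported instead of dereferenced. */
int required_int(const struct kvtable *t, const char *key, int *out) {
    const char *v = kv_lookup(t, key);
    if (v == NULL || *v == '\0') return 0;
    char *end;
    long n = strtol(v, &end, 10);
    if (*end != '\0') return 0;
    *out = (int)n;
    return 1;
}

/* Required string field: NULL means "reject the command". */
const char *required_str(const struct kvtable *t, const char *key) {
    const char *v = kv_lookup(t, key);
    return (v != NULL && *v != '\0') ? v : NULL;
}

/* Fields named in the advisory for the two affected commands. */
struct table_cmd { int nr_columns, nr_rows, mode; const char *data; };
struct imagestrip_cmd { const char *name, *validator, *data; int width, height, layer; };

/* Hardened field extraction for command_table(): every key is checked
 * before use, so a message lacking col/row/mode/d is rejected cleanly. */
int parse_table_command(const struct kvtable *t, struct table_cmd *c) {
    if (!required_int(t, "col", &c->nr_columns)) return 0;
    if (!required_int(t, "row", &c->nr_rows)) return 0;
    if (!required_int(t, "mode", &c->mode)) return 0;
    c->data = required_str(t, "d");
    return c->data != NULL;
}

/* Hardened field extraction for command_imagestrip(): nm and v receive the
 * same NULL check the original only applied to dat; fw/fh/layer are validated too. */
int parse_imagestrip_command(const struct kvtable *t, struct imagestrip_cmd *c) {
    c->name = required_str(t, "nm");
    c->validator = required_str(t, "v");
    c->data = required_str(t, "dat");
    if (c->name == NULL || c->validator == NULL || c->data == NULL) return 0;
    if (!required_int(t, "fw", &c->width)) return 0;
    if (!required_int(t, "fh", &c->height)) return 0;
    if (!required_int(t, "layer", &c->layer)) return 0;
    return 1;
}

int main(void) {
    /* Constructed messages: one complete, one with "mode" missing. */
    const char *msgs[] = { "col=2,row=3,mode=0,d=a~b~c", "col=2,row=3,d=a~b~c" };
    for (int i = 0; i < 2; i++) {
        struct kvtable t; struct table_cmd c;
        kv_tokenize(&t, msgs[i]);
        printf("%-28s -> %s\n", msgs[i],
               parse_table_command(&t, &c) ? "accepted" : "rejected (missing field)");
    }
    return 0;
}
```

The point of routing every lookup through required_int()/required_str() is that a missing key surfaces as a rejected command rather than as atoi(NULL) or purple_escape_filename(NULL); a server-supplied message that omits a field is the normal case a protocol parser must survive, not an exceptional one.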
Discovered by Yves Younan of Cisco Talos.
2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure