Talos Vulnerability Report

TALOS-2016-0135

Pidgin MXIT Avatar Length Memory Disclosure Vulnerability

June 21, 2016

Report ID

CVE-2016-2367

Description

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out of bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.

CVSSv3 Score

5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Tested Versions

Pidgin 2.10.11

Product URLs

https://www.pidgin.im/

Details

When an avatar is received via the MXIT server, the server will send a CP_CHUNK_GET_AVATAR command. This will be handled by the function mxit_parse_cmd_media at lines 2208-2234 of mxit/protocol.c:

case CP_CHUNK_GET_AVATAR :			/* get avatars */
{
	struct getavatar_chunk chunk;
	struct contact* contact = NULL;
	/* decode the chunked data */
	memset( &chunk, 0, sizeof( struct getavatar_chunk ) );
	mxit_chunk_parse_get_avatar( &records[0]->fields[0]->data[sizeof( char ) + sizeof( int )], records[0]->fields[0]->len, &chunk );

	/* update avatar image */
	if ( chunk.data ) {
		purple_debug_info( MXIT_PLUGIN_ID, "updating avatar for contact '%s'\n", chunk.mxitid );

		contact = get_mxit_invite_contact( session, chunk.mxitid );

		if ( contact ) {
			/* this is an invite (add image to the internal image store) */
			contact->imgid = purple_imgstore_add_with_id( g_memdup( chunk.data, chunk.length ), chunk.length, NULL );

			/* show the profile */
			mxit_show_profile( session, chunk.mxitid, contact->profile );
		}
		else {
			/* this is a contact's avatar, so update it */
			purple_buddy_icons_set_for_user( session->acc, chunk.mxitid, g_memdup( chunk.data, chunk.length ), chunk.length, chunk.avatarid );
		}
	}
}

At line 2215 it will call the function mxit_chunk_parse_get_avatar() which will read the size of the chunk from the data at line 683 of mxit/chunk.c:

pos += get_int32( &chunkdata[pos], &(avatar->length) );

If the length of the chunk that was specified is longer than the buffer, it will result in an out-of-bounds read and the resulting data in memory will be written after the received avatar. Depending on the memory layout of the program at the time the vulnerability is triggered this could result in a scenario where either program crashes because pages are not accessible or where sensitive data is leaked from memory into the file. The user may decide to copy this avatar to other places or might send it to another user which would result in the leaking of this data.

Credit

Discovered by Yves Younan of Cisco Talos.

Timeline

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure