Talos Vulnerability Report

VRT-2013-1004

Pidgin libpurple SIP/SIMPLE Content-Length Integer Overflow Vulnerability

Jan 26, 2014

Description

An exploitable remote code execution vulnerability exists in Pidgin''s implementation of SIP/SIMPLE message handling. An attacker who can control the Content-Length of a SIP/SIMPLE message can cause an allocation to return NULL which can later be used to write into the lowest page of memory.

Tested Versions

Pidgin 2.10.7 (Windows only)

Product URLs

http://www.pidgin.im/

Details

In sipmsgparseheader() in file pidgin-2.10.7\libpurple\protocols\simple\sipmsg.c at line 114, the length of the message is read from an incoming message into an int:

 57       struct sipmsg *sipmsg_parse_header(const gchar *header) {
            ...
            164           tmp2 = sipmsg_find_header(msg, "Content-Length");
            115           if (tmp2 != NULL)
            116               msg->bodylen = strtol(tmp2, NULL, 10);
        

The above sipmsgparseheader is called from process_input() in file pidgin-2.10.7\libpurple\protocols\simple\simple.c at line 1631. If the message specifies a negative bodylen (-1), then restlen will be larger than bodylen, which means the if statement at line 1642 will be entered. The following allocation of bodylen + 1 evaluates to a size of zero:

1642           if(restlen >= msg->bodylen) {
            1643               dummy = g_malloc(msg->bodylen + 1);
            1644               memcpy(dummy, cur, msg->bodylen);
        

Unlike libc malloc, g_malloc returns NULL when it is called with a size of zero. As a result of that behavior, this ends up being a a write to the NULL page rather than the typical heap overflow. Writes to the zero page are exploitable if an attacker can cause enough allocations and exhaust enough of the memory address range to make the system map the low page.

Credit

Discovered by Sourcefire VRT