Talos Vulnerability Report

VRT-2014-0201

Pidgin libpurple MSN Message Parsing NULL Dereference Denial of Service Vulnerability

May 11, 2015

Description

An exploitable denial of service vulnerability exists in Pidgin's implementation of the MSN Messenger protocol in the libpurple library. An attacker who can control the contents of an MSN message can cause a string search function (strchr) to return a NULL pointer, which is then dereferenced without validation, crashing the client.

Tested Versions

Pidgin 2.10.7

Product URLs

http://www.pidgin.im/

Details

In file libpurple/protocols/msn/msg.c at line 199 in function msn_message_parse_payload(), the following code exists:

    if ((**cur == ' ') || (**cur == '\t')) {
        /* Folded (continuation) header line: split it on the '="' token
           into a key and a quoted value. */
        tokens = g_strsplit(g_strchug(*cur), "=\"", 2);
        key = tokens[0];
        value = tokens[1];

        /* The only one I care about is 'boundary' (which is folded from
           the key 'Content-Type'), so only process that. */
        if (!strcmp(key, "boundary")) {
            char *end = strchr(value, '\"');   /* NULL if no closing quote */
            *end = '\0';                        /* write through unchecked pointer */
        

If the message contains a folded header line of the form boundary="value with no closing quote, the strchr function call at line 199 returns NULL because no '"' character follows the value. That NULL pointer is dereferenced on the following line, where the code writes a terminating '\0' through it, resulting in program termination. The only preconditions are those visible in the code above: the line must begin with a space or tab so that it is treated as a folded header, and the token before the '="' separator must be exactly boundary.
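To make the failure mode concrete, the following is an added example and not libpurple code: it re-implements the folded-header handling described above in plain C without GLib, so it builds stand-alone. parse_boundary_vulnerable() mirrors the logic quoted from msg.c, including the unchecked strchr() result, while parse_boundary_safe() returns an error code instead of writing through NULL. The function names, return codes and sample header lines are this example's own assumptions.

```c
/* Added example, not Pidgin/libpurple code. Plain libc stand-ins replace
 * g_strchug()/g_strsplit(); the folded-header logic is the same as on the page. */
#include <stdio.h>
#include <string.h>

/* A folded header line starts with a space or tab (the check in msg.c). */
static int is_folded(const char *line)
{
    return line[0] == ' ' || line[0] == '\t';
}

/* Skip leading blanks, like g_strchug() but without modifying the buffer. */
static const char *chug(const char *s)
{
    while (*s == ' ' || *s == '\t')
        s++;
    return s;
}

/* Mirrors the vulnerable libpurple logic: splits key="value on the '="'
 * token and NUL-terminates the value at the closing quote. The bug is kept
 * on purpose: with no closing quote, end == NULL and *end = '\0' dereferences
 * NULL. Never feed it untrusted input. Returns 0 on success, -1 otherwise. */
int parse_boundary_vulnerable(char *line, char **value_out)
{
    char *p, *eq, *end;

    if (!is_folded(line))
        return -1;
    p = (char *)chug(line);
    eq = strstr(p, "=\"");
    if (eq == NULL)
        return -1;
    *eq = '\0';                 /* tokens[0] = key, tokens[1] = value */
    if (strcmp(p, "boundary") != 0)
        return -1;
    *value_out = eq + 2;        /* value begins after the '="' separator */
    end = strchr(*value_out, '"');
    *end = '\0';                /* BUG: end may be NULL (unterminated quote) */
    return 0;
}

/* Hardened variant. Copies the boundary value into out and returns 0;
 *  -1: not a folded boundary line (also covers a missing '="' separator,
 *      where GLib's g_strsplit() would have left tokens[1] NULL);
 *  -2: closing quote missing, the case that crashes the original code;
 *  -3: value does not fit in the caller's buffer. */
int parse_boundary_safe(const char *line, char *out, size_t outlen)
{
    const char *p, *eq, *end;
    size_t keylen, vlen;

    if (!is_folded(line))
        return -1;
    p = chug(line);
    eq = strstr(p, "=\"");
    if (eq == NULL)
        return -1;
    keylen = (size_t)(eq - p);
    if (keylen != strlen("boundary") || strncmp(p, "boundary", keylen) != 0)
        return -1;
    eq += 2;                    /* value starts after '="' */
    end = strchr(eq, '"');
    if (end == NULL)
        return -2;              /* the check the original code lacks */
    vlen = (size_t)(end - eq);
    if (vlen >= outlen)
        return -3;
    memcpy(out, eq, vlen);
    out[vlen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not captured MSN traffic. */
    char good[] = "\tboundary=\"----=_NextPart_000\"";
    const char *bad = "\tboundary=\"unterminated";
    char out[64];
    char *v;

    if (parse_boundary_vulnerable(good, &v) == 0)
        printf("vulnerable parser, well-formed input: boundary=%s\n", v);
    /* parse_boundary_vulnerable(bad, ...) would crash; the safe one reports it. */
    printf("safe parser, unterminated input: rc=%d\n",
           parse_boundary_safe(bad, out, sizeof out));
    return 0;
}
```

The hardened variant also rejects a folded line whose value part is missing altogether, since with GLib's g_strsplit() that leaves tokens[1] NULL and strchr(value, '"') would dereference it before the closing-quote check is ever reached.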

Credit

Discovered by Yves Younan of Sourcefire VRT