Talos Vulnerability Report

VRT-2014-0202

Pidgin libpurple STUN Response Length NULL Write Vulnerability

May 11, 2015

Description

An exploitable NULL write vulnerability exists in Pidgin's implementation of the STUN protocol in the libpurple library. An attacker who can control the response to a STUN protocol packet can cause a network receive operation to return an undersized value, resulting in an out-of-bounds write of a NULL value.

Tested Versions

Pidgin 2.10.7

Product URLs

http://www.pidgin.im/

Details

An off-by-one exists in libpurple/stun.c at line 182 in the function reply_cb():

    len = recv(source, buffer, sizeof(buffer) - 1, 0);
    if (!len) {
        /* only a zero-length read is treated as a failure here */
        purple_debug_warning("stun", "unable to read stun response\n");
        return;
    }
    buffer[len] = '\0';

If the attacker causes a network error while the STUN reply is being received, the recv function call returns -1. The check at line 178 only tests for a zero return (`!len`), so -1 passes through and is used as the array index at line 182, resulting in an out-of-bounds write of NULL at buffer[-1].
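The following is an added illustration, not libpurple's code: it reproduces the advisory's check logic against a constructed stand-in for recv() (fake_recv, which returns -1 to mimic a socket error) and places the fix beside it. The vulnerable variant returns the index the terminator would be written to instead of performing the write, so the negative index is observable without undefined behaviour; the hardened variant rejects every non-positive return. Buffer size, function names and the canned response bytes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 1024  /* constructed buffer size, not libpurple's */

/* Constructed stand-in for recv(): returns -1 to mimic a socket error,
 * otherwise copies a canned 4-byte response into the caller's buffer.
 * The bytes are arbitrary; nothing here is real STUN traffic. */
static ssize_t fake_recv(int fail, char *buf, size_t cap) {
    static const char response[] = "\x01\x01\x00\x00";
    size_t n = sizeof(response) - 1;
    if (fail)
        return -1;
    if (n > cap)
        n = cap;
    memcpy(buf, response, n);
    return (ssize_t)n;
}

/* Mirrors the advisory's check: only a zero return is treated as failure.
 * Returns the index buffer[len] = '\0' would use (no write is performed),
 * or -2 when the "unable to read stun response" path is taken. */
long vulnerable_terminator_index(int fail) {
    char buffer[BUF_SIZE];
    ssize_t len = fake_recv(fail, buffer, sizeof(buffer) - 1);
    if (!len) {
        return -2;
    }
    /* original: buffer[len] = '\0';  with len == -1 this is buffer[-1] */
    return (long)len;
}

/* Hardened variant: a negative return from recv() is an error too,
 * so both 0 and -1 take the failure path and the write never happens
 * with a negative index. */
long fixed_terminator_index(int fail) {
    char buffer[BUF_SIZE];
    ssize_t len = fake_recv(fail, buffer, sizeof(buffer) - 1);
    if (len <= 0) {
        return -2;
    }
    buffer[len] = '\0';  /* len is now guaranteed in [1, sizeof(buffer) - 1] */
    return (long)len;
}

int main(void) {
    printf("vulnerable, recv ok:    index %ld\n", vulnerable_terminator_index(0));
    printf("vulnerable, recv error: index %ld\n", vulnerable_terminator_index(1));
    printf("fixed, recv ok:         index %ld\n", fixed_terminator_index(0));
    printf("fixed, recv error:      index %ld\n", fixed_terminator_index(1));
    return 0;
}
```

The only difference between the two variants is `if (!len)` versus `if (len <= 0)`; the former is the pattern to look for in review wherever a signed length from recv(), read() or a similar call is used directly as an array index.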

Credit

Discovered by Yves Younan of Sourcefire VRT