Talos Vulnerability Report

VRT-2014-0204

Pidgin libpurple Novell Protocol Multiple Denial of Service Vulnerabilities

Nov 6, 2014

Description

Several exploitable denial of service vulnerabilities exist in Pidgin''s implementation of the Novell protocol in the libpurple library. An attacker who can control the contents of an Novell protocol message can cause an out of memory condition by specifying an overly large size value for a memory allocation operation.

Tested Versions

Pidgin 2.10.7

Product URLs

http://www.pidgin.im/

Details

A denial of service condition exists in Pidgin when handling events in the Novell protocol. The vulnerability occurs in file pidgin-2.10.7\libpurple\protocols\novell\nmevent.c at lines 155, 170, 276, 285, 355, 407, 446, 496, 536, 595, 638, 676 and 837.

Below is a representative example from line 155:

rc = nm_read_uint32(conn, &size);
        if (size == MAX_UINT32) return NMERR_PROTOCOL;

        if (rc == NM_OK) {
            guid = g_new0(char, size + 1);
            rc = nm_read_all(conn, guid, size);
        }
        

While there is a check at line 154 to ensure that there is no integer overflow at line 155, an attacker can still specify a value of MAXUINT32-1, this will result in a gnew0 function call with the requested size of MAXUINT32. The gnew0 function will attempt to allocate this memory, resulting in an out of memory exception and termination of the program.

Credit

Discovered by Yves Younan and Richard Johnson Sourcefire VRT