Talos Vulnerability Report

TALOS-2016-0118

Pidgin MXIT read stage 0x3 Code Execution Vulnerability

June 21, 2016
CVE Number

CVE-2016-2376

DESCRIPTION

A buffer overflows vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow.

CVSSv3 SCORE

8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

The function mxitcbrx in the file mxit/protocol.c is a callback function will be called by Pidgin whenever data is sent from the MXIT server. When data is received, the size of the incoming packet will also be received at line 2825. There is a check at line 2826 to ensure that this data is not larger than the maximum size of that an MXIT packet can be which is defined as CPMAXPACKET.

2825    session->rx_res = atoi( &session->rx_lbuf[3] );
2826    if ( session->rx_res > CP_MAX_PACKET ) {
purple_connection_error( session->con, _( "A connection error occurred to MXit. (read stage 0x03)" ) );
    }

This is also the size of the buffer that the data is read into. However if the size is larger than CPMAXPACKET, an error will be logged but execution will simply continue. Moreover, if the size is negative (this is possible since rx_res is an int) then no error will be logged and execution will also continue. This size will be subsequently used in a read operation at line 2846.

2846    len = read( session->fd, &session->rx_dbuf[session->rx_i], session->rx_res );

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos