Talos Vulnerability Report

TALOS-2016-0120

Pidgin MXIT get_utf8_string Code Execution Vulnerability

June 21, 2016
CVE Number

CVE-2016-2378

DESCRIPTION

A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability.

CVSSv3 SCORE

8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

The function getutf8string, defined at line 231 in libpurple/protocols/mxit/chunk.c will take a maximum string length as argument. Usually this is passed in as the size of the string str that is being written to.

It will read the length of the string at line 238 and check to ensure that it is not larger than the maximum string length at line 240. If it is, it will set the length to be equal to maxstrlen.

238 pos += get_int16( &chunkdata[pos], &len );
239 
240 if ( len > maxstrlen ) {
    …
243   skip = len - maxstrlen;
244 len = maxstrlen;
245 }

However, len is a signed short that will be read from nthos, which will read an unsigned integer, but because len is signed it will be cast to a signed integer. If the value of len is a large positive value it will be cast to a negative value, bypassing the size check at line 240.

The call to getdata at line 248 will then result in a buffer overflow: 248 pos += getdata( &chunkdata[pos], str, len );

The function get_data will end up calling memcpy which expects an unsigned size parameter and will interpret a negative value as a large positive value.

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.