Talos Vulnerability Report

TALOS-2016-0123

Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability

June 21, 2016
CVE Number

CVE-2016-2380

DESCRIPTION

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out of bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read.

CVSSv3 SCORE

3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

When a message is sent by Pidgin to the server, it has to convert the markup from libpurple (HTML-based) markup to MXIT markup. To do this, the function mxitconvertmarkup_tx defined in the file markup.c will be called. This function will copy the data from the old string message to the new string mx, converting it along the way.

However, at lines 1146-1154 it will convert the markup to change the font color without checking the length of the string that is remaining:

1146    else if ( purple_str_has_prefix( &message[i], "<font color=" ) ) {
            /* font colour */
            tag = g_new0( struct tag, 1 );
            tag->type = MXIT_TAG_COLOR;
            tagstack = g_list_append( tagstack, tag );
            memset( color, 0x00, sizeof( color ) );
            memcpy( color, &message[i + 13], 7 );
            g_string_append( mx, color );
1154    }

It will compare if the string starts with <font color= at the current position in the message at line 1146. If it does it will copy 7 bytes from 1 element past the end of =, presumably to skip over the # tag. However, if <font color= is at the end of the string then this will result in an out-of-bounds read of message. Since one byte after the end of the = will be skipped over, the NULL termination string will be skipped over, allowing the 7 bytes of data behind the string to be copied to the mx, which is the string that will be sent to the server.

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.