Talos Vulnerability Report

TALOS-2016-0137

Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability

June 21, 2016
CVE Number

CVE-2016-2369

DESCRIPTION

A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server can result in a denial of service. A malicious server can send a packet starting with a NULL byte to trigger the vulnerability.

CVSS v3 SCORE

5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

The function mxit_parse_packet() in mxit/protocol.c is called when data is received from an MXIT server, to parse the received stream of bytes into an MXIT packet.

When the packet is received, a new record is created in the packet to reflect the data (near line 2672):

rec = NULL;
field = NULL;
memset( &packet, 0x00, sizeof( struct rx_packet ) );
rec = add_record( &packet );

The function add_record does the following:

static struct record* add_record( struct rx_packet* p )
{
    struct record*  rec;
    rec = g_new0( struct record, 1 );
    p->records = g_realloc( p->records, sizeof( struct record* ) * ( p->rcount + 1 ) );
    p->records[p->rcount] = rec;
    p->rcount++;

    return rec;
}

This will create a record in the packet and increase the rcount variable by 1.

At lines 2679-2744 the packet is further analyzed and broken up into records and fields, depending on whether the separator byte encountered is 0x0, 0x1 or 0x2.

The following code is of particular interest:

while ( ( i < session->rx_i ) && ( !pbreak ) ) {
    switch ( session->rx_dbuf[i] ) {
        case CP_SOCK_REC_TERM :
            /* new record */
            if ( packet.rcount == 1 ) {
                /* packet command */
                packet.cmd = atoi( packet.records[0]->fields[0]->data );
            }

The value CP_SOCK_REC_TERM indicates that the end of a record has been reached, at which point the parser retrieves the command that the packet is sending. However, if the packet starts with a NULL byte, no field has yet been added to the first record, so its fields pointer is still NULL (the record was allocated with g_new0) and dereferencing it at line 2686 crashes the client.
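The following is an added example, not code from Pidgin or from this report: a minimal, self-contained model of the record/field parsing described above, using glibc allocation in place of g_new0/g_realloc. The structure and function names (struct field, add_field, close_field, parse_packet, the fcount member) are assumptions modelled on the snippets. The difference from the vulnerable loop is the single check in the CP_SOCK_REC_TERM case: the first record must own at least one field before packet.records[0]->fields[0] is dereferenced, so a stream beginning with a NULL byte is rejected as malformed instead of crashing the parser.

```c
/* Added example (not Pidgin's code): hardened MXIT-style record/field parser. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CP_SOCK_REC_TERM 0x00   /* end of record  */
#define CP_FLD_TERM      0x01   /* end of field   */
#define CP_PKT_TERM      0x02   /* end of packet  */

/* Assumed layout, modelled on the report's struct record / struct rx_packet. */
struct field     { char *data; size_t len; };
struct record    { struct field **fields; int fcount; };
struct rx_packet { struct record **records; int rcount; };

static struct record *add_record(struct rx_packet *p)
{
    struct record *rec = calloc(1, sizeof *rec);   /* fields == NULL, fcount == 0 */
    p->records = realloc(p->records, sizeof *p->records * (p->rcount + 1));
    p->records[p->rcount++] = rec;
    return rec;
}

static struct field *add_field(struct record *r)
{
    struct field *f = calloc(1, sizeof *f);
    r->fields = realloc(r->fields, sizeof *r->fields * (r->fcount + 1));
    r->fields[r->fcount++] = f;
    return f;
}

/* Copy buf[start..end) into the open field as a NUL-terminated string. */
static void close_field(struct field *f, const unsigned char *buf, size_t start, size_t end)
{
    f->len = end - start;
    f->data = malloc(f->len + 1);
    memcpy(f->data, buf + start, f->len);
    f->data[f->len] = '\0';
}

static void free_packet(struct rx_packet *p)
{
    for (int i = 0; i < p->rcount; i++) {
        for (int j = 0; j < p->records[i]->fcount; j++) {
            free(p->records[i]->fields[j]->data);
            free(p->records[i]->fields[j]);
        }
        free(p->records[i]->fields);
        free(p->records[i]);
    }
    free(p->records);
}

/* Parse buf[0..len). Returns the packet command (first field of the first
 * record) on success, or -1 if the stream is malformed, e.g. a record or
 * packet terminator arrives before any field exists in the first record. */
int parse_packet(const unsigned char *buf, size_t len)
{
    struct rx_packet packet;
    struct record *rec;
    struct field *field = NULL;
    size_t i = 0, start = 0;
    int cmd = -1, pbreak = 0;

    memset(&packet, 0, sizeof packet);
    rec = add_record(&packet);

    while (i < len && !pbreak) {
        switch (buf[i]) {
        case CP_SOCK_REC_TERM:
        case CP_PKT_TERM:
            if (field) { close_field(field, buf, start, i); field = NULL; }
            if (packet.rcount == 1) {
                /* Added check: a leading separator leaves fields == NULL. */
                if (packet.records[0]->fcount == 0) {
                    free_packet(&packet);
                    return -1;
                }
                cmd = atoi(packet.records[0]->fields[0]->data);
            }
            if (buf[i] == CP_PKT_TERM) pbreak = 1;
            else rec = add_record(&packet);
            break;
        case CP_FLD_TERM:
            if (field) { close_field(field, buf, start, i); field = NULL; }
            break;
        default:
            /* First data byte of a field opens it in the current record. */
            if (!field) { field = add_field(rec); start = i; }
            break;
        }
        i++;
    }
    if (field) close_field(field, buf, start, i);
    free_packet(&packet);
    return cmd;
}

int main(void)
{
    /* Constructed sample streams: a well-formed packet and one that starts
     * with the record terminator (the case described in this report). */
    static const unsigned char good[] = {'1', 0x01, 'a', 'b', 'c', 0x00, 'x', 'y', 'z', 0x02};
    static const unsigned char bad[]  = {0x00, 'a', 0x02};
    printf("good -> cmd %d\n", parse_packet(good, sizeof good));
    printf("bad  -> cmd %d\n", parse_packet(bad, sizeof bad));
    return 0;
}
```

The check is placed on the record's field count rather than on the fields pointer so that it also covers a record whose array was allocated but left empty; either test would stop the dereference seen at line 2686.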

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.