Talos Vulnerability Report

TALOS-2016-0138

Pidgin MXIT Custom Resource Denial of Service Vulnerability

June 21, 2016
CVE Number

CVE-2016-2370

DESCRIPTION

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle can send invalid data to trigger this vulnerability.

CVSSv3 SCORE

5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

The function mxitchunkparse_cr() in the file mxit/chunk.c is used to parse custom resources like a new splash image. These type of resources are sent as part of a multimedia packet.

At lines 573 the length of the chunk is read from the chunk being parsed without bounds checks. This chunk can contain one or more resource chuncks that are set at line 577. The size of the resource chunk is contained at the top of the chunk and again the size is read without bounds checks at lines 587 and 604:

573 pos += get_int32( &chunkdata[pos], &chunklen );

    /* parse the resource chunks */
    while ( chunklen > 0 ) {
577     gchar* chunk = &chunkdata[pos];

        /* start of chunk data */
        pos += MXIT_CHUNK_HEADER_SIZE;

582     switch ( chunk_type( chunk ) ) {
            case CP_CHUNK_SPLASH :          /* splash image */
                {
                    struct splash_chunk* splash = g_new0( struct splash_chunk, 1 );

587                 mxit_chunk_parse_splash( &chunkdata[pos], chunk_length( chunk ), splash );

                    cr->resources = g_list_append( cr->resources, splash );
                    break;
                }
            case CP_CHUNK_CLICK :           /* splash click */
                {
                    struct splash_click_chunk* click = g_new0( struct splash_click_chunk, 1 );

                    cr->resources = g_list_append( cr->resources, click );
                    break;
                }
            default:
                purple_debug_info( MXIT_PLUGIN_ID, "Unsupported custom resource chunk received (%i)\n", chunk_type( chunk) );
        }

        /* skip over data to next resource chunk */
604     pos += chunk_length( chunk );
        chunklen -= ( MXIT_CHUNK_HEADER_SIZE + chunk_length( chunk ) );

This length is then used to access data in the chunk at lines 582 and 587, resulting in an out-of-bounds read. This data is not sent back to the server, so it is unlikely to result in an information leak vulnerability, but could result in a denial of service when accessing the out-of-bounds memory if the accessed location is not an allocated memory region.

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.