Talos Vulnerability Report

TALOS-2016-0139

Pidgin MXIT Extended Profiles Code Execution Vulnerability

June 21, 2016
CVE Number

CVE-2016-2371

DESCRIPTION

An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.

CVSSv3 SCORE

8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

The function mxitparsecmd_extprofile() is called when extended profile packets are received from the server. At line 1837 it will read the number of attributes that were sent by the server into the variable count.

1837    count = atoi( records[0]->fields[1]->data );

This value is subsequently used as the bounds for a loop at line 1839 and used to calculate the index into an array at line 1843 and that value is subsequently used to access values in the array at lines 1845-1847.

1839    for ( i = 0; i < count; i++ ) {
            char* fname;
            char* fvalue;
            char* fstatus;
1843        int f = ( i * 3 ) + 2;

            fname = records[0]->fields[f]->data;        /* field name */
            fvalue = records[0]->fields[f + 1]->data;   /* field value */
1847        fstatus = records[0]->fields[f + 2]->data;  /* field status */

The index is also used to write to an array at lines 1859-1860 potentially causing an out-of-bounds write.

1859    fvalue[10] = '\0';
        records[0]->fields[f + 1]->len = 10;

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.