Talos Vulnerability Report

TALOS-2016-0140

Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability

June 21, 2016
CVE Number

CVE-2016-2372

DESCRIPTION

An information leak exists in the handling of the MXIT protocol in Pidgin. A malicious user, server, or man-in-the-middle can send a file transfer chunk whose declared length is larger than the data actually received, which triggers an out-of-bounds read when the chunk is written to disk. Depending on the memory layout at the time, this results either in a denial of service or in memory contents beyond the received buffer being appended to the file, an information leak if the user then forwards that file to another party.

CVSSv3 SCORE

5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

When a file is received via the MXIT server, the server sends a CP_CHUNK_GET command. This is handled by the function mxit_parse_cmd_media at lines 2195-2206 of mxit/protocol.c.

2195	case CP_CHUNK_GET :					/* get file response */
		{
			struct getfile_chunk chunk;

			/* decode the chunked data */
			memset( &chunk, 0, sizeof( struct getfile_chunk ) );
2201		mxit_chunk_parse_get( &records[0]->fields[0]->data[sizeof( char ) + sizeof( int )], records[0]->fields[0]->len, &chunk );

			/* process the getfile */
2204		mxit_xfer_rx_file( session, chunk.fileid, chunk.data, chunk.length );
		}
2206	break;

At line 2201 it calls the function mxit_chunk_parse_get, which reads the length of the file data (together with other metadata about the file) into the getfile_chunk structure. This function is defined in the file mxit/chunk.c; the length is taken directly from the received data at line 509, and it is never checked against the number of bytes actually present in the record:

509	pos += get_int32( &chunkdata[pos], &(getfile->length) );

After this function has parsed the information and returned, mxit_xfer_rx_file is called at line 2204 with chunk.data and the attacker-supplied chunk.length.

This function is defined in the file mxit/filexfer.c, where at line 445 it writes datalen bytes starting at data (that is, chunk.length bytes from chunk.data) into the destination file:

445	if ( fwrite( data, datalen, 1, xfer->dest_fp ) > 0 ) {

If the declared length is longer than the buffer that actually holds the chunk, fwrite reads past the end of that buffer and appends whatever follows it in memory to the received file. Depending on the memory layout of the process at the time the vulnerability is triggered, this either crashes Pidgin, because the read runs into pages that are not accessible, or leaks sensitive data from memory into the file. The user may then copy this file to other places or send it to another user, disclosing that data.
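The following is an added example, not code from the Pidgin source or from the Talos report: a simplified model of the get-file chunk parser in C, showing the vulnerable shape (the wire length is believed as-is) next to a hardened parser that rejects any chunk whose declared length exceeds the bytes actually received. The field layout (8-byte file id, 32-bit offset, 32-bit length, 32-bit crc, then data), the helper names and the constructed chunks are assumptions for illustration; the real structure lives in mxit/chunk.h. The over-read is measured arithmetically so the example never performs it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout of a get-file chunk (example only; see mxit/chunk.h for the real one). */
#define MXIT_FILEID_LEN 8
#define GETFILE_HDR_LEN (MXIT_FILEID_LEN + 3 * sizeof(uint32_t))

struct getfile_chunk {
    char fileid[MXIT_FILEID_LEN];
    uint32_t offset;
    uint32_t length;     /* attacker-controlled: comes straight off the wire */
    uint32_t crc;
    const uint8_t *data; /* points into the received buffer, not a copy */
};

/* Big-endian 32-bit read; returns bytes consumed, in the spirit of get_int32(). */
static size_t get_int32_be(const uint8_t *buf, uint32_t *out)
{
    *out = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    return sizeof(uint32_t);
}

static void put_int32_be(uint8_t *buf, uint32_t v)
{
    buf[0] = (uint8_t)(v >> 24); buf[1] = (uint8_t)(v >> 16);
    buf[2] = (uint8_t)(v >> 8);  buf[3] = (uint8_t)v;
}

/* Vulnerable shape: decode the header and believe the length field. Returns 0 on success. */
static int parse_get_unchecked(const uint8_t *chunk, size_t datalen, struct getfile_chunk *gf)
{
    size_t pos = 0;
    if (datalen < GETFILE_HDR_LEN)
        return -1;
    memcpy(gf->fileid, chunk, MXIT_FILEID_LEN);
    pos += MXIT_FILEID_LEN;
    pos += get_int32_be(chunk + pos, &gf->offset);
    pos += get_int32_be(chunk + pos, &gf->length);
    pos += get_int32_be(chunk + pos, &gf->crc);
    gf->data = chunk + pos; /* nothing ties gf->length to datalen - pos */
    return 0;
}

/* Hardened shape: the claimed length must fit inside the bytes actually received. */
static int parse_get_checked(const uint8_t *chunk, size_t datalen, struct getfile_chunk *gf)
{
    if (parse_get_unchecked(chunk, datalen, gf) != 0)
        return -1;
    if (gf->length > datalen - GETFILE_HDR_LEN)
        return -1; /* reject: declared length exceeds the payload present */
    return 0;
}

/* Bytes past the end of the received buffer that fwrite(gf->data, gf->length, 1, fp) would read. */
static size_t bytes_beyond_buffer(const struct getfile_chunk *gf, size_t datalen)
{
    size_t avail = datalen - GETFILE_HDR_LEN;
    return gf->length > avail ? gf->length - avail : 0;
}

/* Build a constructed chunk; claimed_len may deliberately disagree with payload_len. */
static size_t build_get_chunk(uint8_t *out, size_t cap, uint32_t claimed_len,
                              const uint8_t *payload, size_t payload_len)
{
    size_t total = GETFILE_HDR_LEN + payload_len;
    if (cap < total)
        return 0;
    memcpy(out, "FILEID01", MXIT_FILEID_LEN);            /* constructed file id */
    put_int32_be(out + MXIT_FILEID_LEN, 0);              /* offset */
    put_int32_be(out + MXIT_FILEID_LEN + 4, claimed_len);/* length, as the peer declares it */
    put_int32_be(out + MXIT_FILEID_LEN + 8, 0);          /* crc */
    memcpy(out + GETFILE_HDR_LEN, payload, payload_len);
    return total;
}

/* Scenario: a chunk claiming claimed_len bytes over payload_len real bytes, through the unchecked parser. */
static size_t overread_for(uint32_t claimed_len, size_t payload_len)
{
    uint8_t payload[128], buf[256];
    struct getfile_chunk gf;
    if (payload_len > sizeof payload)
        return 0;
    memset(payload, 'A', payload_len);
    size_t n = build_get_chunk(buf, sizeof buf, claimed_len, payload, payload_len);
    if (n == 0 || parse_get_unchecked(buf, n, &gf) != 0)
        return 0;
    return bytes_beyond_buffer(&gf, n);
}

/* Same scenario through the hardened parser; 1 if the chunk is accepted, 0 if rejected. */
static int checked_accepts(uint32_t claimed_len, size_t payload_len)
{
    uint8_t payload[128], buf[256];
    struct getfile_chunk gf;
    if (payload_len > sizeof payload)
        return 0;
    memset(payload, 'A', payload_len);
    size_t n = build_get_chunk(buf, sizeof buf, claimed_len, payload, payload_len);
    return n != 0 && parse_get_checked(buf, n, &gf) == 0;
}

int main(void)
{
    printf("honest chunk (5 declared, 5 present): over-read %zu, accepted %d\n",
           overread_for(5, 5), checked_accepts(5, 5));
    printf("malicious chunk (65536 declared, 5 present): over-read %zu, accepted %d\n",
           overread_for(0x10000, 5), checked_accepts(0x10000, 5));
    return 0;
}
```

The check in parse_get_checked is the one missing in the code quoted above: the only length that may be handed to fwrite is the one bounded by the record length the caller already knows (records[0]->fields[0]->len), not the one the peer declares.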

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.