Gaim Quoted Printable Decoder Overflows

2004-01-27T02:50:42
ID OSVDB:3736
Type osvdb
Reporter OSVDB
Modified 2004-01-27T02:50:42

Description

Vulnerability Description

A remote overflow exists in the GAIM Instant Messenger client. GAIM fails to handle malformed input, resulting in a heap overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.

Technical Description

When the MIME decoder decodes a quoted-printable encoded string for email notification, two different kinds of overflows can be triggered.

Affected version: 0.75 (only)
File: gaim/src/util.c
Function: quotedp_decode()
Code:

  void
  gaim_quotedp_decode(const char *str, char **ret_str, int ...
  {
     char *p, *n, *new;

     n = new = g_malloc(strlen (str) + 1);

     for (p = (char *)str; *p; p++, n++) {
        if (*p == '=') {
           sscanf(p + 1, "%2x\n", (int *)n);   /* <-- [08] */
           p += 2;                             /* <-- [09] */
        }
        else if (*p == '_')
           *n = ' ';
        else
           *n = *p;
     }

     *n = '\0';
     ...

The way sscanf() is used, it always writes 4 bytes into the allocated buffer. The author did not consider malformed input such as "\1" (the backslash is only a backslash); with such input it is possible to write 1-2 zero bytes past the buffer boundary. On Linux this is exploitable like any heap off-by-one into the malloc() chunks. The second vulnerability is that, no matter how many bytes sscanf() consumes, the pointer is always advanced by an assumed 4 bytes. This can jump over the terminating zero byte, and with specially prepared memory after the string it is possible to overwrite the heap with an arbitrary number of bytes.
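As an added example that is not part of this advisory or of Gaim's code, the following decoder (the names qp_decode_safe and hexval are assumptions) shows the two defects corrected: each "=" escape is validated before anything is written, exactly one output byte is written per escape, and the input index advances only by what was actually consumed, so neither the output buffer nor the input's terminating zero byte can be overrun.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not Gaim's code. The original decoder used sscanf("%2x")
 * into an int (writing sizeof(int) bytes) and advanced p by two regardless
 * of what was consumed; here every "=" escape is validated first. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Returns a malloc'd NUL-terminated string (NULL if malloc fails) and
 * stores the decoded length in *out_len when out_len is non-NULL. */
char *qp_decode_safe(const char *str, size_t *out_len)
{
    size_t len = strlen(str), i = 0, n = 0;
    char *out = malloc(len + 1);  /* decoded output never exceeds input */
    if (out == NULL)
        return NULL;
    while (i < len) {
        char c = str[i];
        if (c == '=') {
            /* Soft line break "=\n" or "=\r\n" is dropped entirely. */
            if (str[i + 1] == '\n') { i += 2; continue; }
            if (str[i + 1] == '\r' && str[i + 2] == '\n') { i += 3; continue; }
            /* Lookahead stops at the first non-hex char, so the NUL is never passed. */
            int hi = hexval((unsigned char)str[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)str[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out[n++] = (char)((hi << 4) | lo);  /* one byte out, three in */
                i += 3;
            } else {
                out[n++] = '=';  /* malformed escape (e.g. "=1" at end): keep '=' */
                i += 1;
            }
        } else if (c == '_') {
            out[n++] = ' ';  /* RFC 2047 Q-encoding: '_' stands for a space */
            i += 1;
        } else {
            out[n++] = c;
            i += 1;
        }
    }
    out[n] = '\0';
    if (out_len != NULL) *out_len = n;
    return out;
}
```

The trailing "=1" in an input such as "=48=49_x=1" is the case the advisory describes; here it is emitted literally instead of triggering a 4-byte write and a skip past the terminator.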

Solution Description

Upgrade to version 0.76 when available. The FreeBSD security team has released an unofficial patch which also corrects this vulnerability.

Short Description

A remote overflow exists in the GAIM Instant Messenger client. GAIM fails to handle malformed input, resulting in a heap overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 10705
Related OSVDB ID: 3731
Related OSVDB ID: 3733
Related OSVDB ID: 3735
Related OSVDB ID: 3730
Related OSVDB ID: 3732
Related OSVDB ID: 3734
Other Solution URL: http://security.e-matters.de/patches/gaim-0.75-fix.diff
Other Advisory URL: http://security.e-matters.de/advisories/012004.html
ISS X-Force ID: 14942
CVE-2004-0005