-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now!
Rapid7 Advisory R7-0013 Heap Corruption in Gaim-Encryption Plugin
Published: April 11, 2003 Revision: 1.0 http://www.rapid7.com/advisories/R7-0013.html
CVE: CAN-2003-0163 Bugtraq ID: 7182
KNOWN VULNERABLE: o gaim-encryption 1.15 and earlier
NOT VULNERABLE: o gaim-encryption 1.16 and later
GAIM is a multi-protocol instant messaging client that is compatible with AIM, ICQ, MSN Messenger, Jabber, and other protocols. The Gaim-Encryption plugin provides transparent message encryption between two users.
The Gaim-Encryption plugin does insufficient validation on the message length parameter supplied by a remote user. This allows an arbitrary heap location to be overwritten with a zero byte and will also cause an unbounded read into the heap.
The most obvious impact of this vulnerability would be a denial of service to the GAIM client. While this vulnerability is not likely to be exploitable, exploitation cannot be ruled out.
Please note that Gaim-Encryption is not part of GAIM and is not developed by GAIM.
William Tompkins <bill AT icarion DOT com> http://gaim-encryption.sourceforge.net/
The author was notified and a fixed version was released on March 16th, 2003.
Upgrade to version 1.16 of the Gaim-Encryption plugin. Note that while a patched version of 1.15 was released, some versions of 1.15 may still be vulnerable.
The decrypt_msg function is responsible for decrypting encrypted GAIM messages. It reads the message length from a user-supplied header using sscanf. While some bounds checking is performed, a negative length is not properly handled. This causes the NUL termination of the message string to place a zero byte in an arbitrary location in memory rather than at the end of the string where it belongs.
Rapid7 Security Advisories Email: firstname.lastname@example.org Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700
Rapid7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.
This advisory Copyright (C) 2003 Rapid7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.
-----BEGIN PGP SIGNATURE----- Version: PGP 8.0
iQA/AwUBPpcmgiT52JC2U8wAEQKc4ACfbhx2R3ogtcV71xymR/ExjqSckQIAoIxh GuzV+92KF3r6hFJ3dTZGRFVs =J9Hm -----END PGP SIGNATURE-----