[Full-disclosure] Gaim 1.2.1 -- PoC Stack Overflow

Type securityvulns
Reporter Securityvulns
Modified 2005-05-14T00:00:00


Product: Gaim Version: 1.2.1 Remote: Yes Effect: DoS, potential arbitrary code execution Date: May 13, 2005

I was looking at the stack overflow reported in Gaim 1.2.1. It's actually pretty trivial to find. The line that contains it looks like this:

strcpy(url_buf, gurl_buf->str);

url_buf is a 8192-byte buffer, and gurl_buf->str is an email address that is being displayed (user controlled).

The difficulty in writing a real exploit is that the input is sanitized, so any character over 128, as well as ' ', ',', '\n', '<', and others are stripped away. This doesn't leave much to play with, although I'm still confident that it would be possible to write an exploit under these conditions. I just don't have the motivation to do it :)

Another difficulty is that most chat protocols limit you to a reasonable message size, and 8192 is typically well above that size. So even if you could successfully create an exploit, you would still have to do it on a chat protocol that allows very long messages.

The final difficulty is that you also process the URL locally, when you send it, but that's not really a big deal. It would be trivial to filter it out in a plugin to make sure you don't crash yourself.

For this example, I just threw together a quik plugin which sends a 10002-character email address when the user types "/vuln". Gaim crashes at the address 0x41414141.

(gdb) run Starting program: /usr/local/bin/gaim [Thread debugging using libthread_db enabled] [New Thread 16384 (LWP 24908)]

Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 16384 (LWP 24908)] 0x41414141 in ?? ()

So in a real situation, this can be done. It's just difficult.

If anybody is actually able to use this for anything, please let me know. I'd be interested how this can be exploited.