SSV:96746 (seebug.org, author: Root)
History: Oct 19, 2017 - 12:00 a.m.

Pidgin MXIT Extended Profiles Code Execution Vulnerability (CVE-2016-2371)

2017-10-19 00:00:00
Root
www.seebug.org
13

EPSS: 0.004 (Low), Percentile: 74.7%

DESCRIPTION

An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution.

CVSSv3 SCORE

8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

The function mxit_parse_cmd_extprofile() is called when extended profile packets are received from the server. At line 1837 it reads the number of attributes claimed by the server into the variable count, without checking it against the number of fields actually present in the record.
1837 count = atoi( records[0]->fields[1]->data );

This server-controlled value is then used as the bound of the loop at line 1839. Inside the loop, line 1843 derives an index f from the loop counter, and lines 1845-1847 use f, f + 1 and f + 2 to index the fields array without verifying that those entries exist.

1839    for ( i = 0; i < count; i++ ) {
            char* fname;
            char* fvalue;
            char* fstatus;
1843        int f = ( i * 3 ) + 2;

            fname = records[0]->fields[f]->data;        /* field name */
            fvalue = records[0]->fields[f + 1]->data;   /* field value */
1847        fstatus = records[0]->fields[f + 2]->data;  /* field status */

The same unchecked index is also used for writes at lines 1859-1860: the field value is truncated in place and its length updated. If f + 1 lies beyond the end of the fields array, or the value buffer is shorter than 11 bytes, these writes land out of bounds.

1859    fvalue[10] = '\0';
        records[0]->fields[f + 1]->len = 10;
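As an added illustration of the fix a maintainer would apply, the following C is not Pidgin's code: the record and field structures, the helper names and the constructed packets are all assumptions for this example. It validates the server-supplied count against the number of fields actually present before the loop, re-checks every index before dereferencing it, and only performs the in-place truncation when the value buffer is long enough to hold index 10.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the record/field structures (constructed for
 * this example, not Pidgin's own types). */
struct field  { char *data; size_t len; };
struct record { struct field **fields; size_t nfields; };

#define EXTPROFILE_FIRST_ATTR 2   /* fields[0], fields[1] precede the triples   */
#define EXTPROFILE_STRIDE     3   /* name, value, status per attribute          */
#define EXTPROFILE_VALUE_MAX  10  /* truncation length used at line 1859        */

/* Parse the attribute count and check that count triples fit inside the
 * fields that were really received. Returns the count, or -1 to reject. */
static int extprofile_checked_count(const struct record *rec, const char *count_str)
{
    char *end;
    long count = strtol(count_str, &end, 10);
    if (*count_str == '\0' || *end != '\0' || count < 0)
        return -1;                                   /* not a clean non-negative integer */
    if (rec->nfields < EXTPROFILE_FIRST_ATTR)
        return -1;                                   /* header fields missing */
    size_t available = (rec->nfields - EXTPROFILE_FIRST_ATTR) / EXTPROFILE_STRIDE;
    if ((size_t)count > available)
        return -1;                                   /* count exceeds what was sent */
    return (int)count;
}

/* Hardened walk over the attribute triples. Returns the number of
 * attributes processed, or -1 if the packet is malformed. */
static int parse_extprofile(struct record *rec, const char *count_str)
{
    int count = extprofile_checked_count(rec, count_str);
    if (count < 0)
        return -1;

    for (int i = 0; i < count; i++) {
        size_t f = (size_t)i * EXTPROFILE_STRIDE + EXTPROFILE_FIRST_ATTR;
        if (f + 2 >= rec->nfields)                   /* explicit per-iteration invariant */
            return -1;
        struct field *name   = rec->fields[f];       /* field name   */
        struct field *value  = rec->fields[f + 1];   /* field value  */
        struct field *status = rec->fields[f + 2];   /* field status */
        if (!name || !value || !status || !value->data)
            return -1;

        /* Truncate in place only when index 10 is inside the buffer. */
        if (value->len > EXTPROFILE_VALUE_MAX) {
            value->data[EXTPROFILE_VALUE_MAX] = '\0';
            value->len = EXTPROFILE_VALUE_MAX;
        }
    }
    return count;
}

/* Build a record from NUL-terminated strings (constructed test input). */
static struct record *make_record(const char *const *strs, size_t n)
{
    struct record *rec = calloc(1, sizeof *rec);
    rec->fields = calloc(n, sizeof *rec->fields);
    rec->nfields = n;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(strs[i]);
        rec->fields[i] = calloc(1, sizeof **rec->fields);
        rec->fields[i]->data = malloc(len + 1);
        memcpy(rec->fields[i]->data, strs[i], len + 1);
        rec->fields[i]->len = len;
    }
    return rec;
}

static void free_record(struct record *rec)
{
    for (size_t i = 0; i < rec->nfields; i++) {
        free(rec->fields[i]->data);
        free(rec->fields[i]);
    }
    free(rec->fields);
    free(rec);
}

/* Well-formed constructed packet: header plus two complete triples. */
int demo_consistent(void)
{
    const char *strs[] = { "ext", "2", "name", "Alice", "ok", "mood", "happy", "ok" };
    struct record *rec = make_record(strs, 8);
    int n = parse_extprofile(rec, rec->fields[1]->data);
    free_record(rec);
    return n;                                        /* 2 */
}

/* Header claims 50 attributes but only one triple follows: rejected. */
int demo_oversized_count(void)
{
    const char *strs[] = { "ext", "50", "name", "Alice", "ok" };
    struct record *rec = make_record(strs, 5);
    int n = parse_extprofile(rec, rec->fields[1]->data);
    free_record(rec);
    return n;                                        /* -1 */
}

/* A long value is truncated to 10 bytes; a short one is left untouched. */
int demo_value_len(const char *value)
{
    const char *strs[] = { "ext", "1", "name", value, "ok" };
    struct record *rec = make_record(strs, 5);
    int n = parse_extprofile(rec, rec->fields[1]->data);
    int len = (n == 1) ? (int)strlen(rec->fields[3]->data) : -1;
    free_record(rec);
    return len;
}
```

The single check in extprofile_checked_count is what the original code at line 1837 lacks: with it, count can never drive f past the end of fields, so the reads at 1845-1847 and the writes at 1859-1860 stay inside the buffers the server actually sent.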

TIMELINE

  • 2016-04-13 - Vendor Notification
  • 2016-06-21 - Public Disclosure