CVE-2016-2377
A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative Content-Length in response to an HTTP request, triggering the vulnerability.
CVSSv3 Score: 8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tested Versions: Pidgin 2.10.11
Product URL: https://www.pidgin.im/
When a reply to an HTTP request is received from the HTTP server, the callback function mxit_cb_http_read(), defined in mxit/http.c, is called.
This function parses the HTTP headers and then hands the body off for processing as a regular MXIT packet. As part of the HTTP header parsing, the Content-Length value (HTTP_CONTENT_LEN) is read from the headers at lines 178-185:
178 ch += strlen( HTTP_CONTENT_LEN );
    tmp = strchr( ch, '\r' );
    if ( !tmp ) {
        purple_debug_error( MXIT_PLUGIN_ID, "Received bad HTTP reply packet (ignoring packet)\n" );
        goto done;
    }
    tmp = g_strndup( ch, tmp - ch );
185 bodylen = atoi( tmp );
bodylen is declared as a signed integer, so the value read from the HTTP header can be negative. There is a size check at lines 189-192:
189 if ( buflen + bodylen >= CP_MAX_PACKET ) {
        /* this packet is way to big */
        goto done;
192 }
However, this check passes when bodylen is negative, since a negative bodylen only makes the sum smaller.
At line 206, bodylen is copied into session->rx_i, which is an unsigned integer, so a negative bodylen is converted to a large positive value:
206 session->rx_i = bodylen;
This value is later used to control a loop when the packet is processed in the function mxit_parse_packet() in mxit/protocol.c at line 2669:
2669 while ( i < session->rx_i ) {
The index i is subsequently used at multiple locations to write to the buffer rx_dbuf, including at lines 2713, 2720 and 2729. This could allow an attacker to overflow the buffer rx_dbuf.
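The following is an added illustration, not Pidgin's own code: a minimal parse of the Content-Length header that reproduces the flawed signed check described above, beside a hardened variant that rejects negative and malformed lengths before the value reaches an unsigned field. The CP_MAX_PACKET value, the signedness of buflen and the helper function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical values for this example only; Pidgin's real limits are not reproduced. */
#define CP_MAX_PACKET     8192
#define HTTP_CONTENT_LEN  "Content-Length: "

/* Locate the Content-Length value and the '\r' that ends it; returns 0 if absent. */
static int find_len_field(const char *hdr, const char **val, const char **end)
{
    const char *ch = strstr(hdr, HTTP_CONTENT_LEN);
    if (!ch) return 0;
    ch += strlen(HTTP_CONTENT_LEN);
    *val = ch;
    *end = strchr(ch, '\r');
    return *end != NULL;
}

/* Mirrors the flawed logic: atoi() into a signed int, a size check that a
 * negative value passes, then storage in an unsigned field (session->rx_i).
 * Returns the value that would be stored in rx_i, or -1 if the packet was dropped. */
static long long vulnerable_rx_i(const char *hdr, int buflen)
{
    const char *ch, *end;
    int bodylen;
    unsigned int rx_i;                       /* session->rx_i is unsigned */
    if (!find_len_field(hdr, &ch, &end)) return -1;
    bodylen = atoi(ch);                      /* stops at '\r', same result as g_strndup()+atoi() */
    if (buflen + bodylen >= CP_MAX_PACKET)   /* buflen + (-1) is never "too big" */
        return -1;
    rx_i = bodylen;                          /* -1 becomes 4294967295 on 32-bit unsigned int */
    return (long long)rx_i;
}

/* Hardened variant: strict decimal parse, negatives, junk and overflow
 * rejected before the value can become an unsigned loop bound. */
static long long hardened_rx_i(const char *hdr, int buflen)
{
    const char *ch, *end;
    char *stop;
    long bodylen;
    if (!find_len_field(hdr, &ch, &end) || buflen < 0) return -1;
    errno = 0;
    bodylen = strtol(ch, &stop, 10);
    if (errno != 0 || stop == ch || stop != end) return -1;    /* not a clean number */
    if (bodylen < 0 || bodylen >= CP_MAX_PACKET - buflen) return -1;
    return bodylen;
}
```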
2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure
Discovered by Yves Younan of Cisco Talos.