Talos Vulnerability Report

TALOS-2016-0142

Pidgin MXIT MultiMX Message Code Execution Vulnerability

June 21, 2016
CVE Number

CVE-2016-2374

DESCRIPTION

An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. A specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.

CVSSv3 SCORE

8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

TESTED VERSIONS

Pidgin 2.10.11

PRODUCT URLs

https://www.pidgin.im/

DETAILS

The function multimx_message_received defined in mxit/multimx.c will be called when a message is received from a MultiMX room. This message will be parsed and it will check if the message is coming from a particular user (if it contains a nickname) or from the system.

If the received message starts with a < then a nickname is embedded and the server will search for a corresponding >. The code to handle this is at lines 358-374:

354	if (msg[0] == '<') {
		/* Message contains embedded nickname - must be from contact */
		unsigned int i;

		for (i = 1; i < strlen(msg); i++) {		
			/* search for end of nickname */
			if (msg[i] == '>') {
				msg[i] = '\0';
				g_free(mx->from);
				mx->from = g_strdup(&msg[1]);
367				msg = &msg[i+2];		/* skip '>' and newline */
				break;
			}
		}

		/* now do markup processing on the message */
		mx->chatid = multimx->chatid;
374		mxit_parse_markup(mx, msg, strlen(msg), msgtype, msgflags);

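If a message contains only a nickname followed by a NUL terminator, then msg at line 367 will point out of bounds of the string: &msg[i+2] skips the '>' and the byte after it, which in this case is the terminator itself.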
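The off-by-one described above, next to one bounds-checked way to do the same split, as an added example that is not from the advisory or from Pidgin's source. The names unpatched_body_offset and split_nick are hypothetical, the sample strings are constructed, and skipping the separator only when it is a real newline is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Offset the quoted loop would assign to msg (i + 2), or 0 if no '>' is
 * found. The offset is only computed here, never dereferenced. */
static size_t unpatched_body_offset(const char *msg)
{
    size_t i, len = strlen(msg);

    for (i = 1; i < len; i++)
        if (msg[i] == '>')
            return i + 2;
    return 0;
}

/* Hypothetical bounds-checked split of "<nick>\nbody", done in place.
 * Returns the body, always within msg[0..strlen(msg)]; *nick is NULL
 * when no complete "<nick>" prefix is present. */
static char *split_nick(char *msg, char **nick)
{
    size_t len = strlen(msg);
    char *gt;

    *nick = NULL;
    if (msg[0] != '<' || (gt = memchr(msg + 1, '>', len - 1)) == NULL)
        return msg;               /* no embedded nickname: leave as is */
    *gt = '\0';                   /* terminate the nickname */
    *nick = msg + 1;
    gt++;                         /* byte after '>' (may be the old NUL) */
    if (*gt == '\n')              /* skip the separator only if present */
        gt++;
    return gt;
}

int main(void)
{
    char only_nick[] = "<bob>";         /* constructed sample input */
    char normal[] = "<bob>\nhello";     /* constructed sample input */
    char *nick, *body;

    printf("unpatched offset %zu, buffer holds %zu bytes\n",
           unpatched_body_offset(only_nick), sizeof only_nick);
    body = split_nick(only_nick, &nick);
    printf("nick=%s body_len=%zu\n", nick, strlen(body));
    body = split_nick(normal, &nick);
    printf("nick=%s body=%s\n", nick, body);
    return 0;
}
```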

This string is subsequently processed for markup at line 374. The mxit_parse_markup function allows for a number of scenarios to exploit this out-of-bounds access vulnerability. If the out-of-bounds data contains some user-controlled values, then the attacker can direct the markup down a number of paths. This can include an information leak where the markup contains a directive to download an emoticon string or a command to download an image (MXIT_CMD_IMAGE); both will send data from the string back via a URL request.

Another avenue of attack is to perform an out-of-bounds write which could potentially lead to code execution. The string being parsed is written to at multiple locations, including at line 578 in mxit/formcmds.c:

	start = message + 2;
	end = strstr(start, ":");
	if (end) {
		/* end of a command found */
578		*end = '\0';		/* terminate command string */

And line 864 of markup.c:

	ch = strstr( &message[i + 1], "$" );
	if ( ch ) {
		/* end found */
864		*ch = '\0';

TIMELINE

2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure

Credit

Discovered by Yves Younan of Cisco Talos.