An exploitable NULL write vulnerability exists in Pidgin's implementation of the STUN protocol in the libpurple library. An attacker who can control the response to a STUN protocol packet can cause a network receive operation to return an undersized value, resulting in an out-of-bounds write of a NULL value.
Pidgin 2.10.7
An off by one exists in libpurple/stun.c at line 182 in the function reply_cb():
    len = recv(source, buffer, sizeof(buffer) - 1, 0);
    if (!len) {
        purple_debug_warning("stun", "unable to read stun response\n");
        return;
    }
    buffer[len] = '\0';
If the attacker causes a network error during the STUN message reply, the recv() call returns -1. The check at line 178 (if (!len)) only catches a return value of exactly zero, so it is bypassed, and the negative value is used as the index on line 182, resulting in an out-of-bounds write of NULL.
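The following is an added example, not Pidgin's code, that reconstructs the reported pattern and shows the corresponding hardened receive. It assumes, as the advisory's description implies, that the original stores recv()'s result in an unsigned length (so -1 wraps and the zero check never fires); the function names unsigned_len_check_passes, recv_stun_reply and hardened_reader_behaves are hypothetical, and the socketpair traffic is constructed locally to exercise both the normal and the error path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Reconstruction of the reported pattern (assumption, not Pidgin's code):
 * recv()'s return value lands in an unsigned length, so -1 wraps to SIZE_MAX
 * and `if (!len)` does not fire.  Returns 1 when the check would let the
 * code fall through to buffer[len] = '\0'.
 */
int unsigned_len_check_passes(ssize_t recv_result)
{
    size_t len = (size_t)recv_result;  /* -1 becomes SIZE_MAX here */
    if (!len)                          /* only catches a return of exactly 0 */
        return 0;
    return 1;                          /* would proceed to buffer[len] */
}

/*
 * Hardened receive: keep the signed type recv() actually returns and reject
 * every non-positive result before the buffer is indexed.  On success the
 * data is NUL-terminated and the byte count is returned; on a socket error
 * (-1) or a closed/empty read (0) the buffer is left untouched.
 */
ssize_t recv_stun_reply(int source, char *buffer, size_t bufsize)
{
    ssize_t len;

    if (bufsize == 0)
        return -1;

    len = recv(source, buffer, bufsize - 1, 0);  /* leave room for the terminator */
    if (len < 0)
        return -1;           /* recv() failed: never index with a negative value */
    if (len == 0)
        return 0;            /* peer closed or empty datagram: nothing to parse */

    buffer[len] = '\0';      /* len is now within [1, bufsize - 1] */
    return len;
}

/*
 * Drives both scenarios over a local AF_UNIX socketpair (constructed input).
 * Returns 1 if the hardened reader terminated the normal reply in-bounds and
 * refused the error read without touching the buffer, 0 otherwise.
 */
int hardened_reader_behaves(void)
{
    int sv[2];
    char buffer[32] = "untouched";

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;

    /* Normal path: a short constructed reply is read and NUL-terminated. */
    if (write(sv[1], "stun-reply", 10) != 10)
        return 0;
    if (recv_stun_reply(sv[0], buffer, sizeof buffer) != 10)
        return 0;
    if (strcmp(buffer, "stun-reply") != 0)
        return 0;

    /* Error path: recv() on a closed descriptor returns -1 (EBADF). */
    close(sv[0]);
    close(sv[1]);
    strcpy(buffer, "untouched");
    if (recv_stun_reply(sv[0], buffer, sizeof buffer) != -1)
        return 0;
    if (strcmp(buffer, "untouched") != 0)
        return 0;

    return 1;
}

int main(void)
{
    printf("unsigned check lets recv() == -1 through: %d\n",
           unsigned_len_check_passes(-1));
    printf("hardened reader behaves: %d\n", hardened_reader_behaves());
    return 0;
}
```

The key change is typing the length as ssize_t and testing len < 0 before len == 0; with an unsigned length the same `!len` test silently accepts the error return and the write lands one byte before the buffer.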
Yves Younan of Sourcefire VRT