[UNIX] Heap Corruption in Gaim-Encryption Plugin
From: support@securiteam.com
To: list@securiteam.com
Date: 20 Apr 2003 18:37:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Heap Corruption in Gaim-Encryption Plugin
------------------------------------------------------------------------
SUMMARY
GAIM is a multi-protocol instant messaging client that is compatible with
AIM, ICQ, MSN Messenger, Jabber, and other protocols. The Gaim-Encryption
plugin provides transparent message encryption between two users.
The Gaim-Encryption plugin performs insufficient validation of the message
length supplied by a remote user. A negative length passes the plugin's bounds
check, so the NUL terminator is written to an attacker-influenced location in
the heap rather than at the end of the message buffer, and the message is then
read without a bound.
The most obvious impact of this vulnerability would be a denial of service
to the GAIM client. While this vulnerability is not likely to be
exploitable, exploitation cannot be ruled out.
Please note that Gaim-Encryption is not part of GAIM and is not developed
by GAIM.
DETAILS
Vulnerable systems:
* gaim-encryption 1.15 and earlier
Immune systems:
* gaim-encryption 1.16 and later
Detailed analysis:
The decrypt_msg function is responsible for decrypting encrypted GAIM
messages. It reads the message length from a user-supplied header using
sscanf. While some bounds checking is performed, a negative length is not
rejected: it satisfies the upper-bound comparison and is then used as the
index at which the message string is NUL-terminated. The zero byte is
therefore written at an arbitrary offset in memory rather than at the end of
the string where it belongs.
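The bug class described above, reconstructed as an added example. This is not the plugin's code: the "len:<N>:<payload>" header format, the MSG_MAX limit and the function names are invented for illustration, and the "decryption" is an identity copy because the cipher is irrelevant to the length bug. The vulnerable check is shown beside a hardened one that rejects negative and oversized lengths and verifies the payload really carries that many bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of the advisory's bug class.  The header format
 * "len:<N>:<payload>" is invented for this example and is not the
 * Gaim-Encryption wire format.
 */
#define MSG_MAX 256   /* assumed maximum plaintext length */

/*
 * Vulnerable pattern: the length lands in a signed int via sscanf and is
 * checked only against the upper bound, so a negative value passes.  The
 * caller would then execute buf[len] = '\0', writing a zero byte before the
 * heap buffer instead of at the end of the string.  This function only
 * reports whether the check is passed and what index would be used; it
 * performs no write.
 */
int vulnerable_len_check(const char *msg, int *len_out)
{
    int len;

    if (sscanf(msg, "len:%d:", &len) != 1)
        return 0;
    if (len > MSG_MAX)          /* -1 > 256 is false: check passed */
        return 0;
    *len_out = len;             /* original pattern: buf[len] = '\0' */
    return 1;
}

/*
 * Hardened check: reject negative and oversized lengths and make sure the
 * payload really carries len bytes, so neither the terminating write nor the
 * subsequent read can leave the buffer.
 */
int safe_len_check(const char *msg, size_t *len_out, size_t *payload_off)
{
    int len, consumed = 0;
    size_t total = strlen(msg);

    /* %n records how many bytes the header took; it is not counted in the
     * return value, so a successful parse still returns 1 */
    if (sscanf(msg, "len:%d:%n", &len, &consumed) != 1 || consumed == 0)
        return 0;
    if (len < 0 || len > MSG_MAX)
        return 0;
    if ((size_t)len > total - (size_t)consumed)   /* truncated message */
        return 0;
    *len_out = (size_t)len;
    *payload_off = (size_t)consumed;
    return 1;
}

/*
 * Safe decrypt_msg stand-in: copies exactly len payload bytes into a heap
 * buffer of MSG_MAX + 1 and terminates at out[len], which the check above
 * guarantees is inside the allocation.  Returns NULL on any invalid header.
 * The caller frees the result.
 */
char *decrypt_msg_safe(const char *msg)
{
    size_t len, off;
    char *out;

    if (!safe_len_check(msg, &len, &off))
        return NULL;
    out = malloc(MSG_MAX + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, msg + off, len);   /* bounded copy, never strlen/strcpy */
    out[len] = '\0';               /* terminator lands inside the buffer */
    return out;
}

int main(void)
{
    int bad_len;
    char *plain;

    /* constructed malicious header: negative length slips past the check */
    if (vulnerable_len_check("len:-1:evil", &bad_len))
        printf("vulnerable check passed with len=%d (would write buf[%d])\n",
               bad_len, bad_len);

    plain = decrypt_msg_safe("len:5:hello world");
    printf("safe decrypt: %s\n", plain ? plain : "(rejected)");
    free(plain);
    printf("safe decrypt of negative length: %s\n",
           decrypt_msg_safe("len:-1:evil") ? "accepted" : "rejected");
    return 0;
}
```

sscanf is kept here only to mirror the advisory's description; in new code, strtol with an ERANGE check is the stricter choice, since "%d" on an out-of-range value is undefined behaviour.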
Vendor status and information:
William Tompkins <bill AT icarion DOT com>
http://gaim-encryption.sourceforge.net/
The author was notified and a fixed version was released on March 16th,
2003.
Solution:
Upgrade to version 1.16 of the Gaim-Encryption plugin. Note that while a
patched version of 1.15 was released, some versions of 1.15 may still be
vulnerable.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.rapid7.com/advisories/R7-0013.html
The information has been provided by Rapid 7 Security Advisories
<advisory@rapid7.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.