[UNIX] Gaim Buffer Over-Reading and Code Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 04/04/05
To: list@securiteam.com
Date: 4 Apr 2005 12:10:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Gaim Buffer Over-Reading and Code Injection
------------------------------------------------------------------------
SUMMARY
<http://gaim.sourceforge.net/> Gaim is "a multi-protocol instant
messaging (IM) client for Linux, BSD, MacOS X, and Windows. It is
compatible with AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo!, IRC,
Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks".
Gaim can be made to read beyond the end of a buffer (a buffer over-read),
and because the IRC protocol plugin does not escape markup, remote users
can inject simple HTML/Pango markup into the conversation window and into
dialog boxes.
DETAILS
Vulnerable Systems:
 * Gaim version 1.2.0 (prior versions may be vulnerable as well)
Buffer Overread:
A programming error in gaim_markup_strip_html() causes a buffer over-read
when stripping a string that contains malformed HTML tags. A remote user
can trigger it to crash the program with an "access violation" error
message, i.e. a denial of service.
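To make the over-read concrete, here is an added illustration (my own
simplified tag stripper, not Gaim's actual gaim_markup_strip_html() source):
a stripper whose inner loop scans for '>' without checking for the string
terminator, beside a version that does. The input with the unterminated
"<b" tag is constructed; the bytes placed after its terminator stand in for
whatever happens to follow the string in memory, which in a real process
may be an unmapped page (hence the "access violation"). Function names and
the return-value convention are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative stripper, NOT Gaim's gaim_markup_strip_html(): copies 'in'
   to 'out', dropping everything between '<' and '>'. Returns the number
   of input bytes examined so the over-read is observable.
   BUG: the inner loop looks for '>' without checking for '\0', so an
   unterminated tag walks past the end of the string. */
size_t strip_html_unsafe(const char *in, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    while (in[i] != '\0') {
        if (in[i] == '<') {
            while (in[i] != '>')      /* no terminator check */
                i++;
            i++;                      /* skip the '>' */
            continue;
        }
        if (o + 1 < outlen)
            out[o++] = in[i];
        i++;
    }
    out[o] = '\0';
    return i;
}

/* Hardened form: the inner loop stops at the terminator as well. */
size_t strip_html_safe(const char *in, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    while (in[i] != '\0') {
        if (in[i] == '<') {
            while (in[i] != '\0' && in[i] != '>')
                i++;
            if (in[i] == '>')
                i++;
            continue;
        }
        if (o + 1 < outlen)
            out[o++] = in[i];
        i++;
    }
    out[o] = '\0';
    return i;
}

/* Constructed input: an unterminated "<b" tag, then the terminator, then
   bytes that merely sit after the string in memory (index 8 is the NUL,
   index 15 is a stray '>', index 16 the array's own terminator). */
static const char MALFORMED[] = "hello <b\0 world>";

size_t bytes_examined_unsafe(void)
{
    char out[32];
    return strip_html_unsafe(MALFORMED, out, sizeof out);
}

size_t bytes_examined_safe(void)
{
    char out[32];
    return strip_html_safe(MALFORMED, out, sizeof out);
}

/* Sanity check that the hardened version still strips well-formed tags. */
int safe_strips_wellformed(void)
{
    char out[32];
    strip_html_safe("a <b>bold</b> c", out, sizeof out);
    return strcmp(out, "a bold c") == 0;
}

int main(void)
{
    printf("strlen(input)   = %zu\n", strlen(MALFORMED));
    printf("unsafe examined = %zu bytes\n", bytes_examined_unsafe());
    printf("safe examined   = %zu bytes\n", bytes_examined_safe());
    return 0;
}
```

The unsafe version reports 16 bytes examined for an 8-byte string: it ran
through the terminator and only stopped because a '>' happened to be
within reach. With no such byte nearby it keeps going until it faults.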
Code Injection:
In several places, the IRC protocol plugin handles user messages without
escaping markup (the list might not be exhaustive):
irc_msg_kick()
irc_msg_mode()
irc_msg_part()
irc_msg_quit()
irc_msg_invite()
Because irc_msg_kick(), irc_msg_mode(), irc_msg_part() and irc_msg_quit()
do not escape their input, any remote user can inject Gaim markup into the
conversation window (annoying) and, provided that the conversation is being
logged, trigger the gaim_markup_strip_html() buffer over-read (the text
logger calls gaim_markup_strip_html() in txt_logger_write()).
Because irc_msg_invite() does not escape its input, any remote user can
inject Pango markup into a GTK+ dialog box. Fortunately, since IRC channel
names cannot contain spaces, the user cannot insert things such as
<span size="$huge">foo</span> (which would cause the program to crash). He
can, however, pop up empty dialog boxes by injecting malformed markup.
In several places, the IRC protocol plugin handles server messages without
escaping markup (the list is not exhaustive):
irc_msg_badmode()
irc_msg_banned()
irc_msg_unknown()
irc_msg_nochan()
This allows any malicious IRC server operator to inject Pango markup into
a GTK+ dialog box. The attacker can insert things such as
<span size="1000000000">foo</span> to crash the program: any remote IRC
server operator can make the victim's Gaim instance crash simply by
requesting a huge font size from Pango.
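The fix for both injection findings above (the user-message handlers such
as irc_msg_kick() and the server-message handlers such as irc_msg_nochan())
is the same: escape text taken from the wire before it reaches the markup
renderer. The following is an added example, not Gaim's code: a small
escaping routine in the spirit of GLib's g_markup_escape_text(), applied to
a constructed KICK line and to a constructed server error text carrying the
huge Pango size attribute from the advisory. The helper names, the
conversation-line wording and the sample lines are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement for the characters markup treats specially; NULL means the
   byte passes through. Illustrative routine, not Gaim's or GLib's code. */
static const char *escape_for(char c)
{
    switch (c) {
    case '&': return "&amp;";
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '"': return "&quot;";
    default:  return NULL;
    }
}

/* Escape s for inclusion in markup. Caller frees the result. */
char *markup_escape(const char *s)
{
    size_t n = 0;
    const char *p;
    char *out, *q;

    for (p = s; *p != '\0'; p++) {
        const char *e = escape_for(*p);
        n += e ? strlen(e) : 1;
    }
    if ((out = malloc(n + 1)) == NULL)
        return NULL;
    for (p = s, q = out; *p != '\0'; p++) {
        const char *e = escape_for(*p);
        if (e != NULL) {
            memcpy(q, e, strlen(e));
            q += strlen(e);
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* The trailing parameter of an IRC line (after " :") is free text chosen
   by whoever sent it: the KICK reason, PART/QUIT message, and so on. */
const char *irc_trailing(const char *line)
{
    const char *t = strstr(line, " :");
    return t != NULL ? t + 2 : "";
}

/* Assumed conversation-window wording; the real plugin's differs. */
static char *format_kick_line(const char *kicker, const char *victim,
                              const char *reason)
{
    size_t len = strlen(kicker) + strlen(victim) + strlen(reason)
               + sizeof(" has kicked : ");
    char *msg = malloc(len);
    if (msg != NULL)
        snprintf(msg, len, "%s has kicked %s: %s", kicker, victim, reason);
    return msg;
}

/* Vulnerable pattern from the advisory: wire text goes to the markup
   renderer as-is, so "<b>" in the reason is interpreted, not shown. */
char *format_kick_vulnerable(const char *kicker, const char *victim,
                             const char *line)
{
    return format_kick_line(kicker, victim, irc_trailing(line));
}

/* Hardened form: every wire-derived field is escaped first. Nicks are
   charset-restricted by IRC, but escaping them too costs nothing. */
char *format_kick_fixed(const char *kicker, const char *victim,
                        const char *line)
{
    char *k = markup_escape(kicker);
    char *v = markup_escape(victim);
    char *r = markup_escape(irc_trailing(line));
    char *msg = (k && v && r) ? format_kick_line(k, v, r) : NULL;
    free(k);
    free(v);
    free(r);
    return msg;
}

/* Constructed sample: a KICK whose reason carries markup. */
static const char SAMPLE_KICK[] =
    ":mallory!m@example.net KICK #chan alice :<b>bye</b>";

int main(void)
{
    char *bad = format_kick_vulnerable("mallory", "alice", SAMPLE_KICK);
    char *good = format_kick_fixed("mallory", "alice", SAMPLE_KICK);
    char *srv = markup_escape("<span size=\"1000000000\">foo</span>");
    printf("vulnerable: %s\nfixed:      %s\nserver msg: %s\n", bad, good, srv);
    free(bad);
    free(good);
    free(srv);
    return 0;
}
```

Escaping at the point where wire text meets the renderer, rather than
filtering specific tags, also neutralises the "<span size=...>" case from
a hostile server, because the attribute never reaches Pango as markup.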
ADDITIONAL INFORMATION
The information has been provided by <mailto:jylefort@brutele.be>
Jean-Yves Lefort.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.