R7-0013: Heap Corruption in Gaim-Encryption Plugin

From: Rapid 7 Security Advisories (advisory@rapid7.com)
Date: 04/12/03

  • Next message: SGI Security Coordinator: "Brocade Firmware SNMP Vulnerability"
    To: bugtraq@securityfocus.com
    From: "Rapid 7 Security Advisories" <advisory@rapid7.com>
    Date: Fri, 11 Apr 2003 22:40:59 -0700

    Hash: SHA1

                         Rapid7, Inc. Security Advisory

          Visit http://www.rapid7.com/ to download NeXpose, the
               world's most advanced vulnerability scanner.
           Linux and Windows 2000/XP versions are available now!

    Rapid7 Advisory R7-0013
    Heap Corruption in Gaim-Encryption Plugin

       Published: April 11, 2003
       Revision: 1.0

       CVE: CAN-2003-0163
       Bugtraq ID: 7182

    1. Affected system(s):

        o gaim-encryption 1.15 and earlier

        o gaim-encryption 1.16 and later

    2. Summary

       GAIM is a multi-protocol instant messaging client that is
       compatible with AIM, ICQ, MSN Messenger, Jabber, and other
       protocols. The Gaim-Encryption plugin provides transparent
       message encryption between two users.
       The Gaim-Encryption plugin does insufficient validation on the
       message length parameter supplied by a remote user. This allows
       an arbitrary heap location to be overwritten with a zero byte
       and will also cause an unbounded read into the heap.

       The most obvious impact of this vulnerability would be a denial
       of service to the GAIM client. While this vulnerability is not
       likely to be exploitable, exploitation cannot be ruled out.

       Please note that Gaim-Encryption is not part of GAIM and is not
       developed by GAIM.

    3. Vendor status and information

       William Tompkins <bill AT icarion DOT com>

       The author was notified and a fixed version was released on
       March 16th, 2003.

    4. Solution

       Upgrade to version 1.16 of the Gaim-Encryption plugin. Note that
       while a patched version of 1.15 was released, some versions of
       1.15 may still be vulnerable.

    5. Detailed analysis

       The decrypt_msg function is responsible for decrypting encrypted
       GAIM messages. It reads the message length from a user-supplied
       header using sscanf. While some bounds checking is performed, a
       negative length is not properly handled. This causes the NUL
       termination of the message string to place a zero byte in an
       arbitrary location in memory rather than at the end of the string
       where it belongs.

    6. Contact Information

       Rapid7 Security Advisories
       Email: advisory@rapid7.com
       Web: http://www.rapid7.com/
       Phone: +1 (212) 558-8700

    8. Disclaimer and Copyright

       Rapid7, Inc. is not responsible for the misuse of the information
       provided in our security advisories. These advisories are a service
       to the professional security community. There are NO WARRANTIES
       with regard to this information. Any application or distribution of
       this information constitutes acceptance AS IS, at the user's own
       risk. This information is subject to change without notice.

       This advisory Copyright (C) 2003 Rapid7, Inc. Permission is
       hereby granted to redistribute this advisory, providing that no
       changes are made and that the copyright notices and disclaimers
       remain intact.

    Version: PGP 8.0

    -----END PGP SIGNATURE-----

  • Next message: SGI Security Coordinator: "Brocade Firmware SNMP Vulnerability"