TALOS-2016-0138
Pidgin MXIT Custom Resource Denial of Service Vulnerability
June 21, 2016
Report ID
CVE-2016-2370
Description
A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle can send invalid data to trigger this vulnerability.
CVSSv3 Score
5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Tested Versions
Pidgin 2.10.11
Product URLs
https://www.pidgin.im/
Details
The function mxit_chunk_parse_cr() in the file mxit/chunk.c is used to parse custom resources such as a new splash image. These types of resources are sent as part of a multimedia packet.
At line 573 the length of the chunk is read from the chunk being parsed without any bounds check. This chunk can contain one or more resource chunks, each of which is located at line 577. The size of each resource chunk is stored in its header, and again that size is read without bounds checks at lines 587 and 604:
573     pos += get_int32( &chunkdata[pos], &chunklen );

        /* parse the resource chunks */
        while ( chunklen > 0 ) {
577         gchar* chunk = &chunkdata[pos];

            /* start of chunk data */
            pos += MXIT_CHUNK_HEADER_SIZE;

582         switch ( chunk_type( chunk ) ) {
                case CP_CHUNK_SPLASH : /* splash image */
                {
                    struct splash_chunk* splash = g_new0( struct splash_chunk, 1 );
587                 mxit_chunk_parse_splash( &chunkdata[pos], chunk_length( chunk ), splash );
                    cr->resources = g_list_append( cr->resources, splash );
                    break;
                }
                case CP_CHUNK_CLICK : /* splash click */
                {
                    struct splash_click_chunk* click = g_new0( struct splash_click_chunk, 1 );
                    cr->resources = g_list_append( cr->resources, click );
                    break;
                }
                default:
                    purple_debug_info( MXIT_PLUGIN_ID, "Unsupported custom resource chunk received (%i)\n", chunk_type( chunk ) );
            }

            /* skip over data to next resource chunk */
604         pos += chunk_length( chunk );
            chunklen -= ( MXIT_CHUNK_HEADER_SIZE + chunk_length( chunk ) );
The unchecked length is then used to access data in the chunk at lines 582 and 587, resulting in an out-of-bounds read. Because the data read is not sent back to the server, an information leak is unlikely; however, a denial of service can result when the out-of-bounds access lands in memory that is not an allocated region.
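As an added illustration of the missing checks (this is example code written for this advisory, not Pidgin's own chunk.c), the walk below validates the outer length against the buffer and each resource length against what remains of the outer chunk before touching any payload. It assumes the layout described above: a 4-byte big-endian outer length followed by resource chunks of a 1-byte type, a 4-byte big-endian length and the payload (MXIT_CHUNK_HEADER_SIZE taken as 5); the CP_CHUNK_* values are placeholders.

```c
/* Added example, not Pidgin's code: a bounds-checked walk over the custom
 * resource list from the advisory.  Assumed layout: a 4-byte big-endian
 * outer length, then resource chunks of 1-byte type + 4-byte big-endian
 * length + payload (MXIT_CHUNK_HEADER_SIZE == 5). */
#include <stddef.h>
#include <stdint.h>

#define MXIT_CHUNK_HEADER_SIZE 5
#define CP_CHUNK_SPLASH 0   /* placeholder type ids, not MXIT's real values */
#define CP_CHUNK_CLICK  1

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of resource chunks that lie entirely inside
 * chunkdata[0..datalen), or -1 as soon as a length field would carry the
 * parser past the end of the buffer (the check the vulnerable code lacks). */
int parse_cr_checked(const unsigned char *chunkdata, size_t datalen,
                     int *splash_count, int *click_count) {
    size_t pos = 0;
    int n = 0;
    *splash_count = *click_count = 0;
    if (datalen < 4) return -1;                       /* no outer length */
    uint32_t chunklen = get_be32(chunkdata);
    pos += 4;
    if (chunklen > datalen - pos) return -1;          /* outer length too big */
    while (chunklen > 0) {
        if (chunklen < MXIT_CHUNK_HEADER_SIZE) return -1;   /* cut-off header */
        const unsigned char *chunk = &chunkdata[pos];
        uint32_t reslen = get_be32(chunk + 1);
        if (reslen > chunklen - MXIT_CHUNK_HEADER_SIZE) return -1; /* overruns */
        pos += MXIT_CHUNK_HEADER_SIZE;
        switch (chunk[0]) {
        case CP_CHUNK_SPLASH: (*splash_count)++; break;
        case CP_CHUNK_CLICK:  (*click_count)++;  break;
        default: break;                   /* unsupported type: skip its payload */
        }
        pos += reslen;
        chunklen -= MXIT_CHUNK_HEADER_SIZE + reslen;
        n++;
    }
    return n;
}

/* Constructed sample packets (not captured traffic). */
const unsigned char SAMPLE_OK[] = {0,0,0,13, 0,0,0,0,3,'a','b','c', 1,0,0,0,0};
const unsigned char SAMPLE_BAD_OUTER[] = {0,0,0,13, 0,0,0,0,3,'a'};
const unsigned char SAMPLE_BAD_INNER[] = {0,0,0,13, 0,0,0,0,255,'a','b','c', 1,0,0,0,0};
```

SAMPLE_BAD_OUTER declares 13 bytes of resources in a 10-byte buffer and SAMPLE_BAD_INNER declares a 255-byte splash inside a 13-byte list; both are rejected before any payload is read.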
Credit
Discovered by Yves Younan of Cisco Talos.
Timeline
2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure