[17645] in bugtraq


Advisory: Gaim remote vulnerability

daemon@ATHENA.MIT.EDU (Stan Bubrouski)
Tue Nov 14 00:56:24 2000

Message-ID:  <00111321543000.09359@linux>
Date:         Mon, 13 Nov 2000 21:49:23 -0500
Reply-To: stan@ccs.neu.edu
From: Stan Bubrouski <stan@ccs.neu.edu>
To: BUGTRAQ@SECURITYFOCUS.COM


Author:   Stan Bubrouski (stan@ccs.neu.edu)
Date:     November 9, 2000
Package:  Gaim
Versions affected:  0.10.3 (current) and previous 0.10.x versions.
Severity:  A remote user could execute arbitrary code (shellcode) with the privileges of the user running Gaim.

Problem:  There is a buffer overflow in Gaim's parsing of HTML tags when using the OSCAR
protocol. A received message containing an over-long HTML tag (e.g. <AAAA...AAA>) overflows a
fixed-size buffer of about 4100 bytes (the local array tag[BUF_LONG] in gtkhtml.c) and can be
used to execute shellcode. Due to the way AIM's protocols work, exploiting this is possible but
difficult, because:
1) All communication aside from file transfers is done anonymously through the AIM server; the
    two clients never exchange IP addresses.
2) A special client would have to be constructed to log in to the AIM servers and send the
    specially crafted message required to exploit this.
3) TOC is the default protocol used by Gaim, and it is not vulnerable to this overflow; only the
    OSCAR code path is affected.
4) Determining which client a user is running is difficult in most circumstances.
5) Because the server sits between the two clients, an exploit cannot simply bind a shell on the
     victim and connect to it: the attacker has no direct route to the victim's host. A payload
     that connects back, such as a remote xterm sent to the attacker's display, would do the trick.

No known exploits for this currently exist.

Solution:  The overflow is fixed in the Gaim CVS tree as of 11/10/2000, and a patch (provided
by Eric Warmenhoven of the gaim project) is attached below for versions 0.10.3 and before. The
fix replaces the fixed-size local array tag[BUF_LONG] in gtkhtml.c with a heap buffer of
strlen(text) + 2 bytes, allocated and freed alongside the existing ws buffer, so the tag copy is
bounded by the length of the message being parsed rather than by a constant.

Latest version of this advisory and patch are available at:
Advisory: 	http://www.ccs.neu.edu/home/stan/security/gaim/index.html
Patch:		http://www.ccs.neu.edu/home/stan/security/gaim/gaimfix.patch
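As an added illustration of the flaw described under Problem and of the bound the fix under Solution relies on (this is example code written for this page, not Gaim's gtkhtml.c and not the patch author's code), the following C program scans a message for <...> tags the way a renderer that isolates tags before interpreting them would, but copies each tag into a heap buffer of strlen(text) + 2 bytes, the same sizing the patch uses. It also records the longest tag it saw, so one can check whether a given message would have overrun a fixed buffer in the pre-fix code. The 4096-byte limit is an assumption standing in for BUF_LONG, whose value the advisory gives only as "about 4100"; the sample messages are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the original fixed-size tag buffer. The advisory says only
 * "about 4100" and the patch shows the name BUF_LONG, not its value. */
#define ASSUMED_BUF_LONG 4096

struct tag_scan {
    size_t tag_count;    /* number of '<'-initiated tags seen                   */
    size_t longest_tag;  /* bytes in the longest tag, from '<' to '>' inclusive */
    int    unterminated; /* 1 if the message ended inside a tag                 */
};

/* Copy every '<'...'>' run of `text` into a scratch buffer. The buffer is
 * sized strlen(text) + 2, the bound the Gaim fix uses: a tag is a substring
 * of the message, so it can never exceed strlen(text) bytes, and one more
 * byte holds the terminator. Returns 0 on success, -1 on allocation failure. */
int scan_tags(const char *text, struct tag_scan *out)
{
    size_t len = strlen(text);
    char *tag = malloc(len + 2);
    if (tag == NULL)
        return -1;
    memset(out, 0, sizeof *out);

    const char *c = text;
    while (*c) {
        if (*c != '<') {
            c++;
            continue;
        }
        size_t n = 0;
        /* n never exceeds len: every iteration consumes one input byte. */
        while (*c && *c != '>')
            tag[n++] = *c++;
        if (*c == '>')
            tag[n++] = *c++;
        else
            out->unterminated = 1;
        tag[n] = '\0';
        out->tag_count++;
        if (n > out->longest_tag)
            out->longest_tag = n;
    }
    free(tag);
    return 0;
}

size_t count_tags(const char *text)
{
    struct tag_scan s;
    return scan_tags(text, &s) == 0 ? s.tag_count : 0;
}

size_t longest_tag_len(const char *text)
{
    struct tag_scan s;
    return scan_tags(text, &s) == 0 ? s.longest_tag : 0;
}

/* 1 if the message would overrun a fixed tag buffer of `limit` bytes in the
 * pre-fix code, i.e. the longest tag plus its terminator does not fit. */
int would_overflow_fixed_buffer(const char *text, size_t limit)
{
    struct tag_scan s;
    if (scan_tags(text, &s) != 0)
        return -1;
    return s.longest_tag + 1 > limit;
}

/* Constructed message of the shape the advisory describes: '<', n 'A's, '>',
 * then a short body. Returns the overflow verdict for a buffer of `limit`. */
int long_tag_would_overflow(size_t n, size_t limit)
{
    const char *body = " hello";
    char *m = malloc(n + 2 + strlen(body) + 1);
    if (m == NULL)
        return -1;
    m[0] = '<';
    memset(m + 1, 'A', n);
    m[n + 1] = '>';
    strcpy(m + n + 2, body);
    int r = would_overflow_fixed_buffer(m, limit);
    free(m);
    return r;
}

int main(void)
{
    /* Constructed sample messages, not captured AIM traffic. */
    const char *benign = "<B>hi</B> <A HREF=\"http://example.invalid\">link</A>";
    printf("benign: %zu tags, longest %zu bytes, overflow=%d\n",
           count_tags(benign), longest_tag_len(benign),
           would_overflow_fixed_buffer(benign, ASSUMED_BUF_LONG));
    printf("4200-byte tag: overflow=%d\n",
           long_tag_would_overflow(4200, ASSUMED_BUF_LONG));
    return 0;
}
```

The point of the sizing is that no per-tag length check is needed once the buffer is at least as large as the whole message: the copy loop cannot write more bytes than it reads. A fixed buffer, by contrast, needs either a truncation check inside the copy loop or a pre-scan like the one above.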

©2000 Stan Bubrouski

--
Stan Bubrouski                                       stan@ccs.neu.edu
316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222


gaimfix.patch (attachment, decoded from base64):

Index: gtkhtml.c
===================================================================
RCS file: /cvsroot/gaim/gaim/src/gtkhtml.c,v
retrieving revision 1.76
diff -u -r1.76 gtkhtml.c
--- gtkhtml.c	2000/11/03 10:46:58	1.76
+++ gtkhtml.c	2000/11/10 02:58:08
@@ -3193,7 +3193,7 @@
 	GdkFont *cfont;
 	GdkRectangle area;
 	char *ws,
-	  tag[BUF_LONG],
+	  *tag,
 	 *c,
 	 *url = NULL;
 	gint intag = 0,
@@ -3237,6 +3237,7 @@
 	c = text;
 
 	ws = g_malloc(strlen(text) + 2);
+	tag = g_malloc(strlen(text) + 2);
 
 	while (*c)
 	{
@@ -3681,6 +3682,7 @@
 
 
 	g_free(ws);
+	g_free(tag);
 
 	gdk_window_get_size(html->html_area, NULL, &height);
 	area.height = height;
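Review bot: in the @@ -3193,7 +3193,7 @@ hunk, turning tag[BUF_LONG] into the pointer *tag leaves tag uninitialized from its declaration until the g_malloc some forty lines later, and this hunk does not show whether anything in that window touches it. Initializing it in the declaration, as the adjacent *url = NULL already does, would make a stray g_free harmless and a stray dereference fail loudly instead of reading garbage.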
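Review bot: the @@ -3237,6 +3237,7 @@ hunk sizes the new buffer as strlen(text) + 2, mirroring ws, which is only sufficient if the loop that fills tag writes at most one byte per input byte plus a terminator (true for a verbatim copy, not if the code expands entities or pads). That invariant is not visible in the hunk; a one-line comment at the allocation saying that a tag cannot be longer than the message containing it would document why the bound is safe. No NULL check is needed, since g_malloc aborts rather than returning NULL on failure.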
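Review bot: the @@ -3681,6 +3682,7 @@ hunk frees tag only on the normal exit path; any return between the allocation at line 3237 and this point now leaks tag, exactly as it would already leak ws. The roughly 440 lines in between should be checked for early returns, or routed through a single exit that frees both buffers.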
