Message-ID: <OF0606A236.25414A6C-ON88256D06.001E4161-88256D06.001E51CD@hq.rapid7.com>
Date: Fri, 11 Apr 2003 22:40:59 -0700
From: "Rapid 7 Security Advisories" <advisory@...id7.com>
To: bugtraq@...urityfocus.com
Subject: R7-0013: Heap Corruption in Gaim-Encryption Plugin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory

      Visit http://www.rapid7.com/ to download NeXpose, the
           world's most advanced vulnerability scanner.
       Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0013
Heap Corruption in Gaim-Encryption Plugin

   Published:  April 11, 2003
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0013.html

   CVE:           CAN-2003-0163
   Bugtraq ID:    7182

1. Affected system(s):

   KNOWN VULNERABLE:
    o gaim-encryption 1.15 and earlier

   NOT VULNERABLE:
    o gaim-encryption 1.16 and later

2. Summary

   GAIM is a multi-protocol instant messaging client that is
   compatible with AIM, ICQ, MSN Messenger, Jabber, and other
   protocols.  The Gaim-Encryption plugin provides transparent
   message encryption between two users.
 
   The Gaim-Encryption plugin does insufficient validation on the
   message length parameter supplied by a remote user.  This allows
   an arbitrary heap location to be overwritten with a zero byte
   and will also cause an unbounded read into the heap.

   The most obvious impact of this vulnerability would be a denial
   of service to the GAIM client.  While this vulnerability is not
   likely to be exploitable, exploitation cannot be ruled out.

   Please note that Gaim-Encryption is not part of GAIM and is not
   developed by GAIM.

3. Vendor status and information

   William Tompkins <bill AT icarion DOT com>
   http://gaim-encryption.sourceforge.net/

   The author was notified and a fixed version was released on
   March 16th, 2003.

4. Solution

   Upgrade to version 1.16 of the Gaim-Encryption plugin.  Note that
   while a patched version of 1.15 was released, some versions of
   1.15 may still be vulnerable.

5. Detailed analysis

   The decrypt_msg function is responsible for decrypting encrypted
   GAIM messages.  It reads the message length from a user-supplied
   header using sscanf.  While some bounds checking is performed, a
   negative length is not properly handled.  This causes the NUL
   termination of the message string to place a zero byte in an
   arbitrary location in memory rather than at the end of the string
   where it belongs.
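   The following is an added illustration of the bug class described
   above, not the gaim-encryption source: a length check that tests only
   the upper bound accepts a negative value read with sscanf("%d"), so the
   later msg[len] = '\0' lands before the buffer; an explicit sign check
   closes it, and a length-versus-input check prevents the unbounded read.
   The "<len>:<body>" header layout, the buffer size and all function
   names are assumptions for the example, not the plugin's real format.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the example; not a value from the plugin. */
#define MSG_BUF_SIZE 4096

/* Bounds check in the style the advisory describes: upper bound only.
 * A negative length parsed by sscanf("%d") passes this test, so the
 * caller would later write msg[len] = '\0' before the buffer.  Returns 1
 * when the length would be accepted.  No memory is touched here. */
int weak_length_check(int len, size_t buf_size)
{
    if (len > (int)buf_size - 1)
        return 0;
    return 1;
}

/* Hardened check: reject negative values explicitly and keep the upper
 * bound, so that msg[len] always lies inside the buffer. */
int hardened_length_check(long len, size_t buf_size)
{
    if (len < 0)
        return 0;
    if ((unsigned long)len > buf_size - 1)
        return 0;
    return 1;
}

/* Parse the assumed "<len>:<body>" header with strtol instead of
 * sscanf("%d"): strtol reports overflow via errno and returns the parse
 * position, so empty numbers, a wrong separator and out-of-range values
 * can all be rejected.  Returns the validated length, or -1 when the
 * header must be discarded. */
long parse_msg_len(const char *hdr, size_t buf_size)
{
    char *end;
    long len;

    errno = 0;
    len = strtol(hdr, &end, 10);
    if (end == hdr || *end != ':')
        return -1;                  /* no digits, or wrong separator */
    if (errno == ERANGE)
        return -1;                  /* numeric overflow */
    if (!hardened_length_check(len, buf_size))
        return -1;                  /* negative or too large */
    return len;
}

/* Copy the body into a fixed buffer only after the length was validated
 * and checked against the input actually present, then NUL-terminate at
 * msg[len], which is now guaranteed to be in bounds.  Returns 0 on
 * success, -1 if the header is invalid or the body is shorter than
 * claimed (which would otherwise become the unbounded read). */
int extract_body(const char *hdr, char *msg, size_t buf_size)
{
    long len = parse_msg_len(hdr, buf_size);
    const char *body;

    if (len < 0)
        return -1;
    body = strchr(hdr, ':') + 1;
    if (strlen(body) < (size_t)len)
        return -1;                  /* truncated input */
    memcpy(msg, body, (size_t)len);
    msg[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample headers for the demonstration. */
    const char *good = "5:hello world";
    const char *negative = "-1:x";
    char msg[MSG_BUF_SIZE];

    printf("weak check accepts -1:     %d\n", weak_length_check(-1, MSG_BUF_SIZE));
    printf("hardened check accepts -1: %d\n", hardened_length_check(-1, MSG_BUF_SIZE));
    if (extract_body(good, msg, sizeof msg) == 0)
        printf("body: \"%s\"\n", msg);
    printf("negative header rejected:  %d\n", extract_body(negative, msg, sizeof msg) != 0);
    return 0;
}
```

   The two checks differ only in the sign test, which is the whole point:
   a signed comparison against an upper bound is not a bounds check.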

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@...id7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPpcmgiT52JC2U8wAEQKc4ACfbhx2R3ogtcV71xymR/ExjqSckQIAoIxh
GuzV+92KF3r6hFJ3dTZGRFVs
=J9Hm
-----END PGP SIGNATURE-----

