lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <42854A04.7080304@valhallalegends.com>
Date: Fri, 13 May 2005 19:44:52 -0500
From: Ron <iago@...hallalegends.com>
To: bugtraq@...urityfocus.com
Subject: Gaim 1.2.1 -- PoC Stack Overflow

Product: Gaim
Version: 1.2.1
Remote: Yes
Effect: DoS, potential arbitrary code execution
Date: May 13, 2005


I was looking at the stack overflow reported in Gaim 1.2.1.  It's 
actually pretty trivial to find.  The line that contains it looks like 
this:

strcpy(url_buf, gurl_buf->str);

url_buf is a 8192-byte buffer, and gurl_buf->str is an email address 
that is being displayed (user controlled).

The difficulty in writing a real exploit is that the input is sanitized, 
so any character over 128, as well as ' ', ',', '\n', '<', and others 
are stripped away.  This doesn't leave much to play with, although I'm 
still confident that it would be possible to write an exploit under 
these conditions.  I just don't have the motivation to do it :)

Another difficulty is that most chat protocols limit you to a reasonable 
message size, and 8192 is typically well above that size.  So even if 
you could successfully create an exploit, you would still have to do it 
on a chat protocol that allows very long messages.
The final difficulty is that you also process the URL locally, when you 
send it, but that's not really a big deal.  It would be trivial to 
filter it out in a plugin to make sure you don't crash yourself.

For this example, I just threw together a quick plugin (based on an old 
plugin I wrote, which is why it's such a mess) which sends a 
10002-character email address when the user types "/vuln".  Gaim crashes 
at the address 0x41414141.

-------------------
(gdb) run
Starting program: /usr/local/bin/gaim
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 24908)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 24908)]
0x41414141 in ?? ()
-------------------

So in a real situation, this can be done.  It's just difficult.

If anybody is actually able to use this for anything, please let me 
know.  I'd be interested how this can be exploited.

-Ron

View attachment "vuln-plugin.c" of type "text/plain" (12783 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ