Info
Last Modified: about 1 year ago
Description
A remote heap overflow exists in the GAIM instant messaging client. GAIM 0.75 fails to handle malformed quoted-printable input in its MIME decoder, resulting in a heap overflow. With a specially crafted message, a remote attacker can cause the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.
Classification
Location: Remote/Network Access Required
Attack Type: Authentication Management, Input Manipulation, Other
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Unavailable
Technical
When the MIME decoder decodes a quoted-printable encoded string for an email notification, two different kinds of overflow can be triggered.

Affected version: 0.75 (only)
File: gaim/src/util.c
Function: gaim_quotedp_decode()
Code:

    void gaim_quotedp_decode(const char *str, char **ret_str, int ...
    {
        char *p, *n, *new;

        /* one output byte budgeted per input byte */
        n = new = g_malloc(strlen(str) + 1);

        for (p = (char *)str; *p; p++, n++) {
            if (*p == '=') {
                /* stores a whole int (4 bytes) through a char pointer */
                sscanf(p + 1, "%2x\n", (int *)n);
                /* skips two bytes whether or not sscanf() consumed them */
                p += 2;
            } else if (*p == '_')
                *n = ' ';
            else
                *n = *p;
        }
        *n = '\0';
        ...

The first problem is the sscanf() call. The "%2x" conversion parses at most two hex digits, but it stores a full int (4 bytes) through the (int *)n cast, while the decoder budgeted only one output byte per input byte. When an '=' sequence sits near the end of the input, those 4 bytes extend past the end of the g_malloc()ed buffer. The author did not anticipate malformed input such as "\1" (where the backslash is a literal backslash, not an escape); because the decoded value is at most 0xff, the excess bytes written are zeros, and one or two zero bytes land past the buffer boundary. On Linux this is exploitable like any other heap off-by-one that corrupts adjacent malloc() chunk headers.

The second problem is that "p += 2" executes no matter how many characters sscanf() actually consumed: together with the loop's own p++ the decoder always advances three bytes after an '='. If the '=' is one of the last two characters of the string, p jumps over the terminating zero byte and the loop keeps copying whatever memory follows the string into the undersized buffer. With specially prepared memory after the string, this allows an attacker to overwrite the heap with an arbitrary number of bytes.
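The following C program is an added example and is not GAIM code or the 0.76 fix. simulate_original() walks an input string exactly as the 0.75 loop does (buffer of strlen+1, output pointer lagging two bytes per "=XX" triple) and reports, without performing any out-of-bounds write, how many bytes the 4-byte sscanf() store would land past the buffer and whether "p += 2" would jump over the terminating NUL. As a simplification it counts a store whenever at least one hex digit follows the '=', ignoring sscanf()'s whitespace skipping and "0x" prefix handling. qp_decode_safe() is one way to harden the decoder: verify both hex digits before decoding, write exactly one byte, and advance only past characters actually consumed. The sample inputs are constructed; the function and type names are ours.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not GAIM code. Models the two bugs in the 0.75 decoder
 * without performing the out-of-bounds writes, and shows a hardened decoder. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

typedef struct {
    int overrun;    /* bytes the 4-byte sscanf store would land past the buffer */
    int skips_nul;  /* 1 if "p += 2" would jump over the terminating zero byte */
} sim_result;

/* Walks the input as the original loop does (p advances, n lags by two per
 * "=XX" triple, buffer is strlen+1) and records what the original would do.
 * Assumption/simplification: a store is counted whenever at least one hex
 * digit follows the '='; sscanf's whitespace skipping and "0x" prefix
 * handling are ignored. */
sim_result simulate_original(const char *str)
{
    size_t len = strlen(str), bufsize = len + 1;
    sim_result r = { 0, 0 };
    size_t n = 0;

    for (size_t p = 0; p < len; p++, n++) {
        if (str[p] != '=')
            continue;
        /* sscanf("%2x", (int *)n) stores sizeof(int) bytes where one was budgeted */
        if (p + 1 < len && hexval((unsigned char)str[p + 1]) >= 0) {
            size_t store_end = n + sizeof(int);
            if (store_end > bufsize && (int)(store_end - bufsize) > r.overrun)
                r.overrun = (int)(store_end - bufsize);
        }
        /* "p += 2" plus the loop's p++ always skips three bytes; if the '=' is
         * one of the last two characters that lands beyond the terminator and
         * the original loop would read on into whatever follows the string. */
        if (p + 2 >= len) {
            r.skips_nul = 1;
            break;
        }
        p += 2;
    }
    return r;
}

typedef struct {
    char *data;
    size_t len;     /* decoded length; data may legitimately contain NUL bytes */
} qp_buf;

/* Hardened decoder (our suggestion, not the 0.76 fix): decodes "=XX" only
 * after checking that two hex digits are present, writes exactly one byte,
 * and advances the input index only past characters it actually consumed.
 * Each input byte yields at most one output byte, so strlen(str)+1 is safe. */
qp_buf qp_decode_safe(const char *str)
{
    size_t len = strlen(str);
    qp_buf out = { malloc(len + 1), 0 };
    if (out.data == NULL)
        return out;

    for (size_t p = 0; p < len; p++) {
        int hi, lo;
        if (str[p] == '=' && p + 2 < len
            && (hi = hexval((unsigned char)str[p + 1])) >= 0
            && (lo = hexval((unsigned char)str[p + 2])) >= 0) {
            out.data[out.len++] = (char)(hi * 16 + lo);
            p += 2;   /* both hex digits verified present before skipping them */
        } else if (str[p] == '_') {
            out.data[out.len++] = ' ';      /* same "_" -> space rule as the original */
        } else {
            out.data[out.len++] = str[p];   /* malformed or truncated "=" kept literally */
        }
    }
    out.data[out.len] = '\0';
    return out;
}

int main(void)
{
    /* constructed sample inputs: benign, '=' near the end, lone '=', two valid triples */
    const char *samples[] = { "Hello=20World", "abc=1", "=", "=41=42" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sim_result r = simulate_original(samples[i]);
        qp_buf d = qp_decode_safe(samples[i]);
        printf("%-14s original: overrun=%d skips_nul=%d   safe: \"%s\" (%zu bytes)\n",
               samples[i], r.overrun, r.skips_nul, d.data, d.len);
        free(d.data);
    }
    return 0;
}
```

Running it shows that "abc=1" makes the original store one byte past its buffer and skip the terminator, while a lone "=" triggers only the terminator skip; the hardened decoder copies such truncated sequences through literally instead of guessing.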

Solution
Upgrade to version 0.76 when available. The FreeBSD security team has released an unofficial patch which also corrects this vulnerability.
Products
Unknown or Incomplete
Credit
Unknown or Incomplete