ZDI-CAN-338: libpurple MSN Protocol SLP Message Heap Overflow Vulnerability

Stu Tomlinson stu at nosnilmot.com
Tue Jul 1 15:16:12 EDT 2008

On Fri, 2008-06-27 at 10:01 -0400, Josh Bressers wrote: 
> On 26 June 2008, Josh Bressers wrote:
> > On 26 June 2008, "Mark Doliner" wrote:
> > > On Thu, 26 Jun 2008 13:51:30 -0400, Josh Bressers wrote
> > > > 
> > > > I'll see about CVE ids hopefully later today.  I've been terribly bogged
> > > > down with other things and I've not found time for this yet.  Sorry.
> > > 
> > > That would be great.
> > > 
> > 
> > OK, I took a look at things, and the way I see it we have at least three
> > things (three CVE ids).
> > 
> > * XML memory leak
> > * UPnP arbitrary file download (maybe not a flaw)
> > * msn integer overflow
> > 
> It looks like the MSN issue is public now:
> http://marc.info/?l=bugtraq&m=121449329530282&w=4

This is a different issue :( and not fixed yet. I've been able to
reproduce the crash. The problem here is caused by the following:
- We escape filenames when saving
- If a filename when escaped exceeds the maximum filename length, the
file transfer is automatically cancelled by libpurple because it failed
to create the file on disk
- On the pidgin instance *sending* the file, we don't properly handle
the cancellation from the receiving pidgin instance, and end up
referencing free'd memory.

Actually we seem to send a "cancel" followed by an "ack" and it's
processing the "ack" that causes problems. My current theory is because
we free'd associated data structures when handling the "cancel" but
somehow we didn't free or remove all references.

The actual filename used has no impact as far as I can see.

As far as using this exploit using the described method, I think an
attacker must convince the victim to attempt to send a file with such a
name to another pidgin/libpurple user. However, it appears to be another
bug in our SLP implementation, so may be triggerable by other means
possibly requiring no user interaction.

I've spent a long time trying to figure out exactly what is wrong, but
made no real progress, and won't have any time to look further until
Friday at the earliest.

> Does anyone know the impact of this issue?  Can any random MSN user trigger
> this flaw?  If so that's obviously not good.

The integer overflow issue will cause pidgin to crash when receiving a
malformed SLP message, unfortunately this can be initiated without
interaction by anyone permitted by your privacy settings (which may be
only those you have explicitly permitted, or everyone except those you
have explicitly blocked).



More information about the Packagers mailing list