Buffer overflow in MXit image command

Ulf Härnhammar ulfharn at gmail.com
Wed May 23 12:52:57 EDT 2012


Hello,

I have found a stack-based buffer overflow in Pidgin (verified in
versions 2.10.4 and 2.10.3, but other versions are also assumed to be
vulnerable).

The function "mxit_show_message()" in
libpurple/protocols/mxit/markup.c has an erroneous memcpy() call that
stores data in the ii[] array on the stack without checking if the
length is small enough. By sending messages with special image
commands on the MXit network, an attacker can trick a victim's Pidgin
installation into running arbitrary code.

I have attached a PoC for this bug. I believe it to be exploitable at
least on Windows XP, as the crash occurs during a memory write, with
both data and address under control. The WinDbg !exploitable extension
says that the bug is exploitable as well.

I hope that we can cooperate on solving this problem.

Regards,
Ulf Härnhammar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-poc.zip
Type: application/zip
Size: 9618 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20120523/f904ddba/attachment.zip>
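To illustrate the bug class named in the report (an unguarded memcpy() into a fixed-size stack array), here is an added example that is not Pidgin's code and not from the reporter: a hypothetical parser for a length-prefixed image field that adds the bounds check the report says is missing. The message layout, the IMG_FIELD_MAX size and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer standing in for the ii[] array the
 * report mentions; the real array size in Pidgin is not given in the report. */
#define IMG_FIELD_MAX 32

/* Status of parsing one hypothetical length-prefixed image field. */
enum img_parse_result {
    IMG_OK = 0,
    IMG_ERR_TRUNCATED,   /* message is shorter than its declared length */
    IMG_ERR_TOO_LONG     /* declared length exceeds the destination buffer */
};

/*
 * Parse a constructed, hypothetical image command of the form
 *   [1-byte length][length bytes of payload]
 * into a caller-supplied buffer of capacity `cap`. The defect described in
 * the report is a memcpy() into a stack array that is not guarded by the
 * `len > cap` test below; with that test in place an oversized length is
 * rejected instead of overrunning the array.
 */
static enum img_parse_result parse_image_field(const uint8_t *msg, size_t msg_len,
                                               uint8_t *out, size_t cap,
                                               size_t *out_len)
{
    if (msg_len < 1)
        return IMG_ERR_TRUNCATED;
    size_t len = msg[0];
    if (len > msg_len - 1)
        return IMG_ERR_TRUNCATED;   /* never read past the end of the message */
    if (len > cap)
        return IMG_ERR_TOO_LONG;    /* never write past the end of the buffer */
    memcpy(out, msg + 1, len);
    *out_len = len;
    return IMG_OK;
}

/* Wrapper that parses into a fixed-size stack array, as the report describes,
 * and returns only the status code (0 on success). */
int check_image_field(const uint8_t *msg, size_t msg_len)
{
    uint8_t ii[IMG_FIELD_MAX];
    size_t n = 0;
    return (int)parse_image_field(msg, msg_len, ii, sizeof ii, &n);
}
```

An input whose length byte is larger than IMG_FIELD_MAX is refused with IMG_ERR_TOO_LONG, which is exactly the path an unchecked memcpy() would have taken into the stack.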