mxit_add_buddy flaw

Daniel Atallah datallah at pidgin.im
Sat Mar 2 13:08:30 EST 2013


Guys,

This was reported as a security issue - at initial glance, it doesn't
appear to be something remotely triggerable, but I'm not familiar
enough with the mxit flow to know that for sure (or to know how best
to fix it).

Please credit "Fabian Yamaguchi and Christian Wressnegger of the
University of Goettingen" with finding the issue.

If it does turn out to be a remotely triggerable thing, please
coordinate with the security mailing list to get the fix committed
appropriately.

Thanks,
-D

(5) mxit_add_buddy:
===================

Finally, in mxit_add_buddy, the return-value of purple_base64_decode
is not checked at [1] and passed to mxit_send_invite at [2] where it
is used as an argument to snprintf. This is the only crash we did not
trigger as we ran out of time. I am reporting it nonetheless. Here is
the affected code:

void mxit_add_buddy( PurpleConnection* gc, PurpleBuddy* buddy, PurpleGroup* group, const char* message )
{
        struct MXitSession*     session = (struct MXitSession*) gc->proto_data;
        GSList*                         list    = NULL;
        PurpleBuddy*            mxbuddy = NULL;
        unsigned int            i;
        const gchar *           buddy_name = purple_buddy_get_name( buddy );
        const gchar *           buddy_alias = purple_buddy_get_alias( buddy );
        const gchar *           group_name = purple_group_get_name( group );

        purple_debug_info( MXIT_PLUGIN_ID, "mxit_add_buddy '%s' (group='%s')\n", buddy_name, group_name );

        list = purple_find_buddies( session->acc, buddy_name );
        if ( g_slist_length( list ) == 1 ) {
                purple_debug_info( MXIT_PLUGIN_ID, "mxit_add_buddy (scenario 1) (list:%i)\n", g_slist_length( list ) );
                /*
                 * we only send an invite to MXit when the user is not already inside our
                 * blist.  this is done because purple does an add_buddy() call when
                 * you accept an invite.  so in that case the user is already
                 * in our blist and ready to be chatted to.
                 */

                if ( buddy_name[0] == '#' ) {
                        gchar *tmp = (gchar*) purple_base64_decode( buddy_name + 1, NULL );
                        mxit_send_invite( session, tmp, FALSE, buddy_alias, group_name, message );
                        g_free( tmp );
                }
        [...]
}
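
The pattern the report describes, decode at [1] and format at [2], with the missing check put in place. This is an added example, not code from the report or from Pidgin: decode_b64 is a stand-in for purple_base64_decode (assumed to return NULL on undecodable input), and format_invite with its "invite=%s" format is a hypothetical model of the '#' branch and the snprintf in mxit_send_invite.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for purple_base64_decode(); assumed to return NULL on bad input. */
static char *decode_b64(const char *in)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), o = 0;
    if (len == 0 || len % 4 != 0) return NULL;
    char *out = malloc(len / 4 * 3 + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i += 4) {
        unsigned v = 0;
        int pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            const char *p = strchr(tbl, c);
            if (c == '=' && i + 4 == len && j >= 2) { pad++; v <<= 6; }
            else if (p != NULL && pad == 0) v = (v << 6) | (unsigned)(p - tbl);
            else { free(out); return NULL; }   /* invalid character */
        }
        out[o++] = (char)((v >> 16) & 0xFF);
        if (pad < 2) out[o++] = (char)((v >> 8) & 0xFF);
        if (pad < 1) out[o++] = (char)(v & 0xFF);
    }
    out[o] = '\0';
    return out;
}

/* Hypothetical model of the '#' branch: decode, check, then format.
 * Returns the formatted length, 0 if not a '#' name, -1 if rejected. */
int format_invite(char *buf, size_t size, const char *buddy_name)
{
    if (buddy_name[0] != '#') return 0;
    char *tmp = decode_b64(buddy_name + 1);
    if (tmp == NULL) return -1;            /* the check missing at [1] */
    int n = snprintf(buf, size, "invite=%s", tmp);   /* use as at [2] */
    free(tmp);
    return (n < 0 || (size_t)n >= size) ? -1 : n;    /* reject truncation */
}

int main(void)
{
    char buf[64];   /* constructed sample names: one valid, one invalid */
    printf("%d %d\n", format_invite(buf, sizeof buf, "#YWJj"),
           format_invite(buf, sizeof buf, "#@@@@"));
    return 0;
}
```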
