Denial of Service Vulnerabilities

Thijs Alkemade thijs at adium.im
Tue Mar 12 20:21:18 EDT 2013


On 2 Mar 2013, at 19:19, Daniel Atallah <daniel.atallah at gmail.com> wrote:

> On Mon, Feb 25, 2013 at 9:14 AM, Fabian Yamaguchi
> <fabian.yamaguchi at cs.uni-goettingen.de> wrote:
>> Hi Pidgin Security Team,
>> 
>> we would like to report some denial of service vulnerabilities we
>> found during our research on automatically identifying missing checks
>> in source code. Two of these crashes can be triggered by another user.
> 
> <SNIP>
> 
> I've attached patches to address the MSN issues (1, 3, 4).
> I did notice and correct some additional similar issues in
> msn_fault_handling.patch.
> 
> I passed on the mxit (5) issue to the mxit guys (you should have seen
> a message about that), and my understanding is that Thijs will be
> coming up with a patch for the xmpp issue (2).
> 
> -D

Hello all,

Attached is a patch fixing xmpp issue (2) and the extra issues I've mentioned.

The patch is pretty straightforward, it stores the JabberID* that an iq query
went to in the JabberCallbackData, and checks this when a reply comes in. I've
also added a couple of helper functions to jutil.c for handling JIDs.

One detail I feel like I should mention is that there is no timeout for
outstanding iq replies, but maybe there should be: previously this meant that only 2
pointers per iq were stored, but now this is 7 pointers + whatever data is
stored in the JabberID (which can be up to 3 kB (!) in total).

A malicious contact could try to provoke queries to them from Pidgin, but
refuse to reply, thus causing it to increase memory usage and performing a DoS
attack. Extensions like XEP-0115: Entity Capabilities (implemented in Pidgin)
and XEP-0166: Jingle (implemented for voice/video) make it possible for other
contacts to trigger Pidgin to send an iq query to a contact.

However, this would probably require something like 10k-100k outstanding
queries to have an impact. That's more likely to DoS someone's connection than
their iq-handler table.

Regards,
Thijs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iq.diff
Type: application/octet-stream
Size: 8314 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20130313/1d0485e6/attachment.obj>
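The check the mail describes (remember which JID an iq query was sent to, and only run the callback when the reply's 'from' matches it), together with the timeout the mail says is missing, as an added stand-alone example. This is not Pidgin's code and not the attached iq.diff: the table layout, the function names (iq_send, iq_on_reply, iq_expire, iq_pending_count), the IQ_TIMEOUT_SECS value and the exact-string JID comparison are all assumptions made for illustration.

```c
/*
 * Added example (not Pidgin code, not iq.diff): a pending-iq table that stores
 * the JID each <iq type="get"/"set"> was sent to, checks a reply's 'from'
 * against it, and expires entries that never get a reply. Names, limits and
 * the timeout are this example's own assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_PENDING     64
#define IQ_TIMEOUT_SECS 120   /* assumption: the mail notes the patch adds no timeout */

typedef struct {
    int    in_use;
    char   id[32];       /* the iq 'id' attribute we generated */
    char   to[256];      /* JID the query went to; the reply's 'from' must match */
    time_t sent_at;
} pending_iq;

static pending_iq table[MAX_PENDING];

/* Exact comparison only. Real code must normalize both JIDs first (domain
 * case, localpart/resource preparation); the mail says helpers for that
 * were added to jutil.c, which this example does not reproduce. */
static int jid_equal(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* Record an outgoing query. Returns the slot index, or -1 if the table is
 * full or an argument does not fit (the bounded table is the second defence
 * against a contact that never replies). */
int iq_send(const char *id, const char *to, time_t now)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (table[i].in_use) continue;
        if (strlen(id) >= sizeof table[i].id || strlen(to) >= sizeof table[i].to)
            return -1;
        table[i].in_use = 1;
        strcpy(table[i].id, id);
        strcpy(table[i].to, to);
        table[i].sent_at = now;
        return i;
    }
    return -1;
}

/* Handle an incoming <iq type="result"/"error">. Returns 1 if it matched a
 * pending query AND came from the JID that query was sent to (the slot is
 * then released; real code would run the callback here), 0 otherwise. A reply
 * with the right id but the wrong sender leaves the slot untouched, so a third
 * party can neither reach the callback nor evict somebody else's query. */
int iq_on_reply(const char *id, const char *from)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!table[i].in_use || strcmp(table[i].id, id) != 0) continue;
        if (!jid_equal(table[i].to, from))
            return 0;            /* id matches, sender does not: drop it */
        table[i].in_use = 0;
        return 1;
    }
    return 0;
}

/* Drop queries that have waited longer than IQ_TIMEOUT_SECS. Returns how many
 * were removed. This bounds the memory a non-replying contact can pin. */
int iq_expire(time_t now)
{
    int removed = 0;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (table[i].in_use && now - table[i].sent_at > IQ_TIMEOUT_SECS) {
            table[i].in_use = 0;
            removed++;
        }
    }
    return removed;
}

int iq_pending_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_PENDING; i++) n += table[i].in_use;
    return n;
}

int main(void)
{
    /* Constructed exchange: query to alice, a spoofed reply from mallory
     * reusing the id, then the genuine reply; then a query bob never answers. */
    iq_send("disco1", "alice@example.org/phone", 1000);
    printf("spoofed reply accepted: %d\n", iq_on_reply("disco1", "mallory@example.org/pc"));
    printf("genuine reply accepted: %d\n", iq_on_reply("disco1", "alice@example.org/phone"));
    iq_send("caps7", "bob@example.org/pc", 2000);
    printf("expired after timeout: %d\n", iq_expire(2000 + IQ_TIMEOUT_SECS + 1));
    printf("still pending: %d\n", iq_pending_count());
    return 0;
}
```

The id-only lookup on its own is what let an unrelated contact reach the callback before the patch; the sender comparison is the added check, and the expiry pass is what keeps the per-query JID storage from growing without bound when queries are provoked but never answered.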
