Gaim is an open source version of AIM (the AOL Instant Messenger client). The client has been found to contain a security vulnerability that allows remote attackers to crash it and execute arbitrary code on the target machine by sending a very large HTML tag.
Credit:
The information has been provided by Stan Bubrouski.
Vulnerable systems:
Gaim 0.10.3 (current) and prior versions
There is a buffer overflow in Gaim's parsing of HTML tags when using the OSCAR protocol. This allows shellcode to be executed by sending a message containing a very large HTML tag (e.g. <AAAA...AAA>). The static buffer that is overflowed is about 4100 bytes in size. Due to the way AIM's protocols work, exploiting this is possible but difficult because:
1) All communication aside from file transfers is done anonymously through a server, without an IP address being exchanged between the two clients.
2) A special client needs to be created to log in to the AIM servers and send the specially crafted message required to exploit this.
3) The TOC protocol is the default protocol used by Gaim, and it is not vulnerable to this overflow.
4) Determining which client a user is running is difficult in most circumstances.
5) Since there is a server between the two clients, using one to exploit the other will not result in a remote shell, because the server sits between the two and will not forward the shell, although a remote xterm would do the trick.
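As an added illustration (not Gaim's own code), the following C function extracts the first HTML tag from a message the way the patch does: the tag buffer is heap-allocated at strlen(text) + 2 rather than declared as a fixed-size stack array, so a tag longer than the old ~4100-byte buffer simply fits. The function name and the 5000-byte sample message are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Copy the body of the first <...> tag in text into a heap buffer and
 * return it (caller frees), or NULL if no complete tag is present.
 * The buffer is sized from the input, the same bound the patch uses for
 * ws and tag, so no tag in the message can exceed it. */
char *extract_first_tag(const char *text)
{
    const char *c = text;
    char *tag = malloc(strlen(text) + 2);
    size_t n = 0;
    int intag = 0;

    if (!tag)
        return NULL;
    while (*c) {
        if (!intag && *c == '<') {
            intag = 1;               /* start of a tag */
        } else if (intag && *c == '>') {
            tag[n] = '\0';           /* end of tag: terminate and return */
            return tag;
        } else if (intag) {
            tag[n++] = *c;           /* cannot overrun: n < strlen(text) */
        }
        c++;
    }
    free(tag);
    return NULL;                     /* unterminated or no tag */
}

int main(void)
{
    /* Constructed input: a 5000-byte tag, well past the ~4100-byte
     * static buffer the advisory describes. */
    char *msg = malloc(5003), *tag;
    if (!msg)
        return 1;
    msg[0] = '<';
    memset(msg + 1, 'A', 5000);
    msg[5001] = '>';
    msg[5002] = '\0';
    tag = extract_first_tag(msg);
    printf("tag length: %zu\n", tag ? strlen(tag) : 0);
    free(tag);
    free(msg);
    return 0;
}
```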
Patch:
Index: gtkhtml.c
===================================================================
RCS file: /cvsroot/gaim/gaim/src/gtkhtml.c,v
retrieving revision 1.76
diff -u -r1.76 gtkhtml.c
--- gtkhtml.c 2000/11/03 10:46:58 1.76
+++ gtkhtml.c 2000/11/10 02:58:08
@@ -3193,7 +3193,7 @@
GdkFont *cfont;
GdkRectangle area;
char *ws,
- tag[BUF_LONG],
+ *tag,
*c,
*url = NULL;
gint intag = 0,
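Review bot: replacing the fixed `tag[BUF_LONG]` array with a `char *tag` pointer is the right fix, since the tag length is controlled by the remote message, but the new declaration leaves `tag` uninitialised; initialising it to NULL (as `url` is on the next line) would make any early exit before the allocation safe to pair with an unconditional `g_free(tag)`.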
@@ -3237,6 +3237,7 @@
c = text;
ws = g_malloc(strlen(text) + 2);
+ tag = g_malloc(strlen(text) + 2);
while (*c)
{
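Review bot: `tag = g_malloc(strlen(text) + 2)` sizes the buffer from the input, matching `ws`, so no single tag in the message can exceed it; worth confirming that the code writing into `tag` inside the while loop still NUL-terminates it, and that no other exit from the loop returns before the corresponding `g_free(tag)`, otherwise the allocation leaks.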
@@ -3681,6 +3682,7 @@
g_free(ws);
+ g_free(tag);
gdk_window_get_size(html->html_area, NULL, &height);
area.height = height;
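Review bot: `g_free(tag)` correctly pairs with the new allocation and sits next to the existing `g_free(ws)`; if any other path leaves the function between the allocation and this point, the same free is needed there, since `tag` is no longer stack storage.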