Bugtraq mailing list archives

Advisory: Gaim remote vulnerability


From: Stan Bubrouski <stan () ccs neu edu>
Date: Mon, 13 Nov 2000 21:49:23 -0500

Author:   Stan Bubrouski (stan () ccs neu edu)
Date:   November 9, 2000
Package:  Gaim
Versions affected:  0.10.3 (current) and previous 0.10.x versions.
Severity:  A remote user could potentially execute shell code as the user Gaim is running as.

Problem:  There is a buffer overflow in Gaim's parsing of HTML tags when using the OSCAR
protocol which allows shell code to be executed when receiving a message with a large HTML
tag (e.g. <AAAA...AAA>).  The size of the static buffer which is overflowed is about 4100.  Due
to the way AIM's protocols work, exploiting this is possible but difficult because:
1) All communication aside from file transfers is done anonymously through a server without an
    IP being exchanged between two clients.
2) A special client would have to be constructed to log in to the AIM servers and send the specially
    crafted message required to exploit this.
3) The TOC protocol is the default protocol used by Gaim and it is not vulnerable to this overflow.
4) Determining what client a user is using is difficult in most circumstances.
5) Because the server sits between the two clients, using one client to exploit the other could not
     result in a remote shell, since the server can't forward the shell, although a remote xterm
     would do the trick.

No known exploits for this currently exist.

Solution:  The overflow is fixed in the Gaim CVS tree as of 11/10/2000, and a patch (provided
by Eric Warmenhoven of the gaim project) is available here for versions 0.10.3 and before.
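As an added illustration of the class of fix involved (this is not Gaim's code and not the attached patch), the following shows the unbounded copy pattern that produces this kind of overflow in a comment, beside a bounded tag extractor that refuses a tag larger than its fixed buffer. TAG_BUF, the function names and the sample builder are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed tag-buffer size, echoing the "about 4100" static buffer in the
 * advisory. Illustrative only, not Gaim's real constant or code. */
#define TAG_BUF 4096

/* The unsafe pattern (never called here): every byte between '<' and '>' is
 * copied into a fixed buffer with no bound, so a long tag runs past its end.
 *   static char tag[TAG_BUF]; size_t i = 0;
 *   while (*p && *p != '>') tag[i++] = *p++;                                */

/* Bounded replacement: copy the tag body after '<' into out[cap], stopping at
 * '>'. Returns the tag length, or -1 if the tag is unterminated or would not
 * fit with its NUL. *advance receives the input bytes consumed on success. */
int extract_tag(const char *msg, char *out, size_t cap, size_t *advance)
{
    const char *p = msg; size_t n = 0;
    if (*p != '<' || cap == 0) return -1;
    for (p++; *p && *p != '>'; p++) {
        if (n + 1 >= cap) return -1;   /* refuse oversize tag instead of overflowing */
        out[n++] = *p;
    }
    if (*p != '>') return -1;          /* unterminated tag */
    out[n] = '\0';
    *advance = (size_t)(p - msg) + 1;
    return (int)n;
}

/* Scan a message: 0 if every tag fits TAG_BUF, -1 if one would have overflowed;
 * a client should drop such a message rather than keep parsing it. */
int check_message(const char *msg)
{
    char tag[TAG_BUF]; size_t adv;
    const char *p = msg;
    while (*p) {
        if (*p != '<') { p++; continue; }
        if (extract_tag(p, tag, sizeof tag, &adv) < 0) return -1;
        p += adv;
    }
    return 0;
}

/* Constructed sample: a tag of `len` 'A's, as in the advisory's <AAAA...AAA>. */
int check_a_tag(size_t len)
{
    char buf[8192];
    if (len + 3 > sizeof buf) return -1;
    buf[0] = '<'; memset(buf + 1, 'A', len); buf[len + 1] = '>'; buf[len + 2] = '\0';
    return check_message(buf);
}
```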

Latest version of this advisory and patch are available at:
Advisory:       http://www.ccs.neu.edu/home/stan/security/gaim/index.html
Patch:          http://www.ccs.neu.edu/home/stan/security/gaim/gaimfix.patch

©2000 Stan Bubrouski

--
Stan Bubrouski                                       stan () ccs neu edu
316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222

Attachment: gaimfix.patch
Description: gaimfix.patch

