CVE-2004-0007
CVSS 7.5
Published: 2004-03-03 00:00:00
Revised: 2016-10-17 22:39:50

[Original] Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.


[CNNVD] Gaim multiple remote boundary condition error vulnerabilities (CNNVD-200403-030)

        
        Gaim is an instant messaging client that supports multiple protocols; Ultramagnetic is a fork of Gaim.
        Gaim's handling of several protocols contains boundary condition errors. A remote attacker can exploit them to carry out buffer overflow attacks and possibly gain unauthorized access to a host running this software.
        An audit of the Gaim source code found 12 security issues:
        Buffer overflows in the YMSG protocol (Yahoo Messenger) handler:
         01) Yahoo Octal-Encoding Decoder overflow
         02) Yahoo Octal-Encoding Decoder out-of-bounds overflow
         03) Yahoo web cookie parser overflow
         04) Yahoo login page name parser overflow
         05) Yahoo login page value parser overflow
         06) Yahoo packet parser overflow
        Buffer overflows in the OSCAR protocol (AIM) handler:
         07) AIM/Oscar DirectIM integer overflow
         08) Quoted-printable decoder overflow
         09) Quoted-printable decoder out-of-bounds overflow
         10) URL parser function overflow
         11) Extract Info Field function overflow
         12) HTTP proxy connect overflow
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:ultramagnetic:ultramagnetic:0.81
cpe:/a:rob_flynn:gaim:0.74

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9906  Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic be...
oval:org.mitre.oval:def:819  Gaim / Ultramagnetic Extract Info Field Function BO
*OVAL describes in detail how this vulnerability is detected; see the related OVAL definitions for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0007
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0007
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-030
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/fulldisclosure/2004-01/0994.html
(UNKNOWN)  FULLDISC  20040126 Advisory 01/2004: 12 x Gaim remote overflows
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000813
(UNKNOWN)  CONECTIVA  CLA-2004:813
http://marc.info/?l=bugtraq&m=107513690306318&w=2
(UNKNOWN)  BUGTRAQ  20040126 Advisory 01/2004: 12 x Gaim remote overflows
http://marc.info/?l=bugtraq&m=107522432613022&w=2
(UNKNOWN)  BUGTRAQ  20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code
http://security.e-matters.de/advisories/012004.html
(VENDOR_ADVISORY)  MISC  http://security.e-matters.de/advisories/012004.html
http://security.gentoo.org/glsa/glsa-200401-04.xml
(UNKNOWN)  GENTOO  GLSA-200401-04
http://ultramagnetic.sourceforge.net/advisories/001.html
(VENDOR_ADVISORY)  CONFIRM  http://ultramagnetic.sourceforge.net/advisories/001.html
http://www.debian.org/security/2004/dsa-434
(VENDOR_ADVISORY)  DEBIAN  DSA-434
http://www.kb.cert.org/vuls/id/197142
(UNKNOWN)  CERT-VN  VU#197142
http://www.mandriva.com/security/advisories?name=MDKSA-2004:006
(UNKNOWN)  MANDRAKE  MDKSA-2004:006
http://www.redhat.com/support/errata/RHSA-2004-032.html
(UNKNOWN)  REDHAT  RHSA-2004:032
http://www.redhat.com/support/errata/RHSA-2004-033.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:033
http://www.securityfocus.com/advisories/6281
(UNKNOWN)  SUSE  SuSE-SA:2004:004
http://www.securityfocus.com/bid/9489
(UNKNOWN)  BID  9489
http://www.securitytracker.com/id?1008850
(UNKNOWN)  SECTRACK  1008850
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.361158
(UNKNOWN)  SLACKWARE  SSA:2004-026
http://xforce.iss.net/xforce/xfdb/14946
(UNKNOWN)  XF  gaim-extractinfo-bo(14946)

- Vulnerability information

Gaim multiple remote boundary condition error vulnerabilities
High severity  Boundary condition error
2004-03-03 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Third-party patch download:
        
        http://security.e-matters.de/patches/gaim-0.75-fix.diff

        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released security advisory MDKSA-2004:006-1 and a corresponding patch:
        MDKSA-2004:006-1: Updated gaim packages fix multiple vulnerabilities
        Link:
        http://www.linux-mandrake.com/en/security/2004/2004-006.php

        Patch download:
        Updated Packages:
        Mandrake Linux 9.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/gaim-0.75-1.2.91mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/gaim-encrypt-0.75-1.2.91mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libgaim-remote0-0.75-1.2.91mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libgaim-remote0-devel-0.75-1.2.91mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/gaim-0.75-1.2.91mdk.src.rpm
        Mandrake Linux 9.1/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/gaim-0.75-1.2.91mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/gaim-encrypt-0.75-1.2.91mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libgaim-remote0-0.75-1.2.91mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libgaim-remote0-devel-0.75-1.2.91mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/gaim-0.75-1.2.91mdk.src.rpm
        Mandrake Linux 9.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/gaim-0.75-1.2.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/gaim-encrypt-0.75-1.2.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/gaim-festival-0.75-1.2.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/gaim-perl-0.75-1.2.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/libgaim-remote0-0.75-1.2.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/libgaim-remote0-devel-0.75-1.2.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/gaim-0.75-1.2.92mdk.src.rpm
        Mandrake Linux 9.2/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/gaim-0.75-1.2.92mdk.amd64.rpm
        The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
        
        http://www.mandrakesecure.net/en/ftp.php

        RedHat
        ------
        RedHat has released security advisory RHSA-2004:032-01 and a corresponding patch:
        RHSA-2004:032-01: Updated Gaim packages fix various vulnerabilities
        Link: https://www.redhat.com/support/errata/RHSA-2004-032.html
        Patch download:
        Red Hat Linux 9:
        SRPMS:
        ftp://updates.redhat.com/9/en/os/SRPMS/gaim-0.75-0.9.0.src.rpm
        i386:
        ftp://updates.redhat.com/9/en/os/i386/gaim-0.75-0.9.0.i386.rpm
        The patch can be installed with the following command:
        rpm -Fvh [filename]
        S.u.S.E.
        --------
        S.u.S.E. has released security advisory SuSE-SA:2004:004 and a corresponding patch:
        SuSE-SA:2004:004: gaim
        Link:
        Patch download:
         Intel i386 Platform:
         SuSE-9.0:
         ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gaim-0.67-65.i586.rpm
         09f8d12dd52e246cf32dca8ad3374f39
         patch rpm(s):
         ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gaim-0.67-65.i586.patch.rpm
         3a633e341b9e56facdbe0250b55dd33a
         source rpm(s):
         ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/gaim-0.67-65.src.rpm
         5ee6a86077c0297a64815532782f7a54
         SuSE-8.2:
         ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gaim-0.59.8-60.i586.rpm
         7a269744304f72bf951c7bd6974560f2
         patch rpm(s):
         ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gaim-0.59.8-60.i586.patch.rpm
         e7b18f0da02c1c4392dc1b03e835a827
         source rpm(s):
         ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/gaim-0.59.8-60.src.rpm
         ae7d7b1c9735696244547a0d6a5ee92e
         SuSE-8.1:
         ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/gaim-0.59-158.i586.rpm
         22b1d4b

- Vulnerability information (F34673)

Fedora Legacy Update Advisory 1237 (PacketStormID:F34673)
2004-10-16 00:00:00
The Fedora Legacy project  gaim.sourceforge.net
advisory,overflow,protocol
linux,fedora
CVE-2004-0006,CVE-2004-0007,CVE-2004-0008,CVE-2004-0500,CVE-2004-0754,CVE-2004-0784,CVE-2004-0785

Fedora Legacy Update Advisory - FLSA:1237. Updated gaim package resolves security issues. Corrects multiple buffer overflows in Gaim 0.75 and earlier, including Yahoo cookie buffer overflows, YMSG protocol overflows, and flaws in URL and proxy handling.

-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated gaim package resolves security issues
Advisory ID:       FLSA:1237
Issue date:        2004-10-16
Product:           Red Hat Linux
Keywords:          Bugfix
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1237
CVE Names:         CAN-2004-0006 CAN-2004-0007 CAN-2004-0008
                   CAN-2004-0500 CAN-2004-0754 CAN-2004-0784
                   CAN-2004-0785
-----------------------------------------------------------------------


-----------------------------------------------------------------------
1. Topic:

An updated gaim package that fixes several security issues is now
available.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

Issues fixed with this gaim release include:

Multiple buffer overflows that affect versions of Gaim 0.75 and earlier.
1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol
overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4)
flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0006 to these issues.

A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field
Function used for MSN and YMSG protocol handlers. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0007 to this issue.

An integer overflow in Gaim 0.74 and earlier, when allocating memory for
a directIM packet results in heap overflow. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0008 to this issue.

Buffer overflow bugs were found in the Gaim MSN protocol handler. In
order to exploit these bugs, an attacker would have to perform a man in
the middle attack between the MSN server and the vulnerable Gaim client.
Such an attack could allow arbitrary code execution. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0500 to this issue.

An integer overflow bug has been found in the Gaim Groupware message
receiver. It is possible that if a user connects to a malicious server,
an attacker could send carefully crafted data which could lead to
arbitrary code execution on the victim's machine. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0754 to this issue.

A shell escape bug has been found in the Gaim smiley theme file
installation. When a user installs a smiley theme, which is contained
within a tar file, the unarchiving of the data is done in an unsafe
manner. An attacker could create a malicious smiley theme that would
execute arbitrary commands if the theme was installed by the victim. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0784 to this issue.

Buffer overflow bugs have been found in the Gaim URL decoder, local
hostname resolver, and the RTF message parser. It is possible that a
remote attacker could send carefully crafted data to a vulnerable client
and lead to a crash or arbitrary code execution. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0785 to this issue.

Users of Gaim are advised to upgrade to this updated package which
contains Gaim version 0.82.1 and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - bug #1237

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gaim-0.82.1-0.73.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gaim-0.82.1-0.73.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gaim-0.82.1-0.90.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gaim-0.82.1-0.90.3.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------

cda084b78e263bb725ad92fdef0fc4b329b705d5  7.3/updates/i386/gaim-0.82.1-0.73.2.legacy.i386.rpm
e28d0c278324c7a508af7a30565cc5741b7ec4f0  7.3/updates/SRPMS/gaim-0.82.1-0.73.2.legacy.src.rpm
958a8c9d2077ae068af20c282e69e64ec8f1a4e7  9/updates/i386/gaim-0.82.1-0.90.3.legacy.i386.rpm
211c4e944d0b1178e53f0f1dd8bd303eeee1a6cf  9/updates/SRPMS/gaim-0.82.1-0.90.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://security.e-matters.de/advisories/012004.html
http://gaim.sourceforge.net/security/index.php?id=0
http://gaim.sourceforge.net/security/index.php?id=1
http://gaim.sourceforge.net/security/index.php?id=2
http://gaim.sourceforge.net/security/index.php?id=3
http://gaim.sourceforge.net/security/index.php?id=4
http://gaim.sourceforge.net/security/index.php?id=5
http://gaim.sourceforge.net/security/index.php?id=6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0785


9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBcWI7LMAs/0C4zNoRAuwkAJ4n8aqw46Ypr31zcF/agwoWtT3u/wCfc/IB
jfgx69hTPs9W16I7z3TBJ6g=
=mQs0
-----END PGP SIGNATURE-----



    

- Vulnerability information (F32583)

001.txt.asc (PacketStormID:F32583)
2004-01-29 00:00:00
 
advisory,vulnerability
CVE-2004-0005,CVE-2004-0006,CVE-2004-0007,CVE-2004-0008

Ultramagnetic, a utility based off of a fork of the GAIM IM software, is susceptible to the vulnerabilities found in GAIM versions 0.75 and below.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Ultramagnetic Advisory #001: January 26th, 2004
http://ultramagnetic.sourceforge.net/advisories/001.html
Severity: 9 (High)
Document Revision: 1.0


Overview

Ultramagnetic is a concurrent fork of the Gaim instant messaging software
which adds strong end-to-end encryption and authentication using GnuPG's
libgcrypt and anonymous routing with Hacktivismo's Six/Four protocol.

Multiple buffer overflow vulnerabilities have been found in the code
forked from Gaim.  Full details are available at this URL:
http://security.e-matters.de/advisories/012004.html

Note that these vulnerabilities DO NOT compromise the
integrity of the encryption or authentication.



Affected Versions

All versions prior to Ultramagnetic v0.81 are affected by CAN-2004-0006,
CAN-2004-0007, CAN-2004-0008:

v0.01 Preview Alpha 1
v0.02 Preview Alpha 2
v0.03 Preview Alpha 3
v0.10 Beta
v0.20 Beta
v0.40 Beta
v0.50 Beta
v0.55 Beta
v0.60 Beta
v0.65 Beta
v0.70 Beta
v0.80 Beta

None of the versions mentioned above are vulnerable to CAN-2004-0005.



Solution

All users are strongly encouraged to upgrade to Ultramagnetic v0.81
(or later):

Source bz2:
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81.tar.bz2?download
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81.tar.bz2.sig?download

Linux x86 RPM:
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81-1.i386.rpm?download
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81-1.i386.rpm.sig?download


References

    * E-matters: 12 x Gaim remote overflows:
          http://security.e-matters.de/advisories/012004.html
    * CVE: CAN-2004-0006
    * CVE: CAN-2004-0007
    * CVE: CAN-2004-0008



- --
low halo 
Defender of Truth and Liberty
http://ultramagnetic.sourceforge.net/
 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AFB17F6
9AB1 FF04 016F 89A3 5B4E  A585 BDBB 5FBE 3AFB 17F6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAFX7Mvbtfvjr7F/YRAnKoAJ43FwGrkJVPnipLlHkrSL+mh1dPUQCfSmNq
GzQkzArZc9N9TJVYspHBvKo=
=ztmn
-----END PGP SIGNATURE-----
    

- Vulnerability information (F32568)

012004.gaim.txt (PacketStormID:F32568)
2004-01-26 00:00:00
Stefan Esser  security.e-matters.de
advisory,remote,overflow
CVE-2004-0005,CVE-2004-0006,CVE-2004-0007,CVE-2004-0008

GAIM versions 0.75 and below are vulnerable to twelve overflows that allow for remote compromise.

e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: 12 x Gaim remote overflows
 Release Date: 2004/01/26
Last Modified: 2004/01/26
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: Gaim <= 0.75
     Severity: 12 vulnerabilities were found in the instant 
               messenger GAIM that allow remote compromise
         Risk: Critical
Vendor Status: Vendor has fixed in CVS, but feels not ready for
               release because of problems with HEAD
    Reference: http://security.e-matters.de/advisories/012004.html


Overview:

   Gaim is a multi-protocol instant messaging client for Linux, BSD, 
   MacOS X, and Windows. It is compatible with AIM (Oscar and TOC 
   protocols), ICQ, MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, 
   and Zephyr networks. It is a very popular choice among the users
   of instant messaging networks and especially in the community of
   migrated windows users. 
   
   While developing a custom add-on, an integer overflow in the 
   handling of AIM DirectIM packets was revealed that could lead 
   to a remote compromise of the IM client. After disclosing this
   bug to the vendor, they had to make a hurried release because
   of a change in the Yahoo connection procedure that rendered
   GAIM useless. Unfortunately, at the same time a closer look
   at the source code revealed 11 more vulnerabilities.
   
   The 12 identified problems range from simple standard stack
   overflows, over heap overflows to an integer overflow that can
   be abused to cause a heap overflow. Due to the nature of instant
   messaging many of these bugs require man-in-the-middle attacks
   between client and server. But the underlying protocols are
   easy to implement, and MIM attacks on ordinary TCP sessions are
   a fairly simple task.
   
   In combination with the latest kernel vulnerabilities or the 
   habit of users to work as root/administrator these bugs can 
   result in remote root compromises.
   
      
Details:
   
   While auditing the Gaim source code the following 12 
   vulnerabilities were discovered:
   
   Overflows in YMSG protocol (yahoo messenger) handler
   ----------------------------------------------------
   
   01) Yahoo Octal-Encoding Decoder Overflow
   02) Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow
   03) Yahoo Web Cookie Parser Overflow
   04) Yahoo Login Page Name Parser Overflow             
   05) Yahoo Login Page Value Parser Overflow            
   06) Yahoo Packet Parser Overflow
   
   Overflows in oscar protocol (AIM) handler
   -----------------------------------------
   
   07) AIM/Oscar DirectIM Integer Overflow
    
   Overflows in utility functions
   (called in various protocols)
   ------------------------------
    
   08) Quoted Printable Decoder Overflow
   09) Quoted Printable Decoder Out-Of-Bounds Overflow
   10) URL Parser Function Overflow             
   11) Extract Info Field Function Overflow
   
   Overflows that do not fit into
   the other categories
   ------------------------------
   
   12) HTTP Proxy Connect Overflow
 

   Detailed Bug Description  
   ------------------------
 
   [01 - Yahoo Octal-Encoding Decoder Overflow]
   [02 - Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow]
   
   When the Yahoo Messenger handler decodes an octal value for
   the email notification functions, two different kinds of
   overflows can be triggered.
   
   Affected version: 0.75 (only)
   File:             gaim/src/protocols/yahoo/yahoo.c
   Function:         yahoo_decode()
   Code:
   
      static char *yahoo_decode(const char *text)
      {
         char *converted;
         char *p, *n, *new;
      
         n = new = g_malloc(strlen (text) + 1);
      
         for (p = (char *)text; *p; p++, n++) {
            if (*p == '\\') {
               sscanf(p + 1, "%3o\n", (int *)n); <-------- [01]
               p += 3;  <--------------------------------- [02]
            }
            else
               *n = *p;
         }
      
         *n = '\0';
         ...
      
   Because of the way sscanf() is used, it always writes 4 bytes
   (an int) into the allocated buffer. The author did not anticipate
   malformed input such as "\1", or a backslash that is only a
   backslash, which makes it possible to write 1-2 zero bytes past
   the buffer boundary. On Linux this is exploitable like any heap
   off-by-one into the malloc() chunks. The second vulnerability is
   that no matter how many bytes sscanf() consumes, the pointer is
   always advanced by an assumed 4 bytes. This can jump over the
   terminating zero byte, and with specially prepared memory after
   the string it is possible to overwrite the heap with an
   arbitrary amount of data.
      
   These bugs are counted as 2 because for most people [02] is not
   obvious. As an example, the vendor at first fixed only [01], because
   my description was not good enough. Additionally, the misuse of 
   sscanf() caused an incompatibility with all big-endian platforms.
     
   
   [03 - Yahoo Web Cookie Parser Overflow]
   
   When parsing the cookies within the HTTP reply header of a
   Yahoo web connection, a buffer overflow can happen.
   
   Affected version: <= 0.75
   File:             gaim/src/protocols/yahoo/yahoo.c
   Function:         yahoo_web_pending()
   Code:
   
      void yahoo_web_pending(gpointer data, gint source, ...
      { 
         GaimConnection *gc = data;
         GaimAccount *account = gaim_connection_get_account(gc);
         struct yahoo_data *yd = gc->proto_data;
         char buf[1024], buf2[256], *i = buf, *r = buf2;
         int len, o = 0;
   
         len = read(source, buf, sizeof(buf));
         ...
         while ((i = strstr(i, "Set-Cookie: ")) && 0 < 2) {
            i += strlen("Set-Cookie: ");
            for (;*i != ';'; r++, i++) {
               *r = *i;
            }
            *r=';';
            r++;
            ...
         }
         ...
   
   Here all cookie data contained in the first 1024 bytes of an
   HTTP reply header is copied into a 256 byte buffer without
   a size check. Because the source and destination buffers are
   both on the stack, and the stack layout will most probably
   result in the smaller buffer overflowing into the larger
   one, this bug is believed not to be exploitable with the
   normal stack layout. Note also the typo in the while()
   condition, 0 < 2, which should be o < 2.
         
   
   [04 - Yahoo Login Page Name Parser Overflow]
   [05 - Yahoo Login Page Value Parser Overflow]
   
   When parsing the Yahoo login webpage, the YMSG protocol handler
   overflows stack buffers if the webpage returns oversized values.

   Affected version: <= 0.75
   File:             gaim/src/protocols/yahoo/yahoo.c
   Function:         yahoo_login_page_hash()
   Code:
   
      static 
      GHashTable *yahoo_login_page_hash(const char *buf,size_t len)
      {
         GHashTable *hash = g_hash_table_new_full(g_str_hash, g_s...
         const char *c = buf;
         char *d;
         char name[64], value[64];
         while ((c < (buf + len)) && (c = strstr(c, "<input "))) {
            c = strstr(c, "name=\"") + strlen("name=\"");
            for (d = name; *c!='"'; c++, d++) <----------- [04]
               *d = *c;                       <---------/
            *d = '\0';
            d = strstr(c, "value=\"") + strlen("value=\"");
            if (strchr(c, '>') < d)
               break;
            for (c = d, d = value; *c!='"'; c++, d++) <--- [05]
               *d = *c;   <-----------------------------/
            *d = '\0';
            g_hash_table_insert(hash, g_strdup(name), g_strdup(value));
         }
         return hash;
      }

   The content of the yahoo login webpage is trusted although it
   could be changed with a simple man-in-the-middle attack on the
   HTTP session. name and value are filled directly from the page
   without any kind of size check. This results in two independent
   ways to overflow the stack.

   
   [06 - Yahoo Packet Parser Overflow]
   
   A Yahoo Messenger packet consists of a header and a list of keys
   with their associated values. When reading an oversized key name,
   a standard stack overflow can be triggered. This is most probably 
   the most dangerous discovered vulnerability, because the nature 
   of the bug makes it very easy to exploit and additionally a TCP 
   man-in-the-middle attack is NOT needed. It is possible to send 
   a malicious YMSG packet to the Yahoo server so that it will
   be forwarded like any normal message.

   Affected version: <= 0.75
   File:             gaim/src/protocols/yahoo/yahoo.c
   Function:         yahoo_packet_read()
   Code:
   
      static void yahoo_packet_read(struct yahoo_packet *pkt, 
                                              guchar *data, int len)
      {
         int pos = 0;
   
         while (pos + 1 < len) {
            char key[64], *value = NULL, *esc;
            int accept;
            int x;
   
            struct yahoo_pair *pair = g_new0(struct yahoo_pair, 1);
   
            x = 0;
            while (pos + 1 < len) {
               if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
               break;
               key[x++] = data[pos++];  <----------------- [06]
            }
            key[x] = 0;
            pos += 2;
            ...

   Every time the YMSG handler receives a complete packet it passes
   it to this function to be split into its keys and values.
   Because the key name is copied without any kind of size check
   into the key variable, which is a 64 byte stack buffer, it is very
   easy to exploit.
   NOTE: This bug is also exploitable on systems with non-executable
   stacks or stack overflow detection, as long as free() exploits are
   possible on that platform.
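Bugs [03], [04]/[05] and [06] share one defect: a loop copies input into a fixed-size stack buffer until it sees a delimiter, checking neither the destination size nor whether the input ends first (the cookie loop also runs strstr() over a read() buffer that was never NUL-terminated). The following is an added example, not Gaim's or e-matters' code, written in plain C without GLib: a bounded copy_until() helper and a cookie collector built on it that also carries the `o < 2` fix. Function names, return conventions and the sample header are this example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Copy bytes from src into dst until `delim` is seen.
 * Returns the number of bytes copied (the index of the delimiter in src)
 * on success, or -1 when the delimiter is not found before the input
 * ends (srclen) or before dst would be full.  dst is always
 * NUL-terminated.  This is the check that key[64], name[64], value[64]
 * and buf2[256] in the original loops lack. */
static long copy_until(char *dst, size_t dstsize,
                       const char *src, size_t srclen, char delim)
{
    size_t i;
    if (dstsize == 0)
        return -1;
    for (i = 0; i < srclen; i++) {
        if (src[i] == delim) {
            dst[i] = '\0';
            return (long)i;
        }
        if (i + 1 >= dstsize) {        /* keep one byte for the terminator */
            dst[dstsize - 1] = '\0';
            return -1;
        }
        dst[i] = src[i];
    }
    /* Input ended without a delimiter.  The original `for (;*i != ';'; ...)`
     * has no such exit and keeps reading past the end of the buffer. */
    dst[i] = '\0';
    return -1;
}

/* Collect at most two Set-Cookie values from an HTTP header block into
 * `out`, each followed by ';', as yahoo_web_pending() intends.  The header
 * is scanned by length rather than with strstr(), because the original
 * read() into buf[1024] never NUL-terminates it.  Returns the number of
 * cookies collected, or -1 when `out` is too small. */
static int collect_cookies(const char *hdr, size_t hdrlen,
                           char *out, size_t outsize)
{
    static const char marker[] = "Set-Cookie: ";
    const size_t mlen = sizeof(marker) - 1;
    const char *i = hdr, *end = hdr + hdrlen;
    size_t used = 0;
    int o = 0;

    if (outsize == 0)
        return -1;
    out[0] = '\0';
    while (o < 2) {                        /* the original's `0 < 2` never stops */
        const char *m = NULL, *q;
        long n;
        for (q = i; q + mlen <= end; q++)
            if (memcmp(q, marker, mlen) == 0) { m = q; break; }
        if (!m)
            break;
        i = m + mlen;
        n = copy_until(out + used, outsize - used, i, (size_t)(end - i), ';');
        if (n < 0)
            return -1;
        used += (size_t)n;
        i += n + 1;                        /* step past the ';' */
        if (used + 2 > outsize)            /* room for ';' and the terminator */
            return -1;
        out[used++] = ';';
        out[used] = '\0';
        o++;
    }
    return o;
}

int main(void)
{
    /* constructed sample header, not captured traffic */
    const char *hdr = "HTTP/1.0 200 OK\r\n"
                      "Set-Cookie: Y=abc; path=/\r\n"
                      "Set-Cookie: T=def; path=/\r\n";
    char out[256];
    int n = collect_cookies(hdr, strlen(hdr), out, sizeof out);
    printf("%d cookie(s): %s\n", n, out);
    return 0;
}
```

The same copy_until() call, with `"` as the delimiter, is what the name/value loops of [04]/[05] need, and with a two-byte 0xc0 0x80 delimiter the key loop of [06] needs an equivalent bound; in all three cases the caller must treat -1 as a protocol error and drop the packet rather than continue with a truncated buffer.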
   
   
   [07 - AIM/Oscar DirectIM Integer Overflow]
   
   An integer overflow when allocating memory for a directIM packet
   results in a heap overflow. directIM is a client-to-client protocol
   and therefore does not require a MIM.
      
   Affected version: <= 0.74
   File:             gaim/src/protocols/oscar/ft.c
   Function:         handlehdr_odc()
   Code:
   
      static int handlehdr_odc(aim_session_t *sess, aim_...
      {
         aim_frame_t fr;
         int ret = 0;
         aim_rxcallback_t userfunc;
         fu32_t payloadlength;
         fu16_t flags, encoding;
         char *snptr = NULL;
   
         fr.conn = conn;
   
         /* AAA - ugly */
         aim_bstream_setpos(bs, 20);
         payloadlength = aimbs_get32(bs);
   
         ...
   
         if (payloadlength) {
            char *msg;
            ...

            if (!(msg = calloc(1, payloadlength+1))) {  <--- [07]
               free(snptr);
               return -ENOMEM;
            }

            while (payloadlength - recvd) {
               if (payloadlength - recvd >= 1024)
                  i = aim_recv(conn->fd, &msg[recvd], 1024);
               else
      ...
   
   Within this code snippet payloadlength is taken directly from the
   network and passed to the calloc() function in an unsafe manner.
   
   A user-supplied payloadlength of UINT_MAX (0xffffffff) will cause
   an integer overflow within the second parameter of calloc() and
   therefore only allocate a 0 byte buffer. Please notice that this
   bug is not an integer overflow due to the multiplication within 
   calloc() and therefore it is not caught by the recent security
   patches to calloc() on different platforms. Please also note that
   calloc(1, 0) will not return a NULL pointer but a pointer into
   the legal heap on at least all tested platforms (e.g. Linux, BSD).
   On BSD systems this is configurable but it defaults to this
   behaviour. After allocating the 0 byte buffer, aim_recv() is called
   repeatedly by the while loop to read and overwrite with up to 4GB
   of data.
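The fix for [07] is a range check on payloadlength before any arithmetic touches it, so that `payloadlength + 1` can never wrap and the receive loop is bounded by the size actually allocated. The block below is an added example, not Gaim's code: MAX_ODC_PAYLOAD is an assumed application limit (Gaim defines no such constant on this page), and the function names are this example's own. unchecked_alloc_size() reproduces the original's 32-bit arithmetic so the wrap can be observed directly.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limit for one DirectIM message; any value above it is rejected
 * before it reaches calloc().  Not a Gaim value. */
#define MAX_ODC_PAYLOAD (4u * 1024u * 1024u)

/* Mirror of the original arithmetic: payloadlength is fu32_t (uint32_t),
 * so payloadlength + 1 is computed modulo 2^32 before calloc() sees it.
 * For 0xffffffff this returns 0. */
static uint32_t unchecked_alloc_size(uint32_t payloadlength)
{
    return payloadlength + 1;
}

/* Hardened allocation: reject oversized lengths first, then widen to
 * size_t so the +1 cannot wrap.  Returns NULL and sets *out_size to 0
 * when the length is rejected or calloc() fails. */
static char *alloc_odc_payload(uint32_t payloadlength, size_t *out_size)
{
    char *msg;
    *out_size = 0;
    if (payloadlength > MAX_ODC_PAYLOAD)
        return NULL;                        /* covers 0xffffffff too */
    msg = calloc(1, (size_t)payloadlength + 1);
    if (msg)
        *out_size = (size_t)payloadlength + 1;
    return msg;
}

/* Size of the next read into a buffer of bufsize bytes with recvd bytes
 * already received, keeping one byte for the terminator and at most 1024
 * per call as in the original loop.  Unlike `while (payloadlength - recvd)`
 * this is derived from the allocation, so a 0-byte buffer yields no reads. */
static size_t next_chunk(size_t bufsize, size_t recvd)
{
    size_t remaining = (bufsize > recvd + 1) ? bufsize - 1 - recvd : 0;
    return remaining >= 1024 ? 1024 : remaining;
}

int main(void)
{
    size_t sz;
    char *m = alloc_odc_payload(0xffffffffu, &sz);   /* constructed hostile length */
    printf("wrapped size=%u, hardened alloc=%s\n",
           (unsigned)unchecked_alloc_size(0xffffffffu), m ? "accepted" : "rejected");
    free(m);
    return 0;
}
```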


   [08 - Quoted Printable Decoder Overflow]
   [09 - Quoted Printable Decoder Out-Of-Bounds Overflow]
   
   When the MIME decoder decodes a quoted-printable encoded string
   for email notification, two different kinds of overflows can be
   triggered.
      
   Affected version: 0.75 (only)
   File:             gaim/src/util.c
   Function:         quotedp_decode()
   Code:
      
      void
      gaim_quotedp_decode(const char *str, char **ret_str, int ...
      {
         char *p, *n, *new;
   
         n = new = g_malloc(strlen (str) + 1);
   
         for (p = (char *)str; *p; p++, n++) {
            if (*p == '=') {
               sscanf(p + 1, "%2x\n", (int *)n); <-------- [08]
               p += 2;  <--------------------------------- [09]
            }
            else if (*p == '_')
                    *n = ' ';
                 else
                    *n = *p;
        }
   
        *n = '\0';
        ...
        
   Because these bugs are very similar to [01] and [02] only the
   vulnerable code snippet is shown here. For an explanation read
   the yahoo_decode() vulnerability description.
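   A bounded decoder for the same format, added here as an example and
   not taken from Gaim, that avoids both [08] and [09]: it stores exactly
   one byte per "=XX" escape and never steps past the terminating NUL.
   Its handling of malformed escapes (copied through literally) is an
   assumption of the example.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit (a NUL gives -1). */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode a quoted-printable string into out (out_size bytes).  Each "=XX"
 * escape stores exactly one byte (no int-sized write through a char
 * pointer, cf. [08]) and the read pointer only advances over characters
 * it has seen, so a trailing "=" or "=X" cannot step past the NUL (cf. [09]).
 * Malformed escapes are copied literally (an assumption of this example).
 * Returns the decoded length, or -1 if out is too small.
 */
long qp_decode_bounded(const char *str, char *out, size_t out_size)
{
    const char *p = str;
    size_t n = 0;

    if (out_size == 0)
        return -1;
    while (*p != '\0') {
        unsigned char c = (unsigned char)*p;
        if (c == '=') {
            int hi = hex_val((unsigned char)p[1]);      /* -1 if p[1] is NUL */
            int lo = (hi >= 0) ? hex_val((unsigned char)p[2]) : -1;
            if (hi >= 0 && lo >= 0) {
                c = (unsigned char)(hi * 16 + lo);
                p += 3;
            } else {
                p += 1;                                 /* keep literal '=' */
            }
        } else {
            if (c == '_')
                c = ' ';
            p += 1;
        }
        if (n + 1 >= out_size)                          /* room for the NUL */
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (long)n;
}
```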
   
      
   [10 - URL Parser Function Overflow]
   
   At various places this utility function is used to split a
   URL into its parts. Because temporary fixed size stack buffers
   are used in an unsafe way a standard stack overflow can be
   caused.
   
   Affected version: <= 0.75
   File:             gaim/src/util.c
   Function:         gaim_url_parse()
   Code:
   
      gboolean
      gaim_url_parse(const char *url, char **ret_host,
                      int *ret_port, char **ret_path)
      {
         char scan_info[255];
         char port_str[5];
         int f;
         const char *turl;
         char host[256], path[256];
         int port = 0;
         /* hyphen at end includes it in control set */
         static char addr_ctrl[] = "A-Za-z0-9.-";
         static char port_ctrl[] = "0-9";
         static char page_ctrl[] = "A-Za-z0-9.~_/:*!@&%%?=+^-";
   
         ...
         g_snprintf(scan_info, sizeof(scan_info),
                       "%%[%s]:%%[%s]/%%[%s]", addr_ctrl, 
                       port_ctrl, page_ct

         f = sscanf(url, scan_info, host, port_str, path); <-- [10]
         ...

   Here sscanf() is again used in an unsafe manner. When this
   function is called with an oversized URL, which can be triggered
   from several protocol handlers in different ways, sscanf() will
   overwrite the stack buffers host and path. The problem at this
   point is that it is only possible to overwrite the buffers with
   a limited character set, which makes exploitation tricky.
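   A width-limited version of the same scan, added here as an example
   (not Gaim's code), showing the fix a reviewer would ask for: a
   maximum field width on every %[...] conversion plus a range check on
   the port. It assumes the scheme has already been stripped and that
   the input has the form host:port/path.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 255      /* host and path scan buffers: 255 chars + NUL */
#define PORT_MAX 5        /* up to 5 digits + NUL */

/*
 * Same three-field scan as gaim_url_parse(), but every %[...] conversion
 * carries a maximum field width, so sscanf() cannot write past the stack
 * buffers whatever the URL length.  Assumptions of this example: the
 * scheme is already stripped and the input looks like "host:port/path".
 * Returns false when the URL does not match or does not fit.
 */
bool url_parse_bounded(const char *url, char *host, size_t host_size,
                       int *port, char *path, size_t path_size)
{
    static const char addr_ctrl[] = "A-Za-z0-9.-";
    static const char port_ctrl[] = "0-9";
    static const char page_ctrl[] = "A-Za-z0-9.~_/:*!@&%?=+^-"; /* '%' needs no escaping in a scanset */
    char scan_info[255];
    char h[HOST_MAX + 1], pth[HOST_MAX + 1], port_str[PORT_MAX + 1];
    long p;

    /* Builds "%255[A-Za-z0-9.-]:%5[0-9]/%255[...]" (widths exclude the NUL) */
    snprintf(scan_info, sizeof scan_info, "%%%d[%s]:%%%d[%s]/%%%d[%s]",
             HOST_MAX, addr_ctrl, PORT_MAX, port_ctrl, HOST_MAX, page_ctrl);

    /* A host longer than 255 chars leaves sscanf() stopped on a non-':'
       byte, so the match fails instead of overflowing h[]. */
    if (sscanf(url, scan_info, h, port_str, pth) != 3)
        return false;

    p = strtol(port_str, NULL, 10);
    if (p < 1 || p > 65535)
        return false;
    if (strlen(h) >= host_size || strlen(pth) >= path_size)
        return false;

    strcpy(host, h);
    strcpy(path, pth);
    *port = (int)p;
    return true;
}
```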
   
   
   [11 - Extract Info Field Function Overflow]
   
   At various places this utility function is called to copy the
   data between two tokens into a fixed size stack buffer without a
   size check.

   Affected version: <= 0.74
   File:             gaim/src/util.c
   Function:         gaim_markup_extract_info_field()
   Code:
   
      ...
      const char *p, *q;
      char buf[1024];
   
      ...
      p = strstr(str, start_token);
      ...
      p += strlen(start_token) + skip;
      ...
      q = strstr(p, end_token);
      
      if (q != NULL && (!no_value_token ||
               (no_value_token && strncmp(p, no_value

      {
         ...
         if (is_link)
         {
            strcat(dest_buffer, "<br><a href=\"");
            memcpy(buf, p, q - p); <---------------------- [11]
            buf[q - p] = '\0';
            ...
            
   Here it is obvious that if q - p is bigger than 1024 bytes
   memcpy() will overwrite the stack, which results in a
   standard stack overflow. At the moment this routine is
   called from within the get_user_info functions of the MSN
   and YMSG protocol handlers.


   [12 - HTTP Proxy Connect Overflow]
   
   When Gaim is set up to use an HTTP proxy for connecting to the
   server, a malicious HTTP proxy can exploit it.
   
   Affected version: <= 0.75
   File:             gaim/src/proxy.c
   Function:         http_canread()
   Code:
   
      static void
      http_canread(gpointer data, gint source, GaimInputCondit...
      {
         int nlc = 0;
         int pos = 0;
         int minor, major, status, error=0;
         struct PHB *phb = data;
         char inputline[8192], *p;
   
         gaim_input_remove(phb->inpa);
   
         while ((nlc != 2) && 
                (read(source, &inputline[pos++], 1) == 1)) {
            if (inputline[pos - 1] == '\n')
               nlc++;
            else if (inputline[pos - 1] != '\r')
                    nlc = 0;
        }
        inputline[pos] = '\0';
        ...
    
   Here the author never considered the possibility that a
   proxy server could be malicious. The input line is read into
   the 8192 byte buffer byte by byte until a double \r\n is
   found. Because there is no size check at all the buffer will
   overflow as soon as the proxy sends more than 8192 bytes in a
   line. This bug is exploitable even if stack overwrite
   protections are in place because it is possible to overwrite
   the pointer phb, which points to a struct that contains a
   callback function which is later called in the function.
   By overwriting the pointer and so controlling the callback
   function pointer it is possible to gain control over the
   instruction pointer before the function is left.
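   A bounded version of the same read loop, added here as an example
   (not Gaim's code): it keeps the nlc terminator logic but refuses to
   store more than the buffer holds. feed_reply() is a hypothetical
   helper that pushes a constructed proxy reply through a pipe so the
   reader can be exercised offline.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/*
 * Read a proxy reply one byte at a time into buf until an empty line
 * (two '\n' with only '\r' between them) ends the headers, as
 * http_canread() does, but never beyond buf_size - 1 bytes.  Returns the
 * number of bytes stored, or -1 when the headers do not fit: a proxy that
 * sends that much is treated as hostile instead of overrunning the buffer.
 * On EOF before the blank line the partial headers are returned as-is.
 */
long read_headers_bounded(int fd, char *buf, size_t buf_size)
{
    size_t pos = 0;
    int nlc = 0;
    if (buf_size == 0)
        return -1;
    while (nlc != 2) {
        if (pos >= buf_size - 1)            /* keep one byte for the NUL */
            return -1;
        if (read(fd, &buf[pos], 1) != 1)    /* EOF or error */
            break;
        if (buf[pos] == '\n')
            nlc++;
        else if (buf[pos] != '\r')
            nlc = 0;
        pos++;
    }
    buf[pos] = '\0';
    return (long)pos;
}

/* Offline harness (hypothetical helper): push a constructed reply through
   a pipe and read it back with read_headers_bounded(). */
long feed_reply(const char *reply, size_t reply_len, char *buf, size_t buf_size)
{
    int fds[2], ok;
    long n = -1;

    if (pipe(fds) != 0)
        return -1;
    ok = write(fds[1], reply, reply_len) == (ssize_t)reply_len;
    close(fds[1]);                          /* reader sees EOF after the reply */
    if (ok)
        n = read_headers_bounded(fds[0], buf, buf_size);
    close(fds[0]);
    return n;
}
```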


Proof of Concept:

   e-matters is not going to release exploits for any of these
   vulnerabilities to the public.
  

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) 
   has assigned the following names to these issues. 
   
   CAN-2004-0005: version 0.75 only, buffer overflows:

      [01 - Yahoo Octal-Encoding Decoder Overflow]
      [02 - Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow]
      [08 - Quoted Printable Decoder Overflow]
      [09 - Quoted Printable Decoder Out-Of-Bounds Overflow]

   CAN-2004-0006: 0.75 and earlier, buffer overflows:

      [03 - Yahoo Web Cookie Parser Overflow]
      [04 - Yahoo Login Page Name Parser Overflow]
      [05 - Yahoo Login Page Value Parser Overflow]
      [06 - Yahoo Packet Parser Overflow]
      [10 - URL Parser Function Overflow]
      [12 - HTTP Proxy Connect Overflow]

   CAN-2004-0007: 0.74 and earlier, buffer overflows:

      [11 - Extract Info Field Function Overflow]

   CAN-2004-0008: 0.74 and earlier, integer overflow:

      [07 - AIM/Oscar DirectIM Integer Overflow]


Disclosure Timeline:

   04. January 2004 - The Oscar file transfer bug was sent to the 
                      Gaim vendor by email. Within an hour the bug
                      was fixed within the CVS
   10. January 2004 - Gaim vendor released version 0.75 because of
                      a Yahoo protocol change problem(?)
                      Some freetime allowed deeper analysis of the
                      new version. This revealed more bugs: 1 fixed
                      in 0.75, some new in 0.75 and some old which 
                      are still in 0.75. All these bugs were again
                      mailed to the vendor
   15. January 2004 - Vendor was contacted with a patch because
                      they had not fixed the bugs yet. Our Patch 
                      was applied in the same night
   16. January 2004 - Vendor-sec was contacted to coordinate the 
                      disclosure process. Vendor was asked by email
                      when 0.76 is about to come out and that this
                      should be as soon as possible because the
                      bugfixes were visible in their CVS with
                      explicit commit messages. No response to this
                      mail until today
   23. January 2004 - Vendor was notified about public disclosure
                      at the 26th.
   25. January 2004 - Notification by the vendor that gaim 0.76 
                      release date is not planned yet.
   26. January 2004 - Public Disclosure


Recommendation:

   Because there is no official new version out yet, you can download
   a diff against version 0.75 from
   
   http://security.e-matters.de/patches/gaim-0.75-fix.diff
   
   This patch was done by the FreeBSD security team. It is different
   from the official patches in the Gaim CVS. We suggest that you
   upgrade as soon as possible, because the explicit commit message
   into the official CVS tree seems to have leaked. At least it was
   reported to us that a link to the message on the sourceforge 
   WebCVS was pasted into an IRC channel.
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6


Copyright 2004 Stefan Esser. All rights reserved.




-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@e-matters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------
    

- Vulnerability Information

3733
Gaim Extract Info Field Function Buffer Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability Description

A remote overflow exists in Gaim. The Extract Info Field Function combines data from two tokens into a fixed-length stack buffer without properly checking the size of the resulting string, resulting in a buffer overflow. With a specially crafted set of data, an attacker can overflow the buffer and possibly execute arbitrary code on the system, resulting in a loss of integrity.

- Timeline

2004-01-27 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.76 or higher, as it has been reported to fix this vulnerability. The FreeBSD security team has released an unofficial patch which also corrects this vulnerability.

- Related References

- Vulnerability Author

 

 
