||Home : Advisories : Buffer overflow in Gaim (remote)|
||Buffer overflow in Gaim (remote)
||9th November 2000
Author: Stan Bubrouski (firstname.lastname@example.org)
Date: November 9, 2000
Versions affected: 0.10.3 (current) and previous 0.10.x versions.
Severity: A remote user could potentially execute shell code as the user Gaim is running as.
Problem:There is a buffer overflow in Gaim's parsing of HTML tags when using the OSCAR
protocol which allows shell code to be executed when recieving a message with a large HTML
tag (i.e. ). The size of the static buffer which is overflowed is about 4100. Due
to the way AIM's protocols work, exploiting this is possible but difficult because:
1) All communication aside from file transfers is done anonymously through a server without an
IP being exchanged between two clients.
2) A special client would have to constructed to login to the AIM servers and send the specially
crafted message required to exploit this.
3) The TOC protocol is the default protocol used by Gaim and it is not vulnerable to this overflow.
4) Determining what client a user is using is difficult in most circumstances.
5) With the server between the two clients using one to exploit the other could not result in a
remote shell because the server is between the two and can't forward the shell, although a
remote xterm would do the trick.
No known exploits for this currently exist.
Solution:The overflow is fixed in the Gaim CVS tree as of 11/10/2000, and a patch (provided
by Eric Warmenhoven of the gaim project) is available here for versions 0.10.3 and before.
Latest version of this advisory and patch are available at:
©2000 Stan Bubrouski
Stan Bubrouski email@example.com
316 Huntington Ave. Apt #676, Boston, MA 02115 (617) 377-7222