[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Buffer overflow in Gaim (remote)

Title: Buffer overflow in Gaim (remote)
Released by: Stan Bubrouski
Date: 9th November 2000
Printable version: Click here
Author:   Stan Bubrouski (stan@ccs.neu.edu)

Date:   November 9, 2000

Package:  Gaim

Versions affected:  0.10.3 (current) and previous 0.10.x versions.

Severity:  A remote user could potentially execute shell code  as the user Gaim is running as.



Problem:There is a buffer overflow in Gaim's parsing of HTML tags when using the OSCAR

protocol which allows shell code to be executed when recieving a message with a large HTML

tag (i.e. ).  The size of the static buffer which is overflowed is about 4100.  Due

to the way AIM's protocols work, exploiting  this is possible but difficult because:

1) All communication aside from file transfers is done anonymously through a server without an

    IP being exchanged between two clients.

2) A special client would have to constructed to login to the AIM servers and send the specially

    crafted message required to exploit this.

3) The TOC protocol is the default protocol used by Gaim and it is not vulnerable  to this overflow.

4) Determining what client a user is using is difficult in most circumstances.

5) With the server between the two clients using one to exploit the other could not result in a

     remote shell because the server is between the two and can't forward the shell, although a

     remote xterm would do the trick.



No known exploits for this currently exist.



Solution:The overflow is fixed in the Gaim CVS tree as of 11/10/2000,  and a patch (provided

by Eric Warmenhoven of the gaim project) is available here for versions 0.10.3 and before.



Latest version of this advisory and patch are available at:

Advisory: http://www.ccs.neu.edu/home/stan/security/gaim/index.html

Patch: http://www.ccs.neu.edu/home/stan/security/gaim/gaimfix.patch



2000 Stan Bubrouski



--

Stan Bubrouski                                       stan@ccs.neu.edu

316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222










(C) 1999-2000 All rights reserved.