Gaim Vulnerability
Title | Groupware message receive integer overflow |
Date | 26 August 2004 |
CVE Name | CAN-2004-0754 |
Discovered By | Sean ("infamous42md") |
Summary | Carefully crafted messages could cause a buffer overflow. |
Description | An integer overflow in a memory-allocation size computation leads to a heap overflow. The server supplies a size field; when that field is ~0 (0xffffffff), adding 1 to it wraps the size to 0 before it is passed to g_alloc(). A malloc(0) call still returns a usable chunk (16 bytes on IA-32), and the subsequent nm_read_all() call then writes the message body past the end of that chunk. Cases like this are usually poor for exploitation, because the length (~0) is so large that a following memcpy() or strcpy() runs into unmapped memory or kernel address space and faults. Here, however, the data is read from the network with read(), so the attacker can simply stop sending and close the connection, and the read loop terminates long before ~0 bytes have been copied. Note that this is triggered by input from the server, not directly from another client: someone running a malicious groupware server could leverage this to run arbitrary code on the client. |
Fixed in Version | 0.82 |
Fix | Bounds checking was added. |
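The following is an added example (not Gaim's code and not the fix shipped in 0.82) that models the allocation and read sequence described above against an in-memory stand-in for the server connection. The wire layout (4-byte big-endian length, then the field bytes), the fake_conn type, NM_MAX_FIELD and all function names are assumptions for illustration. The vulnerable path is modelled without performing the out-of-bounds write: it returns the wrapped allocation size and the number of attacker-controlled bytes the read loop copies before the "server" closes the connection. The hardened path shows the kind of bounds check that closes the hole.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory stand-in for the server socket: the real client reads
 * from a TCP connection with read(); here the "server" is a constructed byte string. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} fake_conn;

/* read()-like: copies up to `want` bytes, returns 0 once the server has "closed". */
static size_t fake_read(fake_conn *c, unsigned char *buf, size_t want) {
    size_t avail = c->len - c->pos;
    size_t n = want < avail ? want : avail;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return n;
}

/* Assumed wire layout for the example: 4-byte big-endian length, then the field bytes. */
static int read_uint32(fake_conn *c, uint32_t *out) {
    unsigned char b[4];
    if (fake_read(c, b, 4) != 4) return -1;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    return 0;
}

/* Vulnerable sequence, modelled without the out-of-bounds write: size + 1 wraps
 * to 0 for size == 0xffffffff (so the heap chunk is the allocator's minimum), and
 * the nm_read_all-style loop copies whatever the server sends until it closes. */
static int vuln_model(fake_conn *c, uint32_t *alloc_len, uint32_t *copied) {
    uint32_t size, total = 0;
    unsigned char scratch[64];
    if (read_uint32(c, &size) < 0) return -1;
    *alloc_len = size + 1;      /* 0xffffffff + 1 == 0: this is the malloc(0) */
    while (total < size) {
        size_t n = fake_read(c, scratch, sizeof scratch);
        if (n == 0) break;      /* connection closed: loop ends long before ~0 bytes */
        total += (uint32_t)n;   /* in the real code these bytes land past the tiny chunk */
    }
    *copied = total;
    return 0;
}

/* Hardened version: reject lengths that would wrap or are implausible, and treat
 * a connection that closes mid-field as a protocol error. NM_MAX_FIELD is an
 * assumed cap for this example, not a value taken from the Gaim fix. */
#define NM_MAX_FIELD 65536u

static int hardened_read_field(fake_conn *c, unsigned char **out, uint32_t *out_len) {
    uint32_t size, total = 0;
    unsigned char *buf;
    if (read_uint32(c, &size) < 0) return -1;
    if (size >= NM_MAX_FIELD) return -2;         /* bounds check: ~0 is rejected here */
    buf = malloc((size_t)size + 1);              /* cannot wrap: size < NM_MAX_FIELD */
    if (!buf) return -1;
    while (total < size) {
        size_t n = fake_read(c, buf + total, size - total);
        if (n == 0) { free(buf); return -3; }    /* short message: never write past size */
        total += (uint32_t)n;
    }
    buf[size] = '\0';
    *out = buf;
    *out_len = size;
    return 0;
}

/* Builds a constructed frame: length field, then payload bytes. */
static size_t build_msg(unsigned char *out, uint32_t len_field, const void *payload, size_t plen) {
    out[0] = (unsigned char)(len_field >> 24);
    out[1] = (unsigned char)(len_field >> 16);
    out[2] = (unsigned char)(len_field >> 8);
    out[3] = (unsigned char)len_field;
    memcpy(out + 4, payload, plen);
    return 4 + plen;
}

/* Malicious frame: length ~0, then 40 bytes of payload, then the server closes. */
static int demo_vuln(uint32_t *alloc_len, uint32_t *copied) {
    unsigned char payload[40], msg[64];
    memset(payload, 'A', sizeof payload);
    fake_conn c = { msg, build_msg(msg, 0xffffffffu, payload, sizeof payload), 0 };
    return vuln_model(&c, alloc_len, copied);
}

/* Runs one frame through the hardened reader; copies the field into `out` on success. */
static int demo_hardened(uint32_t len_field, const char *payload, char *out, size_t outcap) {
    unsigned char msg[128], *field = NULL;
    uint32_t flen = 0;
    fake_conn c = { msg, build_msg(msg, len_field, payload, strlen(payload)), 0 };
    int rc = hardened_read_field(&c, &field, &flen);
    if (rc == 0) {
        snprintf(out, outcap, "%s", (const char *)field);
        free(field);
    }
    return rc;
}

int main(void) {
    uint32_t a = 1, n = 0;
    char out[32];
    demo_vuln(&a, &n);
    printf("vulnerable: allocation size %u, bytes the server controls %u\n", a, n);
    printf("hardened, evil length: status %d\n", demo_hardened(0xffffffffu, "AAAA", out, sizeof out));
    printf("hardened, benign: status %d, field \"%s\"\n", demo_hardened(5, "hello", out, sizeof out), out);
    return 0;
}
```

The two details a reviewer should take from this are that the check must happen on the length field before any arithmetic is done with it (`size + 1` is already wrapped by the time malloc sees it), and that a read loop driven by a peer-supplied length must treat an early close as an error rather than silently returning a partially filled buffer.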