Pidgin MXIT read stage 0x3 Code Execution Vulnerability(CVE-2016-2376)

### DESCRIPTION A buffer overflows vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow. ### CVSSv3 SCORE 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H ### TESTED VERSIONS Pidgin 2.10.11 ### PRODUCT URLs https://www.pidgin.im/ ### DETAILS The function mxitcbrx in the file mxit/protocol.c is a callback function will be called by Pidgin whenever data is sent from the MXIT server. When data is received, the size of the incoming packet will also be received at line 2825. There is a check at line 2826 to ensure that this data is not larger than the maximum size of that an MXIT packet can be which is defined as CPMAXPACKET. ``` 2825 session->rx_res = atoi( &session->rx_lbuf[3] ); 2826 if ( session->rx_res > CP_MAX_PACKET ) { purple_connection_error( session->con, _( "A connection error occurred to MXit. (read stage 0x03)" ) ); } ``` This is also the size of the buffer that the data is read into. However if the size is larger than CPMAXPACKET, an error will be logged but execution will simply continue. Moreover, if the size is negative (this is possible since rx_res is an int) then no error will be logged and execution will also continue. This size will be subsequently used in a read operation at line 2846. ``` 2846 len = read( session->fd, &session->rx_dbuf[session->rx_i], session->rx_res ); ``` ### TIMELINE * 2016-04-13 - Vendor Notification * 2016-06-21 - Public Disclosure