### DESCRIPTION
An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.
### CVSSv3 SCORE
8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
### TESTED VERSIONS
Pidgin 2.10.11
### PRODUCT URLs
https://www.pidgin.im/
### DETAILS
The function `multimx_message_received`, defined in mxit/multimx.c, is called when a message is received from a MultiMX room. The message is parsed to determine whether it comes from a particular user (in which case it contains a nickname) or from the system.
If the received message starts with a `<`, a nickname is embedded and the code searches for the corresponding `>`. The code that handles this is at lines 358-374:
```c
354 if (msg[0] == '<') {
        /* Message contains embedded nickname - must be from contact */
        unsigned int i;
        for (i = 1; i < strlen(msg); i++) {
            /* search for end of nickname */
            if (msg[i] == '>') {
                msg[i] = '\0';
                g_free(mx->from);
                mx->from = g_strdup(&msg[1]);
367             msg = &msg[i+2];        /* skip '>' and newline */
                break;
            }
        }
        /* now do markup processing on the message */
        mx->chatid = multimx->chatid;
374     mxit_parse_markup(mx, msg, strlen(msg), msgtype, msgflags);
```
If a message consists only of a nickname followed by the terminating NUL byte (that is, `>` is the last character), then `msg = &msg[i+2]` at line 367 skips past the terminator and leaves `msg` pointing outside the string.
This out-of-bounds string is then processed for markup at line 374. The `mxit_parse_markup` function offers several ways to exploit this out-of-bounds access. If the out-of-bounds data contains user-controlled values, the attacker can steer the markup parser down a number of paths. These include an information leak: a markup directive to download an emoticon string, or a command to download an image (`MXIT_CMD_IMAGE`), either of which sends data from the string back to the server via a URL request.
Another avenue of attack is an out-of-bounds write, which could potentially lead to code execution. The string being parsed is written to at multiple locations, including line 578 of mxit/formcmds.c:
```c
    start = message + 2;
    end = strstr(start, ":");
    if (end) {
        /* end of a command found */
578     *end = '\0';        /* terminate command string */
```
and line 864 of mxit/markup.c:
```c
    ch = strstr( &message[i + 1], "$" );
    if ( ch ) {
        /* end found */
864     *ch = '\0';
```
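The unsafe pointer arithmetic at line 367, with a bounds-checked version beside it, as an added example that is not Pidgin's code. `split_nick_safely` and `vulnerable_body_offset` are hypothetical helpers written for this advisory; the input strings are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Pidgin code): parse "<nick>\nbody" the way the
 * loop above does, but refuse to step past the terminator. On success,
 * *nick_out receives a malloc'd copy of the nickname and the return value
 * points at the message body inside msg. Returns NULL when no nickname is
 * embedded, when it is unterminated, or when nothing follows the '>',
 * which is exactly the case that lets `msg = &msg[i+2]` run off the end. */
const char *split_nick_safely(char *msg, size_t len, char **nick_out)
{
    *nick_out = NULL;
    if (len == 0 || msg[0] != '<')
        return NULL;
    for (size_t i = 1; i < len; i++) {
        if (msg[i] != '>')
            continue;
        /* The original skip is i+2 ('>' plus newline). &msg[i+2] is inside
         * the buffer (at worst on the NUL) only if i + 2 <= len. */
        if (i + 2 > len)
            return NULL;                    /* "<nick>" with nothing after */
        size_t nick_len = i - 1;
        *nick_out = malloc(nick_len + 1);
        if (*nick_out == NULL)
            return NULL;
        memcpy(*nick_out, &msg[1], nick_len);
        (*nick_out)[nick_len] = '\0';
        return &msg[i + 2];
    }
    return NULL;                            /* unterminated nickname */
}

/* Index the vulnerable loop would hand to mxit_parse_markup, computed
 * without dereferencing anything so the bug can be reasoned about safely.
 * Returns 0 when the message carries no "<nick>" prefix. */
size_t vulnerable_body_offset(const char *msg)
{
    size_t len = strlen(msg);
    if (len == 0 || msg[0] != '<')
        return 0;
    for (size_t i = 1; i < len; i++)
        if (msg[i] == '>')
            return i + 2;                   /* > len when '>' is last */
    return 0;
}
```

A message of exactly `<alice>` (length 7) yields offset 8 from the vulnerable loop, one byte beyond the NUL terminator, while the checked version rejects it.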
### TIMELINE
* 2016-04-13 - Vendor Notification
* 2016-06-21 - Public Disclosure