Monday, January 27, 2014

VRT-2013-1004 (CVE-2013-6490): Buffer overflow in SIMPLE header parsing

Sourcefire Vulnerability Report VRT-2013-1004 (CVE-2013-6490):Buffer overflow in SIMPLE header parsing

Description

An exploitable remote code execution vulnerability exists in Pidgin's implementation of SIP/SIMPLE message handling. An attacker who can control the Content-Length of a SIP/SIMPLE message can cause an allocation to return NULL which can later be used to write into the lowest page of memory.

Tested Versions

Pidgin 2.10.7

Coverage

Prior coverage through a SIP preprocessor alert, GID 140 SID 16.

Details

 In sipmsg_parse_header() in file pidgin-2.10.7\libpurple\protocols\simple\sipmsg.c at line 114, the length of the message is read from an incoming message into an integer: 

  164           tmp2 = sipmsg_find_header(msg, "Content-Length");
  115           if (tmp2 != NULL)
  116               msg->bodylen = strtol(tmp2, NULL, 10);

 
The above sipmsg_parse_header() is called from process_input() in file pidgin-2.10.7\libpurple\protocols\simple\simple.c at line 1631. If the message specifies a negative bodylen (-1), then restlen will be larger than bodylen, which means the if statement at line 1642 will be entered. The following allocation of bodylen + 1 evaluates to a size of zero:

 1642           if(restlen >= msg->bodylen) {
 1643               dummy = g_malloc(msg->bodylen + 1);
 1644               memcpy(dummy, cur, msg->bodylen);


Unlike libc's memory allocator, gmalloc returns NULL when it is called with a size of zero. As a result of that behavior, this ends up being a a write to the NULL page rather than the typical heap overflow. Writes to the zero page are exploitable if an attacker can cause enough allocations and exhaust enough of the memory address range to make the system map the low page.

No comments:

Post a Comment