Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Advisory: Gaim remote vulnerability
From: Stan Bubrouski (stanCCS.NEU.EDU)
Date: Mon Nov 13 2000 - 20:49:23 CST

Author: Stan Bubrouski (stanccs.neu.edu)
Date: November 9, 2000
Package: Gaim
Versions affected: 0.10.3 (current) and previous 0.10.x versions.
Severity: A remote user could potentially execute shell code as the user Gaim is running as.

Problem:There is a buffer overflow in Gaim's parsing of HTML tags when using the OSCAR
protocol which allows shell code to be executed when recieving a message with a large HTML
tag (i.e. <AAAA...AAA>). The size of the static buffer which is overflowed is about 4100. Due
to the way AIM's protocols work, exploiting this is possible but difficult because:
1) All communication aside from file transfers is done anonymously through a server without an
    IP being exchanged between two clients.
2) A special client would have to constructed to login to the AIM servers and send the specially
    crafted message required to exploit this.
3) The TOC protocol is the default protocol used by Gaim and it is not vulnerable to this overflow.
4) Determining what client a user is using is difficult in most circumstances.
5) With the server between the two clients using one to exploit the other could not result in a
     remote shell because the server is between the two and can't forward the shell, although a
     remote xterm would do the trick.

No known exploits for this currently exist.

Solution:The overflow is fixed in the Gaim CVS tree as of 11/10/2000, and a patch (provided
by Eric Warmenhoven of the gaim project) is available here for versions 0.10.3 and before.

Latest version of this advisory and patch are available at:
Advisory: http://www.ccs.neu.edu/home/stan/security/gaim/index.html
Patch: http://www.ccs.neu.edu/home/stan/security/gaim/gaimfix.patch

2000 Stan Bubrouski

Stan Bubrouski                                       stanccs.neu.edu
316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222