From: Mark D. <the...@us...> - 2004-08-26 05:22:55
Update of /cvsroot/gaim/web/htdocs/security In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19329/htdocs/security Added Files: index.php Log Message: These are my web changes. I'm not going to update the site until someone figures out what to do with those crashes --- NEW FILE: index.php --- <?php if (isset($_GET["id"])) { $id = intval($_GET["id"]); // Read in the ID of the vulnerability the user wants to view } $num = 0; $title[$num] = "MSN strncpy buffer overflow"; $date[$num] = "22 August 2004"; $cve[$num] = "CAN-2004-0500"; $summary[$num] = "Possible for a remote MSN user to cause a buffer overflow."; $description[$num] = "In two places in the MSN protocol plugins (object.c and slp.c), strncpy was used incorrectly; the size of the array was not checked before copying to it. Both bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so this could potentially be easy to exploit."; $fix[$num] = "Bounds checking was added in both places."; $fixedversion[$num] = "0.82"; $num++; $title[$num] = "Smiley theme installation lack of escaping"; $date[$num] = "22 August 2004"; $cve[$num] = "CAN-2004-0784"; $summary[$num] = "Dragging a carefully crafted smiley theme filename onto Gaim could cause arbitrary command execution."; $description[$num] = "To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command to untar it. However, it does not escape the filename before sending it to the shell. 
Thus, a specially crafted filename could execute arbitrary commands if the user could be convinced to drag a file into the smiley theme selector."; $fix[$num] = "Filenames are now escaped using g_shell_quote()."; $fixedversion[$num] = "0.82"; $num++; $title[$num] = "Groupware message receive integer overflow"; $date[$num] = "26 August 2004"; $cve[$num] = "CAN-2004-0754"; $summary[$num] = "Carefully crafted messages could cause a buffer overflow."; $description[$num] = "Integer overflow in memory allocation results in heap overflow. By passing the size variable as ~0, integer overflows to 0 when 1 is added in g_alloc(). a malloc(0) call results in 16 bytes of memory being allocated on IA- 32. Then we can overflow the heap when nm_read_all() is called next step. usually cases like this suck for exploitation, because the len (~0) is so large that a following call to memcpy() or strcpy() will just run into kernel mem or unmapped address and fault. however in this case we read the data from the network via a read() call, so we can just stop sending data and close the connection to short out before ~0 bytes are read. however, this is triggered by input from the server, not directly from a client. someone running a malicious groupware server could leverage this to run arbitrary code on the client."; $fix[$num] = "Bounds checking was added."; $fixedversion[$num] = "0.82"; $num++; $title[$num] = "URL decode buffer overflow"; $date[$num] = "26 August 2004"; $cve[$num] = "CAN-2004-0785"; $summary[$num] = "Receiving exceedingly long URLs can cause a buffer overflow."; $description[$num] = "Buffer overflow. The URL is decoded into a static buffer of length 2048 bytes. 
I'm not sure it's possible to receive a URL longer than 2048 bytes, as many protocols have message limits that are shorter than that."; $fix[$num] = "A check to make sure the source string is shorter than 2048 bytes is performed."; $fixedversion[$num] = "0.82"; $num++; $title[$num] = "Local hostname resolution buffer overflow"; $date[$num] = "26 August 2004"; $cve[$num] = "CAN-2004-0785"; $summary[$num] = "Possible buffer overflow when resolving the hostname of the local computer."; $description[$num] = "Buffer overflow. If the local computers host name is not in /etc/hosts, and the computer performs a DNS query to obtain it's hostname when signing on to zephyr, it could receive a reply with a hostname greater than MAXHOSTNAMELEN (generally 64 bytes). If gethostbyname() does not ensure the size of hostent->h_name is less than MAXHOSTNAMELEN, this value would be copied to a buffer that is not large enough."; $fix[$num] = "The calls to copy the hostname were replaced with calls that check the length of the destination buffer."; $fixedversion[$num] = "0.82"; $num++; $title[$num] = "RTF message buffer overflow"; $date[$num] = "26 August 2004"; $cve[$num] = "CAN-2004-0785"; $summary[$num] = "Invalid rich text format messages could cause a buffer overflow."; $description[$num] = "Buffer overflow. There are some loops that read into fixed-sized buffers and do not check to make sure they are not writing too much."; $fix[$num] = "Added bounds checking to the two loops."; $fixedversion[$num] = "0.82"; $num++; $title[$num] = "Content-length DOS (malloc error)"; $date[$num] = "26 August 2004"; $cve[$num] = "N/A"; $summary[$num] = "Posibile for a malicious web server to provide a web page with a false content-length value which could crash Gaim."; $description[$num] = "Remote crash. 
When a remote server provides a large \"content-length\" header value, Gaim will attempt to allocate a buffer to store the content, however this allocation attempt will cause Gaim to crash if the length exceeds the amount of possible memory. This happens when reading profile information on some protocols. It also happens when smiley themes are installed via drag and drop."; $fix[$num] = "The call to g_malloc() was replaced with a call to g_try_malloc(). If the memory could not be allocated the function returns instead of causing the application to crash."; $fixedversion[$num] = "0.82"; $num++; ?> <?php require "base.inc.php"; start_html("Security Issues"); if (!isset($id) || !is_int($id) || ($id < 0) || ($id >= $num)) { // vulnerability index start_section("Index of Vulnerabilities"); ?> <p> This is a list of all potential Gaim security vulnerabilities occuring after August 1st, 2004. </p> <table class="dl_table"> <tr> <th class="dl_heading">Title</th> <th class="dl_heading">CVE Name</th> <th class="dl_heading">Date</th> </tr> <?php for ($i = 0; $i < $num; $i++) { print("<tr>"); print("<td class=\"dl_download\"><a href=\"?id=$i\">$title[$i]</a></td>"); print("<td class=\"dl_download\">$cve[$i]</td>"); print("<td class=\"dl_download\">$date[$i]</td>"); print("</tr>"); } print("</table>"); end_section(); // End vulnerability index } else { // individual vulnerability start_section("Gaim Vulnerability"); print("<table cellpadding=\"2\">"); print("<tr><th align=\"right\" valign=\"top\">Title</th><td>$title[$id]</td></tr>"); print("<tr><th align=\"right\" valign=\"top\">Date</th><td>$date[$id]</td></tr>"); print("<tr><th align=\"right\" valign=\"top\">CVE Name</th><td>$cve[$id]</td></tr>"); print("<tr><th align=\"right\" valign=\"top\">Summary</th><td>$summary[$id]</td></tr>"); print("<tr><th align=\"right\" valign=\"top\">Description</th><td>$description[$id]</td></tr>"); print("<tr><th align=\"right\" nowrap=\"true\" valign=\"top\">Fixed in 
Version</th><td>$fixedversion[$id]</td></tr>"); print("<tr><th align=\"right\" valign=\"top\">Fix</th><td>$fix[$id]</td></tr>"); print("</table>"); print("<p><a href=\"index.php\">Return to Index of Vulnerabilities</a></p>"); end_section(); // End individual vulnerability } end_html(); ?> |
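Review bot: Non-numeric ids are silently mapped to the first advisory rather than to the index, because `intval($_GET["id"])` at the top of index.php returns 0 for input such as `?id=abc`, and the later `($id < 0) || ($id >= $num)` guard then accepts that 0; validating the raw value before converting it, `if (isset($_GET["id"]) && ctype_digit($_GET["id"])) { $id = intval($_GET["id"]); }`, keeps garbage on the index page while leaving the existing range check as the bounds guard. The `!is_int($id)` test in that same condition can only fail when `$id` arrives by some path other than this assignment (register_globals, presumably), so a comment stating that intent, `// $id may also be set by register_globals; accept only an int`, would keep the next reader from removing it as redundant. Two user-visible strings carry typos, `Posibile` in the content-length summary and `occuring` in the index paragraph. The seven advisories are kept in parallel arrays (`$title`, `$date`, `$cve`, …) indexed by `$num`; one array of per-advisory records would make it harder for a title and its CVE name to drift out of step when entries are added.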