Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.

Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory :

While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.

The 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.

In combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.

Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows :

  - CAN-2004-0005     When the Yahoo Messenger handler decodes an octal value     for email notification functions two different kinds of     overflows can be triggered. When the MIME decoder     decoded a quoted printable encoded string for email     notification two other different kinds of overflows can     be triggered. These problems only affect the version in     the unstable distribution.

  - CAN-2004-0006

    When parsing the cookies within the HTTP reply header of     a Yahoo web connection a buffer overflow can happen.
    When parsing the Yahoo Login Webpage the YMSG protocol     overflows stack buffers if the web page returns     oversized values. When splitting a URL into its parts a     stack overflow can be caused. These problems only affect     the version in the unstable distribution.

  When an oversized keyname is read from a Yahoo Messenger packet a   stack overflow can be triggered. When Gaim is setup to use an HTTP   proxy for connecting to the server a malicious HTTP proxy can   exploit it. These problems affect all versions Debian ships.
  However, the connection to Yahoo doesn't work in the version in   Debian stable.

  - CAN-2004-0007

    Internally data is copied between two tokens into a     fixed size stack buffer without a size check. This only     affects the version of gaim in the unstable     distribution.

  - CAN-2004-0008

    When allocating memory for AIM/Oscar DirectIM packets an     integer overflow can happen, resulting in a heap     overflow. This only affects the version of gaim in the     unstable distribution.

The remote host seems to be running either Gaim, a popular open-source multi-protocol instant messenger, either Ultramagnetic, a clone of Gaim that includes encryption features. It is reported that the version of the running software is prone to 12 security problems including buffer and stack overflows. These vulnerabilities may permit an attacker to execute arbitrary code on the remote host.

A number of vulnerabilities were discovered in the gaim instant messenger program by Steffan Esser, versions 0.75 and earlier. Thanks to Jacques A. Vidrine for providing initial patches.

Multiple buffer overflows exist in gaim 0.75 and earlier: When parsing cookies in a Yahoo web connection; YMSG protocol overflows parsing the Yahoo login webpage; a YMSG packet overflow; flaws in the URL parser;
and flaws in the HTTP Proxy connect (CAN-2004-006).

A buffer overflow in gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers (CAN-2004-007).

An integer overflow in gaim 0.74 and earlier, when allocating memory for a directIM packet results in a heap overflow (CVE-2004-0008).

Update :

The patch used to correct the problem was slightly malformed and could cause an infinite loop and crash with the Yahoo protocol. The new packages have a corrected patch that resolves the problem.

Updated Gaim packages that fix a pair of security vulnerabilities are now available.

Gaim is an instant messenger client that can handle multiple protocols.

Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Many of these bugs do not affect the version of Gaim distributed with version 2.1 of Red Hat Enterprise Linux.

A buffer overflow exists in the HTTP Proxy connect code. If Gaim is configured to use an HTTP proxy for connecting to a server, a malicious HTTP proxy could run arbitrary code as the user running Gaim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0006 to this issue.

An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet for AIM/Oscar, results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0008 to this issue.

Users of Gaim should upgrade to these erratum packages, which contain a backported security patch correcting this issue.

Red Hat would like to thank Steffan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches.

Updated Gaim packages that fix a number of serious vulnerabilities are now available.

Gaim is an instant messenger client that can handle multiple protocols.

Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. However at least one of the buffer overflows could be exploited by an attacker sending a carefully-constructed malicious message through a server.

The issues include :

Multiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0006 to these issues.

A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0007 to this issue.

An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0008 to this issue.

All users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues.

Red Hat would like to thank Steffan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches.

ID	Name	Product	Family	Severity
37025	FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
15271	Debian DSA-434-1 : gaim - several vulnerabilities	Nessus	Debian Local Security Checks	high
2161	Gaim / Ultramagnetic Multiple Security Vulnerabilities	Nessus Network Monitor	Internet Messengers	medium
14106	Mandrake Linux Security Advisory : gaim (MDKSA-2004:006-1)	Nessus	Mandriva Local Security Checks	high
12459	RHEL 2.1 : gaim (RHSA-2004:045)	Nessus	Red Hat Local Security Checks	high
12455	RHEL 3 : gaim (RHSA-2004:033)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2004-0006

critical

Tenable Plugins

high

high

medium

high

high

high