Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call.

Sebastian Krahmer discovered several remotely exploitable buffer overflow vulnerabilities in the MSN component of gaim.

In two places in the MSN protocol plugins (object.c and slp.c), strncpy was used incorrectly; the size of the array was not checked before copying to it. Both bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so this could potentially be easy to exploit.

An updated gaim package that fixes several security issues is now available.

Gaim is an instant messenger client that can handle multiple protocols.

Buffer overflow bugs were found in the Gaim MSN protocol handler. In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0500 to this issue.

Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser. It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0785 to this issue.

A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0784 to this issue.

An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victims machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0754 to this issue.

Users of Gaim are advised to upgrade to this updated package which contains Gaim version 0.82 and is not vulnerable to these issues.

The remote host is affected by the vulnerability described in GLSA-200408-27 (Gaim: New vulnerabilities)

    Gaim fails to do proper bounds checking when:
    Handling MSN messages (partially fixed with GLSA 200408-12).
    Handling rich text format messages.
    Resolving local hostname.
    Receiving long URLs.
    Handling groupware messages.
    Allocating memory for webpages with fake content-length     header.
    Furthermore Gaim fails to escape filenames when using drag and drop     installation of smiley themes.
  Impact :

    These vulnerabilities could allow an attacker to crash Gaim or execute     arbitrary code or commands with the permissions of the user running     Gaim.
  Workaround :

    There is no known workaround at this time. All users are encouraged to     upgrade to the latest available version of Gaim.

The remote host is affected by the vulnerability described in GLSA-200408-12 (Gaim: MSN protocol parsing function buffer overflow)

    Sebastian Krahmer of the SuSE Security Team has discovered a remotely     exploitable buffer overflow vulnerability in the code handling MSN     protocol parsing.
  Impact :

    By sending a carefully-crafted message, an attacker may execute     arbitrary code with the permissions of the user running Gaim.
  Workaround :

    There is no known workaround at this time. All users are encouraged to     upgrade to the latest available version of Gaim.

The remote host appears to be running Gaim, a popular open-source multi-protocol instant messenger. It is reported that this version of Gaim is prone to several buffer overflows in the MSN protocol implementation. This vulnerability may permit an attacker to execute arbitrary code on the remote computer.

0.82 update contains many bug and security improvements.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Sebastian Krahmer discovered two remotely exploitable buffer overflow vulnerabilities in the gaim instant messenger. The updated packages are patched to correct the problems.

The remote host is missing the patch for the advisory SUSE-SA:2004:025 (gaim).


Gaim is an instant messaging client which supports a wide range of protocols.

Sebastian Krahmer of the SuSE Security Team discovered various remotely exploitable buffer overflows in the MSN-protocol parsing functions during a code review of the MSN protocol handling code.

Remote attackers can execute arbitrary code as the user running the gaim client.

The vulnerable code exists in SUSE Linux 9.1 only.

ID	Name	Product	Family	Severity
36550	FreeBSD : gaim remotely exploitable vulnerabilities in MSN component (5b8f9a02-ec93-11d8-b913-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	high
14696	RHEL 3 : gaim (RHSA-2004:400)	Nessus	Red Hat Local Security Checks	high
14583	GLSA-200408-27 : Gaim: New vulnerabilities	Nessus	Gentoo Local Security Checks	high
14568	GLSA-200408-12 : Gaim: MSN protocol parsing function buffer overflow	Nessus	Gentoo Local Security Checks	high
2160	Gaim < 0.82 MSN Protocol Buffer Overflow	Nessus Network Monitor	Internet Messengers	medium
14374	Fedora Core 2 : gaim-0.82-0.FC2 (2004-279)	Nessus	Fedora Local Security Checks	high
14373	Fedora Core 1 : gaim-0.82-0.FC1 (2004-278)	Nessus	Fedora Local Security Checks	high
14330	Mandrake Linux Security Advisory : gaim (MDKSA-2004:081)	Nessus	Mandriva Local Security Checks	high
14264	SUSE-SA:2004:025: gaim	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2004-0500

critical

Tenable Plugins

high

high

high

high

medium

high

high

high

high