Debian Bug report logs - #487222
tmsnc: CVE-2008-2828 remote buffer overflow in UBX parsing


Package: tmsnc; Maintainer for tmsnc is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 20 Jun 2008 10:54:04 UTC

Severity: grave

Tags: patch, security

Fixed in version tmsnc/0.3.2-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Miriam Ruiz <little_miry@yahoo.es>:
Bug#487222; Package tmsnc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Miriam Ruiz <little_miry@yahoo.es>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tmsnc: remote stack based buffer overflow in UBX parsing code
Date: Fri, 20 Jun 2008 12:51:52 +0200
Package: tmsnc
Severity: grave
Tags: security
Justification: user security hole

Hi,
quoting http://msnpiki.msnfanatic.com/index.php/Command:UBX:
"UBX is the sister command to UUX. UUX is used to set your personal
message, UBX is sent by the server to all principles to inform them of
the change (where B means Buddy). The format is similar to UUX; they are
payload commands where the first parameter is the passport address of
the contact who has just changed their personal message or currently
playing song, and the second parameter is the length of the payload.

Syntax:
 >>> UBX passport@hotmail.com xxx\r\n
 <Data><PSM>My Personal Message</PSM><CurrentMedia></CurrentMedia></Data>

as far as I can see this is sent by the original msn client but clients
like pidgin and tmsnc do not support sending this information but
receiving it.

Let's have a look at the code for parsing such a message in tmsnc...
From core_net.c:
    727 int
    728 MSN_server_handle(session, message, message_len)
    729      MSN_session *session;
    730      char *message;
    731      int message_len;
    732 {
    733     time_t tm;
    734     char buf[512], md_hex[48];
    ...
    748     while (getline(buf, sizeof(buf) - 1, session->sd) > 0) {
    ...
    833         } else if (strncmp(buf, "UBX", 3) == 0) {
    834             /*
    835              * we read the payload of this command
    836              */
    837             /*
    838              * but do not do anything with it
    839              */
    840             if ((ptr[1] = (char *)split(buf, ' ', 1)) == NULL ||        //by gfhuang
    841                 (ptr[0] = (char *)split(buf, ' ', 2)) == NULL) {
    842                 strncpy(message, "Couldn't parse UBX", message_len - 1);
    843                 return -1;
    844             }
    845             i = atoi(ptr[0]);
    846             free(ptr[0]);
    847
    848             if (read(session->sd, buf, i) != i) {
    849                 strncpy(message, "Couldn't read UBX payload",
    850                         message_len - 1);
    851                 return -1;
    852             }
    853             // parsing PSM, by gfhuang
    854             if(0 == i) buf[0] = 0;      //important, by gfhuang, when i=0, buf is untouched!

In line 734 the message buffer is declared to store 512 bytes of data.
Line 748 reads a command line coming from a buddy contact.
Line 833 and the following are used if the message buffer contains a UBX message like:
UBX passport@hotmail.com xxx\r\n where xxx is the length of the UBX payload.

Here is the actual bug. If the first 3 bytes of the buffer match UBX and the string
contains two spaces which are passed to ptr[1] and ptr[0], this is a valid UBX message.

The split function comes from core_misc.c and does basically the same as the strchr
function, returning a pointer to the first occurrence of the string passed as second parameter.
So after the call in line 841 ptr[0] will point to the message length.
This value is then converted to an integer using atoi in line 845 and passed to read in line 848.
This will then read the UBX payload from the MSN "packet" through the session socket.

So if the UBX payload length is declared to be more than sizeof(buffer) or the payload is longer
than sizeof(buffer) this results in a stack-based buffer overflow and possibly in arbitrary code
execution.

The code also uses atoi quite a lot without checking for negative values resulting in integer
conversion issues but I guess that those values are correct is ensured by the MSN server itself.

This looks related to #487046.
I already contacted the upstream author because of this.

Kind regards
Nico
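The report above shows the unchecked path: the length field is converted with atoi and handed straight to read() on a 512-byte stack buffer. The following is an added example, not tmsnc's code or the attached patch, of how a defender would bound that length before reading the payload. All names (parse_ubx_length, read_ubx_payload, ubx_length_or_minus1, ubx_pipe_demo) are hypothetical, and the payload in ubx_pipe_demo is a constructed sample fed through a pipe so the code runs without a network connection.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the length field of a "UBX <passport> <len>\r\n" command line.
 * Stores the length in *out_len and returns 0 only if the field is a
 * well-formed non-negative integer that fits in a buffer of bufsize bytes
 * together with a terminating NUL; returns -1 otherwise.  Unlike atoi(),
 * this rejects negative values, trailing junk and out-of-range numbers. */
int parse_ubx_length(const char *line, size_t bufsize, size_t *out_len)
{
    if (line == NULL || out_len == NULL || bufsize == 0)
        return -1;
    if (strncmp(line, "UBX ", 4) != 0)
        return -1;

    const char *passport = line + 4;
    const char *sp = strchr(passport, ' ');
    if (sp == NULL || sp == passport)
        return -1;                  /* missing or empty passport field */

    const char *lenfield = sp + 1;
    if (*lenfield < '0' || *lenfield > '9')
        return -1;                  /* rejects "-5", "+5", "" and whitespace */

    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(lenfield, &end, 10);
    if (errno == ERANGE || end == lenfield)
        return -1;
    /* Only a line terminator (or end of string) may follow the number. */
    if (!(*end == '\0' || strcmp(end, "\r\n") == 0 || strcmp(end, "\n") == 0))
        return -1;
    if (v > bufsize - 1)
        return -1;                  /* would not fit with a NUL terminator */

    *out_len = (size_t)v;
    return 0;
}

/* Read exactly the declared payload length from fd into buf (bufsize bytes).
 * Loops on short reads, which a single read() call does not handle.
 * Returns 0 on success, -1 on a malformed length or I/O failure. */
int read_ubx_payload(int fd, const char *line, char *buf, size_t bufsize)
{
    size_t len = 0;
    if (parse_ubx_length(line, bufsize, &len) != 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            return -1;              /* peer closed before the payload arrived */
        got += (size_t)n;
    }
    buf[len] = '\0';                /* well-defined even when len == 0 */
    return 0;
}

/* Convenience wrapper: the accepted length, or -1 when the line is rejected. */
long ubx_length_or_minus1(const char *line, size_t bufsize)
{
    size_t len = 0;
    return parse_ubx_length(line, bufsize, &len) == 0 ? (long)len : -1;
}

/* Self-contained demonstration over a pipe with a constructed payload.
 * Returns 1 if the payload was read back intact, 0 otherwise. */
int ubx_pipe_demo(void)
{
    const char *payload = "<Data><PSM>hi</PSM><CurrentMedia></CurrentMedia></Data>";
    char line[64], buf[512];
    int fds[2];
    if (pipe(fds) != 0)
        return 0;
    snprintf(line, sizeof line, "UBX test@example.com %zu\r\n", strlen(payload));
    if (write(fds[1], payload, strlen(payload)) != (ssize_t)strlen(payload))
        return 0;
    close(fds[1]);
    int rc = read_ubx_payload(fds[0], line, buf, sizeof buf);
    close(fds[0]);
    return rc == 0 && strcmp(buf, payload) == 0;
}

int main(void)
{
    printf("512 bytes declared into 512-byte buffer: %ld\n",
           ubx_length_or_minus1("UBX a@b.c 512\r\n", 512));   /* -1 */
    printf("pipe demo ok: %d\n", ubx_pipe_demo());
    return 0;
}
```

The check that matters is v > bufsize - 1: the original code compares nothing, so a declared length of 513 or more (or a negative value that atoi happily returns and read() reinterprets as a huge size_t) walks past buf. The same parser also closes the i == 0 corner case the tmsnc comment works around by hand, because the NUL is written unconditionally after the loop.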




Information forwarded to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#487222; Package tmsnc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>. Full text and rfc822 format available.

Message #10 received at 487222@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 487222@bugs.debian.org, 487046@bugs.debian.org
Subject: patch
Date: Fri, 20 Jun 2008 18:37:27 +0200
[Message part 1 (text/plain, inline)]
tags 487046 + patch
tags 487222 + patch
thanks

Hi,
the attached patch should fix this issue.
The submitter of #487046 told me in a PM that this patch 
also fixes the segfault for him.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[core_net.c.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 20 Jun 2008 16:42:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#487222; Package tmsnc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>. Full text and rfc822 format available.

Message #17 received at 487222@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 487222@bugs.debian.org, 487046@bugs.debian.org
Subject: intent to NMU
Date: Mon, 23 Jun 2008 19:53:42 +0200
[Message part 1 (text/plain, inline)]
Hi,
I intend to NMU this bug with the permission of Miriam 
because her hardware is currently broken.

debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/tmsnc-0.3.2-1_0.3.2-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[tmsnc-0.3.2-1_0.3.2-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 487222-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 487222-close@bugs.debian.org
Subject: Bug#487222: fixed in tmsnc 0.3.2-1.1
Date: Mon, 23 Jun 2008 18:17:07 +0000
Source: tmsnc
Source-Version: 0.3.2-1.1

We believe that the bug you reported is fixed in the latest version of
tmsnc, which is due to be installed in the Debian FTP archive:

tmsnc_0.3.2-1.1.diff.gz
  to pool/main/t/tmsnc/tmsnc_0.3.2-1.1.diff.gz
tmsnc_0.3.2-1.1.dsc
  to pool/main/t/tmsnc/tmsnc_0.3.2-1.1.dsc
tmsnc_0.3.2-1.1_amd64.deb
  to pool/main/t/tmsnc/tmsnc_0.3.2-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 487222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated tmsnc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 23 Jun 2008 19:24:31 +0200
Source: tmsnc
Binary: tmsnc
Architecture: source amd64
Version: 0.3.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Miriam Ruiz <little_miry@yahoo.es>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 tmsnc      - textbased (console) MSN client
Closes: 487046 487222
Changes: 
 tmsnc (0.3.2-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix stack-based buffer overflow in UBX handling
     (No CVE id yet; Closes: #487222, #487046).
Checksums-Sha1: 
 751ee4435057045d81cd7e2b353bd313ebfe5dc9 978 tmsnc_0.3.2-1.1.dsc
 8c9952a310edfac8da42dc532dfd7d9f3daa653a 3658 tmsnc_0.3.2-1.1.diff.gz
 41fef53746fd2818e5963a745d4aa18bc32626e1 52512 tmsnc_0.3.2-1.1_amd64.deb
Checksums-Sha256: 
 22f115348d24b9db74300a86bb91c02b83e77f33d98b27a91a0dd85babca9322 978 tmsnc_0.3.2-1.1.dsc
 e986e499e0f9064a5a5d78ad4335311bce838e8b5c139d388dee9031a30ae97a 3658 tmsnc_0.3.2-1.1.diff.gz
 7644a1792707d746928849bea10578f86cda89edaafa97276b5a75e0cfc9ce05 52512 tmsnc_0.3.2-1.1_amd64.deb
Files: 
 9b769d90fa4a1359d06a2e5a857dfc67 978 net optional tmsnc_0.3.2-1.1.dsc
 91181fec20ccfe0f1c4aeb94b56835fd 3658 net optional tmsnc_0.3.2-1.1.diff.gz
 fc1ceccbe6446632f48009f31ae61133 52512 net optional tmsnc_0.3.2-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhf5BYACgkQHYflSXNkfP8DTwCfTfzUS/g3jy1QhkypNr8jL28Y
Py4AoIwf2rLMWkhPwUSW/xJeKIRqZ+z3
=1qAj
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#487222; Package tmsnc. Full text and rfc822 format available.

Acknowledgement sent to little_miry@yahoo.es:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>. Full text and rfc822 format available.

Message #27 received at 487222@bugs.debian.org (full text, mbox):

From: Miriam Ruiz <little_miry@yahoo.es>
To: 487222@bugs.debian.org, 487046@bugs.debian.org
Subject: Re: Bug#487222: intent to NMU
Date: Mon, 23 Jun 2008 18:53:44 +0000 (GMT)
--- On Mon, 23/6/08, Nico Golde <nion@debian.org> wrote:

> I intend to NMU this bug with the permission of Miriam 
> because her hardware is currently broken.

Thanks Nico!! :)

Greetings,
Miry







Changed Bug title to `tmsnc: CVE-2008-2828 remote buffer overflow in UBX parsing#' from `tmsnc: remote stack based buffer overflow in UBX parsing code'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2008 19:21:08 GMT) Full text and rfc822 format available.

Changed Bug title to `tmsnc: CVE-2008-2828 remote buffer overflow in UBX parsing' from `tmsnc: CVE-2008-2828 remote buffer overflow in UBX parsing#'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2008 19:21:09 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Feb 2009 07:27:46 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:16:06 2014; Machine Name: beach.debian.org
