Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Miriam Ruiz <little_miry@yahoo.es>: Bug#487222; Package tmsnc.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tmsnc: remote stack based buffer overflow in UBX parsing code
Date: Fri, 20 Jun 2008 12:51:52 +0200
Package: tmsnc
Severity: grave
Tags: security
Justification: user security hole
Hi,
quoting http://msnpiki.msnfanatic.com/index.php/Command:UBX:
"UBX is the sister command to UUX. UUX is used to set your personal
message, UBX is sent by the server to all principals to inform them of
the change (where B means Buddy). The format is similar to UUX; they are
payload commands where the first parameter is the passport address of
the contact who has just changed their personal message or currently
playing song, and the second parameter is the length of the payload.
Syntax:
>>> UBX passport@hotmail.com xxx\r\n
<Data><PSM>My Personal Message</PSM><CurrentMedia></CurrentMedia></Data>"
As far as I can see this is sent by the original MSN client, but clients
like pidgin and tmsnc do not support sending this information, only
receiving it.
Let's have a look at the code for parsing such a message in tmsnc...
From core_net.c:
727 int
728 MSN_server_handle(session, message, message_len)
729 MSN_session *session;
730 char *message;
731 int message_len;
732 {
733 time_t tm;
734 char buf[512], md_hex[48];
...
748 while (getline(buf, sizeof(buf) - 1, session->sd) > 0) {
...
833 } else if (strncmp(buf, "UBX", 3) == 0) {
834 /*
835 * we read the payload of this command
836 */
837 /*
838 * but do not do anything with it
839 */
840 if ((ptr[1] = (char *)split(buf, ' ', 1)) == NULL || //by gfhuang
841 (ptr[0] = (char *)split(buf, ' ', 2)) == NULL) {
842 strncpy(message, "Couldn't parse UBX", message_len - 1);
843 return -1;
844 }
845 i = atoi(ptr[0]);
846 free(ptr[0]);
847
848 if (read(session->sd, buf, i) != i) {
849 strncpy(message, "Couldn't read UBX payload",
850 message_len - 1);
851 return -1;
852 }
853 // parsing PSM, by gfhuang
854 if(0 == i) buf[0] = 0; //important, by gfhuang, when i=0, buf is untouched!
In line 734 the message buffer is declared to store 512 bytes of data.
Line 748 reads a command line coming from a buddy contact.
Line 833 and the following are used if the message buffer contains a UBX message like:
UBX passport@hotmail.com xxx\r\n where xxx is the length of the UBX payload.
Here is the actual bug. If the first 3 bytes of the buffer match UBX and the string
contains two spaces, which are passed to ptr[1] and ptr[0], this is a valid UBX message.
The split function comes from core_misc.c and does basically the same as the strchr
function, returning a pointer to the first occurrence of the string passed as the second parameter.
So after the call in line 841 ptr[0] will point to the message length.
This value is then converted to an integer using atoi in line 845 and passed to read in line 848.
This will then read the UBX payload from the MSN "packet" through the session socket.
So if the UBX payload length is declared to be more than sizeof(buffer) or the payload is longer
than sizeof(buffer), this results in a stack-based buffer overflow and possibly in arbitrary code
execution.
The code also uses atoi quite a lot without checking for negative values, resulting in integer
conversion issues, but I guess the MSN server itself ensures that those values are correct.
This looks related to #487046.
I already contacted the upstream author because of this.
Kind regards
Nico
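The overflow described in the report and the check that closes it, as an added example that is neither tmsnc code nor part of the bug report. The socket is replaced by an in-memory stream (`fake_sock`, `fake_read` and `fake_getline` are stand-ins for `session->sd`, `read()` and tmsnc's `getline`), both UBX messages are constructed inline, and `ubx_declared_length`, `ubx_read_payload`, `handle_ubx`, `build_ubx` and the two `demo_*` functions are names chosen for this example, not functions from core_net.c. The hardened path validates the declared length with strtol() instead of atoi(), refuses any length that does not leave room in the 512-byte buffer before reading a single payload byte, loops on short reads, and NUL-terminates the buffer (which also covers the i == 0 case the original special-cased).

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define UBX_BUF 512   /* same size as buf[512] in MSN_server_handle */

/* Constructed stand-in for session->sd: an in-memory byte stream with a read cursor. */
typedef struct { const char *data; size_t len; size_t pos; } fake_sock;

/* Like read(2) on the fake socket: returns up to n bytes, 0 at end of stream. */
static ssize_t fake_read(fake_sock *s, char *dst, size_t n) {
    size_t left = s->len - s->pos;
    if (n > left) n = left;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Reads one "\r\n"-terminated line into buf (NUL-terminated, ending stripped); -1 if it does not fit. */
static int fake_getline(fake_sock *s, char *buf, size_t bufsize) {
    const char *nl = memchr(s->data + s->pos, '\n', s->len - s->pos);
    if (nl == NULL) return -1;
    size_t n = (size_t)(nl - (s->data + s->pos));
    if (n >= bufsize) return -1;   /* too long: refuse rather than truncate silently */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n + 1;
    if (n > 0 && buf[n - 1] == '\r') n--;
    buf[n] = '\0';
    return (int)n;
}

/* Parses "UBX <passport> <length>" and returns the declared payload length, or -1 if malformed.
   strtol() instead of atoi() lets us reject negative, non-numeric and out-of-range values. */
int ubx_declared_length(const char *line) {
    if (strncmp(line, "UBX ", 4) != 0) return -1;
    const char *sp = strchr(line + 4, ' ');   /* the space after the passport address */
    if (sp == NULL || sp[1] == '\0') return -1;
    char *end;
    errno = 0;
    long v = strtol(sp + 1, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > INT_MAX) return -1;
    return (int)v;
}

/* Hardened replacement for `read(session->sd, buf, i)`: the length is checked against the buffer
   before any byte is read, and the read loops because sockets may return short reads. */
int ubx_read_payload(fake_sock *s, char *buf, size_t bufsize, int declared) {
    if (declared < 0 || (size_t)declared >= bufsize) return -1;   /* the missing bounds check */
    size_t got = 0;
    while (got < (size_t)declared) {
        ssize_t r = fake_read(s, buf + got, (size_t)declared - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    buf[got] = '\0';   /* also covers declared == 0, the case patched with buf[0] = 0 */
    return 0;
}

/* One UBX command as a fixed MSN_server_handle would process it; payload to out, returns 0 or -1. */
int handle_ubx(fake_sock *s, char *out, size_t outsize) {
    char buf[UBX_BUF];
    if (fake_getline(s, buf, sizeof buf) < 0) return -1;
    int n = ubx_declared_length(buf);
    if (n < 0 || ubx_read_payload(s, buf, sizeof buf, n) < 0) return -1;
    if (strlen(buf) >= outsize) return -1;
    strcpy(out, buf);
    return 0;
}

/* Constructed UBX command: header claiming `declared` bytes, then the payload. Returns bytes written. */
size_t build_ubx(char *dst, size_t dstsize, int declared, const char *payload, size_t payload_len) {
    int h = snprintf(dst, dstsize, "UBX passport@hotmail.com %d\r\n", declared);
    if (h < 0 || (size_t)h + payload_len >= dstsize) return 0;
    memcpy(dst + h, payload, payload_len);
    return (size_t)h + payload_len;
}

/* Well-formed message: declared length equals the payload length, so the payload comes back. */
int demo_benign(char *out, size_t outsize) {
    static const char psm[] = "<Data><PSM>Hello</PSM><CurrentMedia></CurrentMedia></Data>";
    char msg[1024];
    size_t len = build_ubx(msg, sizeof msg, (int)strlen(psm), psm, strlen(psm));
    fake_sock s = { msg, len, 0 };
    return handle_ubx(&s, out, outsize);
}

/* Hostile message: header claims 4000 bytes and 4000 follow. The original read() would write them
   straight into buf[512]; the hardened handler refuses before reading any payload. */
int demo_oversized(void) {
    static char payload[4000], msg[8192], out[UBX_BUF];
    memset(payload, 'A', sizeof payload);
    size_t len = build_ubx(msg, sizeof msg, (int)sizeof payload, payload, sizeof payload);
    fake_sock s = { msg, len, 0 };
    return handle_ubx(&s, out, sizeof out);
}
```

Calling demo_benign() from a main() returns 0 and hands back the PSM payload; demo_oversized() returns -1 because 4000 bytes cannot fit into buf[512], and nothing past the header is read. The one-line bounds check in ubx_read_payload is the fix the original code lacks; the strtol() validation is defence in depth for the atoi() conversions the report mentions, since the length is whatever arrives on the socket.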
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list.
tags 487046 + patch
tags 487222 + patch
thanks
Hi,
the attached patch should fix this issue.
The submitter of #487046 told me in a PM that this patch
also fixes the segfault for him.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 20 Jun 2008 16:42:05 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list.
Hi,
I intend to NMU this bug with the permission of Miriam
because her hardware is currently broken.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/tmsnc-0.3.2-1_0.3.2-1.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: tmsnc
Source-Version: 0.3.2-1.1
We believe that the bug you reported is fixed in the latest version of
tmsnc, which is due to be installed in the Debian FTP archive:
tmsnc_0.3.2-1.1.diff.gz
to pool/main/t/tmsnc/tmsnc_0.3.2-1.1.diff.gz
tmsnc_0.3.2-1.1.dsc
to pool/main/t/tmsnc/tmsnc_0.3.2-1.1.dsc
tmsnc_0.3.2-1.1_amd64.deb
to pool/main/t/tmsnc/tmsnc_0.3.2-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 487222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated tmsnc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 23 Jun 2008 19:24:31 +0200
Source: tmsnc
Binary: tmsnc
Architecture: source amd64
Version: 0.3.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Miriam Ruiz <little_miry@yahoo.es>
Changed-By: Nico Golde <nion@debian.org>
Description:
tmsnc - textbased (console) MSN client
Closes: 487046 487222
Changes:
tmsnc (0.3.2-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix stack-based buffer overflow in UBX handling
(No CVE id yet; Closes: #487222, #487046).
Checksums-Sha1:
751ee4435057045d81cd7e2b353bd313ebfe5dc9 978 tmsnc_0.3.2-1.1.dsc
8c9952a310edfac8da42dc532dfd7d9f3daa653a 3658 tmsnc_0.3.2-1.1.diff.gz
41fef53746fd2818e5963a745d4aa18bc32626e1 52512 tmsnc_0.3.2-1.1_amd64.deb
Checksums-Sha256:
22f115348d24b9db74300a86bb91c02b83e77f33d98b27a91a0dd85babca9322 978 tmsnc_0.3.2-1.1.dsc
e986e499e0f9064a5a5d78ad4335311bce838e8b5c139d388dee9031a30ae97a 3658 tmsnc_0.3.2-1.1.diff.gz
7644a1792707d746928849bea10578f86cda89edaafa97276b5a75e0cfc9ce05 52512 tmsnc_0.3.2-1.1_amd64.deb
Files:
9b769d90fa4a1359d06a2e5a857dfc67 978 net optional tmsnc_0.3.2-1.1.dsc
91181fec20ccfe0f1c4aeb94b56835fd 3658 net optional tmsnc_0.3.2-1.1.diff.gz
fc1ceccbe6446632f48009f31ae61133 52512 net optional tmsnc_0.3.2-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhf5BYACgkQHYflSXNkfP8DTwCfTfzUS/g3jy1QhkypNr8jL28Y
Py4AoIwf2rLMWkhPwUSW/xJeKIRqZ+z3
=1qAj
-----END PGP SIGNATURE-----
Acknowledgement sent to little_miry@yahoo.es: Extra info received and forwarded to list.
To: 487222@bugs.debian.org, 487046@bugs.debian.org
Subject: Re: Bug#487222: intent to NMU
Date: Mon, 23 Jun 2008 18:53:44 +0000 (GMT)
--- On Mon, 23/6/08, Nico Golde <nion@debian.org> wrote:
> I intend to NMU this bug with the permission of Miriam
> because her hardware is currently broken.
Thanks Nico!! :)
Greetings,
Miry
Changed Bug title to `tmsnc: CVE-2008-2828 remote buffer overflow in UBX parsing#' from `tmsnc: remote stack based buffer overflow in UBX parsing code'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2008 19:21:08 GMT)
Changed Bug title to `tmsnc: CVE-2008-2828 remote buffer overflow in UBX parsing' from `tmsnc: CVE-2008-2828 remote buffer overflow in UBX parsing#'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 23 Jun 2008 19:21:09 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Feb 2009 07:27:46 GMT)