Vulnerabilities > CVE-2004-0785 - Multiple vulnerability in Gaim
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder.
Vulnerable Configurations
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_4260EACB26B811D99289000C41E2CDAD.NASL description Sean infamous42md reports several situations in gaim that may result in exploitable buffer overflows : - Rich Text Format (RTF) messages in Novell GroupWise protocol - Unsafe use of gethostbyname in zephyr protocol - URLs which are over 2048 bytes long once decoded last seen 2020-06-01 modified 2020-06-02 plugin id 18918 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18918 title FreeBSD : gaim -- multiple buffer overflows (4260eacb-26b8-11d9-9289-000c41e2cdad) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(18918); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:36"); script_cve_id("CVE-2004-0785"); script_name(english:"FreeBSD : gaim -- multiple buffer overflows (4260eacb-26b8-11d9-9289-000c41e2cdad)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Sean infamous42md reports several situations in gaim that may result in exploitable buffer overflows : - Rich Text Format (RTF) messages in Novell GroupWise protocol - Unsafe use of gethostbyname in zephyr protocol - URLs which are over 2048 bytes long once decoded" ); # http://gaim.sourceforge.net/security/?id=3 script_set_attribute( attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=3" ); # http://gaim.sourceforge.net/security/?id=4 script_set_attribute( attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=4" ); # http://gaim.sourceforge.net/security/?id=5 script_set_attribute( attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=5" ); # https://vuxml.freebsd.org/freebsd/4260eacb-26b8-11d9-9289-000c41e2cdad.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6d7f7486" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gaim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gaim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-gaim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ko-gaim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ru-gaim"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/26"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"gaim<0.82")) flag++; if (pkg_test(save_report:TRUE, pkg:"ja-gaim<0.82")) flag++; if (pkg_test(save_report:TRUE, pkg:"ko-gaim<0.82")) flag++; if (pkg_test(save_report:TRUE, pkg:"ru-gaim<0.82")) flag++; if (pkg_test(save_report:TRUE, pkg:"gaim>20030000")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2004-278.NASL description 0.82 update contains many bug and security improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14373 published 2004-08-26 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14373 title Fedora Core 1 : gaim-0.82-0.FC1 (2004-278) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-278. # include("compat.inc"); if (description) { script_id(14373); script_version ("1.21"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0500", "CVE-2004-0754", "CVE-2004-0784", "CVE-2004-0785", "CVE-2004-2589"); script_xref(name:"FEDORA", value:"2004-278"); script_name(english:"Fedora Core 1 : gaim-0.82-0.FC1 (2004-278)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "0.82 update contains many bug and security improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2004-August/000270.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ddb24056" ); script_set_attribute( attribute:"solution", value:"Update the affected gaim and / or gaim-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gaim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gaim-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC1", reference:"gaim-0.82-0.FC1")) flag++; if (rpm_check(release:"FC1", reference:"gaim-debuginfo-0.82-0.FC1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gaim / gaim-debuginfo"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-400.NASL description An updated gaim package that fixes several security issues is now available. Gaim is an instant messenger client that can handle multiple protocols. Buffer overflow bugs were found in the Gaim MSN protocol handler. In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0500 to this issue. Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser. It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0785 to this issue. A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0784 to this issue. An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victims machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0754 to this issue. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 0.82 and is not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14696 published 2004-09-09 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14696 title RHEL 3 : gaim (RHSA-2004:400) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200408-27.NASL description The remote host is affected by the vulnerability described in GLSA-200408-27 (Gaim: New vulnerabilities) Gaim fails to do proper bounds checking when: Handling MSN messages (partially fixed with GLSA 200408-12). Handling rich text format messages. Resolving local hostname. Receiving long URLs. Handling groupware messages. Allocating memory for webpages with fake content-length header. Furthermore Gaim fails to escape filenames when using drag and drop installation of smiley themes. Impact : These vulnerabilities could allow an attacker to crash Gaim or execute arbitrary code or commands with the permissions of the user running Gaim. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of Gaim. last seen 2020-06-01 modified 2020-06-02 plugin id 14583 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14583 title GLSA-200408-27 : Gaim: New vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-110.NASL description More vulnerabilities have been discovered in the gaim instant messenger client. The vulnerabilities pertinent to version 0.75, which is the version shipped with Mandrakelinux 10.0, are: installing smiley themes could allow remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. There is also a buffer overflow in the way gaim handles receiving very long URLs. The provided packages have been patched to fix these problems. These issues, amongst others, have been fixed upstream in version 0.82. last seen 2020-06-01 modified 2020-06-02 plugin id 15546 published 2004-10-22 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15546 title Mandrake Linux Security Advisory : gaim (MDKSA-2004:110) NASL family Fedora Local Security Checks NASL id FEDORA_2004-279.NASL description 0.82 update contains many bug and security improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14374 published 2004-08-26 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14374 title Fedora Core 2 : gaim-0.82-0.FC2 (2004-279)
Oval
| accepted | 2013-04-29T04:09:53.975-04:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder. | ||||||||
| family | unix | ||||||||
| id | oval:org.mitre.oval:def:10907 | ||||||||
| status | accepted | ||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||
| title | Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder. | ||||||||
| version | 26 |
Redhat
| advisories |
|
References
- http://gaim.sourceforge.net/security/?id=3
- http://gaim.sourceforge.net/security/?id=4
- http://gaim.sourceforge.net/security/?id=5
- http://secunia.com/advisories/12383
- http://secunia.com/advisories/12480
- http://secunia.com/advisories/12929
- http://secunia.com/advisories/13101
- http://securitytracker.com/id?1011083
- http://www.fedoranews.org/updates/FEDORA-2004-278.shtml
- http://www.fedoranews.org/updates/FEDORA-2004-279.shtml
- http://www.gentoo.org/security/en/glsa/glsa-200408-27.xml
- http://www.osvdb.org/9261
- http://www.osvdb.org/9262
- http://www.osvdb.org/9263
- http://www.redhat.com/support/errata/RHSA-2004-400.html
- http://www.securityfocus.com/bid/11056
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17141
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17142
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17143
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10907