Miranda IM

Go Back   Miranda IM - Forums > Development > Plugins
Reload this Page Popup+: remotely exploitable buffer overflow
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Plugins For plugin developers and related discussion

Closed Thread
 
Thread Tools Display Modes

  #1  
Old 18 Apr 2005, 7:02 PM
egodust egodust is offline
BAHHHH!
  
Join Date: April 2005
Posts: 55
Popup+: remotely exploitable buffer overflow
Hey,

As reported on various security lists, popup plus with smiley add support enabled causes a bug which can be used by a remote attacker to run any code of their choice. As the original author (zazoo) has gone AWOL - I've decided to offer a fix for the bug.

You can get 2.0.3.9 from http://files.miranda-im.org/testing/popupplus.zip

And the sources from
http://files.miranda-im.org/testing/popupplussrc.zip

Notes:
1) I've only fixed the buffer problem
2) There might be other bugs still left
3) The plugin is compiled without logging
4) The remotely exploitable code was in the logging code

The problem is in emoticons.cpp:90 - if smiley-add is used a logging feature writes to disk when it finds a word it can't convert into a smiley for various reasons, this fails when that word is bigger than the buffer used to store the formatted logging text:
Code:
logMessage("smileyChunk", "Probably word starts with smiley, can't replace whole one. See details below");
char buf[512];
sprintf(buf, ">>> chunk text: \"%s\" lstrlen = %d", word, lstrlen(word));
logMessage("smileyChunk", buf);
sprintf(buf,">>> S/A reported smiley length: %d", smgi.Smileylength);
logMessage("smileyChunk", buf);
The problem is that 'word' contains a remote string and its just overwritten the return jump address on the stack, Oops!

  #2  
Old 18 Apr 2005, 7:31 PM
PROGAME PROGAME is offline
Miranda Wizard
  
Join Date: March 2005
Location: Israel
Posts: 475
he didn't go AWOL he is simply using a new nick :)

but thanks for the the fixed version!

EDIT:
http://forums.miranda-im.org/showthread.php?t=1070
Last edited by PROGAME; 18 Apr 2005 at 7:35 PM.

  #3  
Old 19 Apr 2005, 12:17 AM
bid bid is offline
Miranda Moderator
  
Join Date: March 2005
Location: Atlanta, GA
Posts: 293
All hail the text smileys!

  #4  
Old 19 Apr 2005, 12:19 AM
Slaktarn Slaktarn is offline
Miranda Master
  
Join Date: March 2005
Location: Seweden
Posts: 626
PopUp+ need support for IeView and IeView Smileys :D

  #5  
Old 26 Apr 2005, 11:37 PM
bid bid is offline
Miranda Moderator
  
Join Date: March 2005
Location: Atlanta, GA
Posts: 293
http://forums.miranda-im.org/showthread.php?t=1727
Closed Thread

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
[resolved] Buffer overrun error frozenx Help & Support 7 18 May 2008 7:49 PM
[resolved] buffer overrun detected pythos Help & Support 3 22 Jul 2007 2:53 PM
Buffer overrun detected! marduk Help & Support 1 10 Feb 2007 5:27 PM
Buffer overrun DJOU Help & Support 2 28 Dec 2005 10:53 PM
Integer Overflow in libgadu.c tymmix Protocols 2 27 Jul 2005 2:10 PM



All times are GMT +1. The time now is 2:10 AM.
Mark Forums Read | View Forum Leaders
Contact Us - Miranda IM - Archive - Top


vBulletin skins developed by: eXtremepixels
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.