ID CVE-2004-0006
Summary Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.
References
Vulnerable Configurations
  • cpe:2.3:a:rob_flynn:gaim:0.75
  • cpe:2.3:a:ultramagnetic:ultramagnetic:0.81
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_GAIM_076.NASL
    description The following package needs to be updated: gaim
    last seen 2016-09-26
    modified 2004-07-06
    plugin id 12543
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12543
    title FreeBSD : Several remotely exploitable buffer overflows in gaim (52)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-434.NASL
    description Stefan Esser discovered several security-related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows:
    - CAN-2004-0005 When the Yahoo Messenger handler decodes an octal value for email notification functions two different kinds of overflows can be triggered. When the MIME decoder decoded a quoted printable encoded string for email notification two other different kinds of overflows can be triggered. These problems only affect the version in the unstable distribution.
    - CAN-2004-0006 When parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen. When parsing the Yahoo Login Webpage the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting a URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution. When an oversized keyname is read from a Yahoo Messenger packet a stack overflow can be triggered. When Gaim is set up to use an HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it. These problems affect all versions Debian ships. However, the connection to Yahoo doesn't work in the version in Debian stable.
    - CAN-2004-0007 Internally data is copied between two tokens into a fixed size stack buffer without a size check. This only affects the version of gaim in the unstable distribution.
    - CAN-2004-0008 When allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15271
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15271
    title Debian DSA-434-1 : gaim - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-033.NASL
    description Updated Gaim packages that fix a number of serious vulnerabilities are now available. Gaim is an instant messenger client that can handle multiple protocols. Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. However at least one of the buffer overflows could be exploited by an attacker sending a carefully-constructed malicious message through a server. The issues include:
    - Multiple buffer overflows that affect versions of Gaim 0.75 and earlier: 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0006 to these issues.
    - A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0007 to this issue.
    - An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet, results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0008 to this issue.
    All users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues. Red Hat would like to thank Stefan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12455
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12455
    title RHEL 3 : gaim (RHSA-2004:033)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_6FD024395D7011D880E30020ED76EF5A.NASL
    description Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory: While developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfortunately at the same time a closer look at the source code revealed 11 more vulnerabilities. The 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions are a fairly simple task. In combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37025
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37025
    title FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-045.NASL
    description Updated Gaim packages that fix a pair of security vulnerabilities are now available. Gaim is an instant messenger client that can handle multiple protocols. Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Many of these bugs do not affect the version of Gaim distributed with version 2.1 of Red Hat Enterprise Linux.
    - A buffer overflow exists in the HTTP Proxy connect code. If Gaim is configured to use an HTTP proxy for connecting to a server, a malicious HTTP proxy could run arbitrary code as the user running Gaim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0006 to this issue.
    - An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet for AIM/Oscar, results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0008 to this issue.
    Users of Gaim should upgrade to these erratum packages, which contain a backported security patch correcting this issue. Red Hat would like to thank Stefan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12459
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12459
    title RHEL 2.1 : gaim (RHSA-2004:045)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-006.NASL
    description A number of vulnerabilities were discovered in the gaim instant messenger program by Stefan Esser, versions 0.75 and earlier. Thanks to Jacques A. Vidrine for providing initial patches.
    - Multiple buffer overflows exist in gaim 0.75 and earlier: when parsing cookies in a Yahoo web connection; YMSG protocol overflows parsing the Yahoo login webpage; a YMSG packet overflow; flaws in the URL parser; and flaws in the HTTP Proxy connect (CAN-2004-006).
    - A buffer overflow in gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers (CAN-2004-007).
    - An integer overflow in gaim 0.74 and earlier, when allocating memory for a directIM packet, results in a heap overflow (CVE-2004-0008).
    Update: The patch used to correct the problem was slightly malformed and could cause an infinite loop and crash with the Yahoo protocol. The new packages have a corrected patch that resolves the problem.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14106
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14106
    title Mandrake Linux Security Advisory : gaim (MDKSA-2004:006-1)
oval via4
  • accepted 2013-04-29T04:03:41.280-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    description Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.
    family unix
    id oval:org.mitre.oval:def:10222
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.
    version 23
  • accepted 2007-04-25T19:52:55.558-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Thomas R. Jones
      organization Maitreya Security
    description Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.
    family unix
    id oval:org.mitre.oval:def:818
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Gaim / Ultramagnetic BO Vulnerabilities
    version 34
redhat via4
advisories
  • rhsa
    id RHSA-2004:032
  • rhsa
    id RHSA-2004:033
  • rhsa
    id RHSA-2004:045
refmap via4
bid 9489
bugtraq
  • 20040126 Advisory 01/2004: 12 x Gaim remote overflows
  • 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code
cert-vn
  • VU#297198
  • VU#371382
  • VU#444158
  • VU#503030
  • VU#527142
  • VU#871838
conectiva CLA-2004:813
confirm http://ultramagnetic.sourceforge.net/advisories/001.html
debian DSA-434
fulldisc 20040126 Advisory 01/2004: 12 x Gaim remote overflows
gentoo GLSA-200401-04
mandrake MDKSA-2004:006
misc http://security.e-matters.de/advisories/012004.html
osvdb
  • 3731
  • 3732
sectrack 1008850
sgi
  • 20040201-01-U
  • 20040202-01-U
slackware SSA:2004-026
suse SuSE-SA:2004:004
xf
  • gaim-http-proxy-bo(14947)
  • gaim-login-name-bo(14940)
  • gaim-login-value-bo(14941)
  • gaim-urlparser-bo(14945)
  • gaim-yahoopacketread-keyname-bo(14943)
  • gaim-yahoowebpending-cookie-bo(14939)
Last major update 17-10-2016 - 22:39
Published 03-03-2004 - 00:00
Last modified 10-10-2017 - 21:29