Security Experts:

"Libotr" Library Flaw Exposes Popular IM Apps

A researcher at security firm X41 D-Sec uncovered a serious vulnerability in the “libotr” library that can be exploited for denial-of-service (DoS) attacks and remote code execution.

Libotr is the most commonly used implementation of the off-the-record (OTR) cryptographic protocol. The library protects communications in popular instant messaging applications such as Pidgin, Adium and ChatSecure.

X41’s Markus Vervier analyzed the library and discovered that a remote attacker could execute arbitrary code by sending large messages that trigger a heap buffer overflow in libotr.

According to Vervier, the vulnerability can be exploited against default configurations of libotr without any special user interaction or authorization being required.

An attacker can exploit the flaw by sending a 5.5 Gb message to the victim. While this might seem difficult to accomplish, experts say it can be done due to the fact that libotr can assemble fragmented OTR messages.

“By sending 275 messages of size 20MB each, X41 was able to make libotr process such a data message successfully on a system with 8GB of ram and 15GB of swap space,” X41 explained in its advisory. “Sending such a message to a pidgin client took only a few minutes on a fast network connection without visible signs of any attack to a user.”

A proof-of-concept designed to crash the OTR plugin in Pidgin on x86_64 Linux systems has been made available by X41.

“The crash occurs due to the overwrite hitting unmapped memory. Using techniques such as heap grooming, X41 was able to inflate the heap to more than 4GB and overwrite function pointers and arguments on the heap in order to take over control flow. A working exploit will not be published at this time,” the security firm noted in its advisory.

The vulnerability, which affects the 64-bit version of libotr 4.1.0 and earlier, was reported to the OTR development team on February 17, and a patch was made available in early March with the release of libotr 4.1.1. No workarounds are available.

The developers of various Linux distributions, including Ubuntu, SUSE and Debian, have already released updates to address the issue.

Libotr is not the only popular library found to be affected by a remote code execution vulnerability. Last month, researchers disclosed the existence of a serious flaw in the GNU C Library (glibc), which is used in GNU and Linux systems.

view counter