Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

“Libotr” Library Flaw Exposes Popular IM Apps

A researcher at security firm X41 D-Sec uncovered a serious vulnerability in the “libotr” library that can be exploited for denial-of-service (DoS) attacks and remote code execution.

A researcher at security firm X41 D-Sec uncovered a serious vulnerability in the “libotr” library that can be exploited for denial-of-service (DoS) attacks and remote code execution.

Libotr is the most commonly used implementation of the off-the-record (OTR) cryptographic protocol. The library protects communications in popular instant messaging applications such as Pidgin, Adium and ChatSecure.

X41’s Markus Vervier analyzed the library and discovered that a remote attacker could execute arbitrary code by sending large messages that trigger a heap buffer overflow in libotr.

According to Vervier, the vulnerability can be exploited against default configurations of libotr without any special user interaction or authorization being required.

An attacker can exploit the flaw by sending a 5.5 Gb message to the victim. While this might seem difficult to accomplish, experts say it can be done due to the fact that libotr can assemble fragmented OTR messages.

“By sending 275 messages of size 20MB each, X41 was able to make libotr process such a data message successfully on a system with 8GB of ram and 15GB of swap space,” X41 explained in its advisory. “Sending such a message to a pidgin client took only a few minutes on a fast network connection without visible signs of any attack to a user.”

A proof-of-concept designed to crash the OTR plugin in Pidgin on x86_64 Linux systems has been made available by X41.

“The crash occurs due to the overwrite hitting unmapped memory. Using techniques such as heap grooming, X41 was able to inflate the heap to more than 4GB and overwrite function pointers and arguments on the heap in order to take over control flow. A working exploit will not be published at this time,” the security firm noted in its advisory.

Advertisement. Scroll to continue reading.

The vulnerability, which affects the 64-bit version of libotr 4.1.0 and earlier, was reported to the OTR development team on February 17, and a patch was made available in early March with the release of libotr 4.1.1. No workarounds are available.

The developers of various Linux distributions, including Ubuntu, SUSE and Debian, have already released updates to address the issue.

Libotr is not the only popular library found to be affected by a remote code execution vulnerability. Last month, researchers disclosed the existence of a serious flaw in the GNU C Library (glibc), which is used in GNU and Linux systems.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.