Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



“Libotr” Library Flaw Exposes Popular IM Apps

A researcher at security firm X41 D-Sec uncovered a serious vulnerability in the “libotr” library that can be exploited for denial-of-service (DoS) attacks and remote code execution.

A researcher at security firm X41 D-Sec uncovered a serious vulnerability in the “libotr” library that can be exploited for denial-of-service (DoS) attacks and remote code execution.

Libotr is the most commonly used implementation of the off-the-record (OTR) cryptographic protocol. The library protects communications in popular instant messaging applications such as Pidgin, Adium and ChatSecure.

X41’s Markus Vervier analyzed the library and discovered that a remote attacker could execute arbitrary code by sending large messages that trigger a heap buffer overflow in libotr.

According to Vervier, the vulnerability can be exploited against default configurations of libotr without any special user interaction or authorization being required.

An attacker can exploit the flaw by sending a 5.5 Gb message to the victim. While this might seem difficult to accomplish, experts say it can be done due to the fact that libotr can assemble fragmented OTR messages.

“By sending 275 messages of size 20MB each, X41 was able to make libotr process such a data message successfully on a system with 8GB of ram and 15GB of swap space,” X41 explained in its advisory. “Sending such a message to a pidgin client took only a few minutes on a fast network connection without visible signs of any attack to a user.”

A proof-of-concept designed to crash the OTR plugin in Pidgin on x86_64 Linux systems has been made available by X41.

“The crash occurs due to the overwrite hitting unmapped memory. Using techniques such as heap grooming, X41 was able to inflate the heap to more than 4GB and overwrite function pointers and arguments on the heap in order to take over control flow. A working exploit will not be published at this time,” the security firm noted in its advisory.

The vulnerability, which affects the 64-bit version of libotr 4.1.0 and earlier, was reported to the OTR development team on February 17, and a patch was made available in early March with the release of libotr 4.1.1. No workarounds are available.

The developers of various Linux distributions, including Ubuntu, SUSE and Debian, have already released updates to address the issue.

Libotr is not the only popular library found to be affected by a remote code execution vulnerability. Last month, researchers disclosed the existence of a serious flaw in the GNU C Library (glibc), which is used in GNU and Linux systems.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet