J-Security Center

Title: Gadu-Gadu Multiple Remote Vulnerabilities

Severity: HIGH

Description:

Multiple remote vulnerabilities reportedly affect the Gadu-Gadu instant messenger client. The client supports the DCC (Direct Client Connection) protocol, which lets two users exchange files and messages directly with each other; several of the issues below lie in that code path.

The first issue reported is an HTML injection vulnerability in the message sending functionality. A malicious HTML link embedded in a message will reportedly run its embedded script code when the recipient views the message in the client's message viewer. Any such script executes within the Local zone, which is far less restricted than the Internet zone, so the script is not subject to the controls normally applied to remote content.

The second issue is a remote code execution issue. The affected application reportedly supports a feature that lets a remote user send a specially crafted network message which causes the client to load and execute code from an attacker-supplied DLL (dynamically linked library) file, without any notification to or confirmation from the affected user. An attacker can therefore deliver a malicious DLL together with the crafted message and have it executed in the context of the user running the vulnerable application.

The third issue is a directory traversal vulnerability that can be exploited to upload files to, or download files from, arbitrary directories on the affected computer over the DCC protocol. The application reportedly strips literal '.' and '/' characters from file requests but does not strip their encoded equivalents (such as percent-encoded forms), which it apparently decodes only after the filter has run. An encoded '../' sequence therefore survives the filter and becomes a traversal sequence after decoding. This lets an attacker read from or write to any directory the affected application itself can access.
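The following is an added example in C, not Gadu-Gadu code; the request format, the function names and the use of percent-encoding are assumptions chosen to illustrate the filter-before-decode mistake. It shows why stripping literal '.' and '/' fails against an encoded request, and a replacement check that decodes first and then accepts only a bare file name:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Gadu-Gadu code. A DCC-style file request is modelled
 * as a string naming the file; percent-encoding and the function names
 * are assumptions for illustration. */

/* The weak approach: drop every literal '.', '/' and '\' and accept the
 * rest. An encoded request contains none of those characters, so it
 * passes through untouched. Returns the length written to out. */
size_t weak_strip_filter(const char *req, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *req != '\0' && n + 1 < outlen; req++) {
        if (*req == '.' || *req == '/' || *req == '\\')
            continue;
        out[n++] = *req;
    }
    out[n] = '\0';
    return n;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode req into out. Returns 1 on success, 0 on a malformed or
 * truncated escape, an embedded NUL, or insufficient room in out. */
int percent_decode(const char *req, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *req != '\0'; req++) {
        int c = (unsigned char)*req;
        if (c == '%') {
            int hi = hexval((unsigned char)req[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)req[2]);
            if (lo < 0)
                return 0;
            c = hi * 16 + lo;
            req += 2;
        }
        if (c == '\0' || n + 1 >= outlen)
            return 0;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 1;
}

/* Hardened check: decode first, then require a bare file name with no
 * path separator, no drive or stream colon, and no "." or ".." name.
 * Returns 1 and fills out with the decoded name if acceptable, else 0. */
int safe_dcc_filename(const char *req, char *out, size_t outlen)
{
    if (!percent_decode(req, out, outlen))
        return 0;
    if (out[0] == '\0' || strcmp(out, ".") == 0 || strcmp(out, "..") == 0)
        return 0;
    if (strpbrk(out, "/\\:") != NULL)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed request: no literal '.' or '/' at all, so the weak
     * filter keeps every byte; decoded it reads ../../boot.ini */
    const char *evil = "%2e%2e%2f%2e%2e%2fboot%2eini";
    char kept[128], decoded[128], name[128];

    weak_strip_filter(evil, kept, sizeof kept);
    percent_decode(kept, decoded, sizeof decoded);
    printf("weak filter kept \"%s\", which decodes to \"%s\"\n", kept, decoded);

    printf("safe check on crafted request: %d\n",
           safe_dcc_filename(evil, name, sizeof name));
    int ok = safe_dcc_filename("photo%2ejpg", name, sizeof name);
    printf("safe check on benign request:  %d (%s)\n", ok, name);
    return 0;
}
```

The order matters more than the character list: any filter applied to the encoded form can be bypassed by encoding, so decode (and, on a real filesystem, canonicalize) before validating, and validate by allow-listing a bare name rather than by stripping characters.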

The fourth issue reported is a stack-based buffer overflow in the application when sending images. Reportedly this can be triggered when the affected application attempts to send a file with a specially crafted file name. An attacker may leverage this issue to execute arbitrary code in the context of the vulnerable application.

The fifth and sixth issues reported are heap-based buffer overflow vulnerabilities that are triggered when the affected application downloads image files. It is likely that one of these issues is the same as, or related to BID 11158 (Gadu-Gadu Image Send Feature Remote Heap Overflow Vulnerability).

Few details are available on the first heap overflow issue. The second heap overflow is due to a failure of the application to properly validate image sizes: the application allocates a buffer based on the image size reported in the network data, and if the image data actually received exceeds that declared size, an attacker may be able to write past the end of the dynamically allocated buffer, triggering the heap overflow condition.
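An added example in C, not Gadu-Gadu code (the 4-byte length-prefixed frame layout, the size limit and the function names are assumptions), contrasting the vulnerable pattern, where the declared size drives the allocation but the received length drives the copy, with a parser that rejects any frame whose body does not match its declared size:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Gadu-Gadu code. A toy image frame: a 4-byte
 * little-endian length followed by the pixel data. The layout and the
 * limit below are assumptions; the point is how the length is trusted. */

#define MAX_IMAGE_BYTES (4u * 1024u * 1024u)   /* assumed policy limit */

struct image {
    uint32_t declared;   /* size claimed by the sender */
    size_t   stored;     /* bytes actually placed in data */
    uint8_t *data;
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: allocate what the header says, copy what arrived.
 * When payload_len > declared the memcpy runs off the end of the heap
 * chunk. Never feed it an untrusted frame; the demo only calls it on a
 * well-formed one. */
int parse_image_unsafe(const uint8_t *buf, size_t len, struct image *out)
{
    if (len < 4) return 0;
    out->declared = rd_le32(buf);
    out->data = malloc(out->declared ? out->declared : 1);
    if (!out->data) return 0;
    size_t payload_len = len - 4;
    memcpy(out->data, buf + 4, payload_len);   /* BUG: not bounded by declared */
    out->stored = payload_len;
    return 1;
}

/* How far past its buffer the unsafe parser would write for this frame. */
size_t unsafe_overrun_bytes(const uint8_t *buf, size_t len)
{
    if (len < 4) return 0;
    uint32_t declared = rd_le32(buf);
    size_t payload_len = len - 4;
    return payload_len > declared ? payload_len - declared : 0;
}

/* Hardened: bound the declared size and require the payload to match it
 * exactly, so neither a short nor an over-long body is accepted. */
int parse_image_safe(const uint8_t *buf, size_t len, struct image *out)
{
    if (len < 4) return 0;
    uint32_t declared = rd_le32(buf);
    if (declared == 0 || declared > MAX_IMAGE_BYTES) return 0;
    if (len - 4 != declared) return 0;         /* length mismatch: reject */
    out->data = malloc(declared);
    if (!out->data) return 0;
    memcpy(out->data, buf + 4, declared);
    out->declared = declared;
    out->stored = declared;
    return 1;
}

void image_free(struct image *img) { free(img->data); img->data = NULL; }

int main(void)
{
    /* Constructed frames: both declare 4 bytes; the second carries 16. */
    static const uint8_t good[] = {4, 0, 0, 0, 0x89, 'P', 'N', 'G'};
    static const uint8_t evil[] = {4, 0, 0, 0, 'A','A','A','A','A','A','A','A',
                                               'A','A','A','A','A','A','A','A'};
    struct image img;

    printf("unsafe parser would overrun by %zu bytes on the crafted frame\n",
           unsafe_overrun_bytes(evil, sizeof evil));
    printf("safe parser accepts crafted frame: %d\n",
           parse_image_safe(evil, sizeof evil, &img));
    if (parse_image_safe(good, sizeof good, &img)) {
        printf("safe parser accepts good frame: %zu bytes stored\n", img.stored);
        image_free(&img);
    }
    return 0;
}
```

In a streaming receiver the same rule applies per read: the number of bytes copied into the buffer must be bounded by the allocation, never by how much the peer chose to send.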

The seventh issue is a policy bypass that allows an attacker who is in the contact list of an unsuspecting user to ignore certain policy restrictions. An attacker can reportedly send small images to the user even when the user has configured the attacker's contact list entry to reject images from that contact. The per-contact image block therefore gives a false sense of security, and it does not prevent delivery of images that trigger the overflow vulnerabilities outlined above.

The final issue may allow an attacker to write to the disk of the affected computer with the privileges of the affected application. When transferring files over DCC, the application relies on the sender-supplied data size when copying data to local disk. An attacker may leverage an integer overflow in that size handling to manipulate the amount of data accepted, uploading files that are larger than their reported size and filled with arbitrary data. This may be exploited to consume disk space, since the unsuspecting user has no way to verify the true size of an uploaded file against the size that was announced.
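An added example in C, not Gadu-Gadu code (the 32-bit size fields, the chunked transfer and the function names are assumptions), showing how an additive bounds check on a 32-bit running total wraps and admits a huge chunk, beside the subtractive check that cannot wrap, with a simulated transfer to make the disk-space effect visible:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Gadu-Gadu code. Models a DCC receiver that is told
 * the file is `total` bytes long and then accepts data chunks. `received`
 * and `chunk` are assumed to be 32-bit wire fields. */

/* Weak check: received + chunk is computed in 32 bits and wraps, so a
 * chunk of roughly 4 GB can satisfy the comparison. */
int chunk_fits_weak(uint32_t total, uint32_t received, uint32_t chunk)
{
    return received + chunk <= total;   /* wraps modulo 2^32 */
}

/* Hardened check: subtract instead of add, so no wrap is possible. */
int chunk_fits_safe(uint32_t total, uint32_t received, uint32_t chunk)
{
    if (received > total)
        return 0;
    return chunk <= total - received;
}

struct chunk { uint32_t len; };

/* Simulate the transfer and return the number of bytes that would reach
 * disk before the receiver stops. `written` is 64-bit so it reflects the
 * real disk usage; `received` is the receiver's own 32-bit bookkeeping. */
uint64_t simulate_transfer(uint32_t total, const struct chunk *chunks, size_t n,
                           int (*fits)(uint32_t, uint32_t, uint32_t))
{
    uint32_t received = 0;
    uint64_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (!fits(total, received, chunks[i].len))
            break;                      /* protocol error: abort the transfer */
        written += chunks[i].len;
        received += chunks[i].len;      /* wraps just like the weak check does */
    }
    return written;
}

int main(void)
{
    /* Constructed session: the file is announced as 1000 bytes; the
     * second chunk is chosen so that 900 + len wraps to 100 in 32 bits. */
    struct chunk chunks[] = { {900}, {0xFFFFFCE0u}, {50} };
    size_t n = sizeof chunks / sizeof chunks[0];
    printf("weak check: %llu bytes written for a 1000-byte file\n",
           (unsigned long long)simulate_transfer(1000, chunks, n, chunk_fits_weak));
    printf("safe check: %llu bytes written, transfer aborted at the crafted chunk\n",
           (unsigned long long)simulate_transfer(1000, chunks, n, chunk_fits_safe));
    return 0;
}
```

Once the crafted chunk is accepted, the receiver's running total is also wrong (it has wrapped to 100), so every later chunk passes as well; the subtractive form rejects the crafted chunk outright and keeps the total honest.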

These issues may be exploited to steal potentially sensitive information, execute arbitrary code with the privileges of the affected user, and execute arbitrary script code in the context of the unsuspecting user's browser. Successful exploitation may lead to theft of authentication credentials and unauthorized access.

Affected Products:

  • Gadu-Gadu Instant Messenger 6.0.0
  • Gadu-Gadu Instant Messenger 6.0.0 build 149
  • Gadu-Gadu Instant Messenger 6.0.0 build 150
  • Gadu-Gadu Instant Messenger 6.0.0 build 151
  • Gadu-Gadu Instant Messenger 6.0.0 build 152
  • Gadu-Gadu Instant Messenger 6.0.0 build 153
  • Gadu-Gadu Instant Messenger 6.0.0 build 154
