Researcher Markus Vervier of Germany’s X41 D-SEC GmbH recently found that the libotr library — a cryptographic protocol used by instant messaging apps such as Pidgin, ChatSecure, Adium and others — can be remotely exploited.

Off-the-record (OTR) protocols got a bit of a boost when it was revealed that they could not be decrypted by federal agencies, according to X41. But the news that the protocol could be cracked remotely is enough to take the wind out of some of the OTR’s sails.

SecurityWeek reports, “The vulnerability can be exploited against default configurations of libotr without any special user interaction or authorization being required.”

Libotr Now Patched

Those behind distribution of libotr are releasing a patch that fixes the flaw.

“Versions 4.1.0 and earlier of libotr in 64-bit builds contain an integer overflow security flaw,” the OTR Development Team wrote. “This flaw could potentially be exploited by a remote attacker to cause a heap buffer overflow and subsequently for arbitrary code to be executed on the user’s machine.”

The team advises users to upgrade to version 4.1.1 as soon as possible.

How the Exploit Works

Deciphering why libotr broke is as complicated in execution as any of these software faults are. One aspect triggers another fault in a module, and the root cause of it all can get muddled. The researchers provided a nice summary of the mechanisms that led to this flaw, although they did use highly technical terms.

“The vulnerability is triggered if a value of 0xFFFFFFFF (MAX_UINT) is read from the message buffer. As datalen is of size 32-bit (unsigned int), the operation ‘datalen+1’ will wrap around before being passed to malloc,” the X41 researchers stated.

“This will effectively result in a zero allocation ( malloc(0) ), which is valid in common implementations of malloc on the x86_64 architecture. As no addition is done in the value passed to the call to memmove, 4 gigabytes of data are copied out of bounds to the heap location pointed to by data.”

So a particular 5.5 GB long message sent to the llibotr can trigger the vulnerability. It then messes with 4 GB of the program memory, and it’s all malloc’s fault because it gives a zero allocation when the message forces a variable to be greater than an unsigned integer can legally be.

Distributed denial-of-service (DDoS) attacks could be performed as a result of this fault. A proof of concept designed to crash the OTR plugin in Pidgin on x86_64 Linux systems was released by X41. There seem to be no workaround.

Ubuntu, SUSE and Debian have all upated their distros to refect the new libotr. Updating to the latest version quickly remains the safest and easiest way to stay secure.