Jump to content

uTox 0.18.1 Multiple 0day Vulnerabilities


Recommended Posts

uTox through 0.18.1 doesn't validate incoming file name, allowing remote attacker to overwrite arbitrary file on victim's machine.
Remote attacker may overwrite ~/.bashrc or ~/.profile as well, causing remote code execution.
To exploit this vulnerability, modified uTox client may be used.
Just set name and name_length variables in file_transfers.c, in ft_send_file(), before tox_file_send(), and send an evil shell script. For example:
name = "/home/krobelus/.bashrc";
name_length = strlen(name);
Second vulnerability exists only if uTox is in portable mode, with --portable parameter.
void native_autoselect_dir_ft(uint32_t fid, FILE_TRANSFER *file)
uint8_t *path = malloc(file->name_length + 1);
if (settings.portable_mode) {
snprintf((char *)path, UTOX_FILE_NAME_LENGTH, "./tox/Tox_Auto_Accept/");
snprintf((char *)path, UTOX_FILE_NAME_LENGTH, "./tox/Tox_Auto_Accept/%.*s", (int)file->name_length, file->name);
Here file->name_length is less than UTOX_FILE_NAME_LENGTH, so any incoming file transfer will cause remote heap overflow, denial of service and, possibly, remote code execution.
Automatic file acceptance must be turned on to exploit these two vulnerabilities, but due to uTox peculiarities, this option is on among the majority of users already.
These peculiarities are that uTox users have only a few seconds to confirm file receiving, thus receiving a few files one by one quickly turns into hell.

Debug builds are not vulnerable to heap overflow, because AddressSanitizer is used.

Vulnerabilities reported to cve.org, but no entries were created hitherto.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...