CVE-2016-2851
Published 2016-04-07
CVE-2016-2851: Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application…
Priority: P269 · critical · CVSS 3.0 base score 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 25.40% (97.7th percentile)
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cypherpunks | libotr | <= 4.1.0 | — |
| cypherpunks | libotr | >= 0 < 4.1.1-1 | 4.1.1-1 |
| debian | debian_linux | — | — |
| debian | libotr | < libotr 4.1.1-1 (bookworm) | libotr 4.1.1-1 (bookworm) |
| opensuse | leap | — | — |
| opensuse | opensuse | — | — |
Detection & IOCs (extracted from sources)
- Detect OTR messages whose declared datalen field is 0xFFFFFFFF (the integer-overflow trigger) on the proto.c read_int path. Source quote: datalen = 0xFFFFFFFF (pack('I', 0xFFFFFFFF)).
- Monitor for a large number of OTR message fragments sent in sequence to a single recipient; the PoC sends roughly 5.7 GB of fragments to trigger the heap overflow.
- Detect OTR DATA messages (type OTRL_MSGSTATE_DATA / OTRL_MSGSTATE_ENCRYPTED) arriving over XMPP/Jabber with abnormally large base64-encoded payloads.
- Flag OTR fragment storms: a single conversation receiving hundreds or thousands of ?OTR,k,n,... fragments where n is extremely large.
- The vulnerability is only exploitable on 64-bit platforms running libotr 4.1.0 and below; triage alerts accordingly.
Notes:
- The integer overflow occurs because datalen is read into an unsigned int (32-bit) while the surrounding length checks use size_t (64-bit), so the overflow only manifests on 64-bit architectures.
- No authentication or user interaction is required; the attacker only needs an established OTR session with the victim.
- The PoC exploit requires sending approximately 5.7 GB of fragmented OTR data, which may be rate-limited or blocked by transport-layer controls before it reaches the vulnerable code path.
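As an added example (not code from libotr or from any source quoted on this page), a C check for the fragment-storm and oversized-n heuristics in the list above: it parses ?OTR,k,n, headers, rejects counters outside the OTR protocol's 1..65535 range or with k > n, and tallies fragments per conversation. The storm limit and the sample headers in the comments are constructed for the example.

```c
/* Constructed example, not libotr code: classify OTR fragment headers of the
 * form "?OTR,k,n,piece," and tally them per conversation. k and n are decimal
 * counters that the OTR spec bounds to 1..65535 with k <= n; the storm limit
 * passed to tally_fragment is a constructed threshold for this example. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define OTR_MAX_FRAGMENTS 65535UL

typedef enum { NOT_FRAGMENT, FRAGMENT_OK, FRAGMENT_SUSPECT } frag_class;

/* Read one unsigned decimal field terminated by ','; reject signs, blanks
 * and values that overflow unsigned long, then advance past the comma. */
static bool read_counter(const char **p, unsigned long *out) {
    if (!isdigit((unsigned char)**p)) return false;
    char *end;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno != 0 || *end != ',') return false;
    *p = end + 1;
    return true;
}

/* Classify msg. For FRAGMENT_OK and FRAGMENT_SUSPECT, k_out and n_out hold
 * the parsed counters; a malformed counter leaves them zero and is SUSPECT.
 * e.g. "?OTR,1,3,abc," -> FRAGMENT_OK, "?OTR,1,4294967295,x," -> SUSPECT. */
frag_class classify_fragment(const char *msg, unsigned long *k_out, unsigned long *n_out) {
    *k_out = *n_out = 0;
    if (strncmp(msg, "?OTR,", 5) != 0) return NOT_FRAGMENT;   /* data messages start "?OTR:" */
    const char *p = msg + 5;
    if (!read_counter(&p, k_out) || !read_counter(&p, n_out)) return FRAGMENT_SUSPECT;
    bool in_range = *k_out >= 1 && *n_out >= 1 && *k_out <= *n_out && *n_out <= OTR_MAX_FRAGMENTS;
    return in_range ? FRAGMENT_OK : FRAGMENT_SUSPECT;
}

/* Per-conversation tally: returns true once the conversation has seen a
 * suspect header or more than 'limit' fragments (the storm heuristic). */
typedef struct { unsigned long fragments; unsigned long suspect; } frag_tally;

bool tally_fragment(frag_tally *t, const char *msg, unsigned long limit) {
    unsigned long k, n;
    frag_class c = classify_fragment(msg, &k, &n);
    if (c != NOT_FRAGMENT) {
        t->fragments++;
        if (c == FRAGMENT_SUSPECT) t->suspect++;
    }
    return t->suspect > 0 || t->fragments > limit;
}
```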
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
Ubuntu
OTR vulnerability
vendor_ubuntu · 2016-03-10
Title: OTR vulnerability
Summary: OTR could be made to crash or run programs if it received specially crafted network traffic.
Markus Vervier discovered that OTR incorrectly handled large incoming messages. A remote attacker could use this issue to cause OTR to crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: After a standard system update you need to restart OTR applications to make all the necessary changes.
Debian
CVE-2016-2851: libotr - Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows re...
vendor_debian · 2016 · CVSS 9.8 [CRITICAL]
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.
Scope: local
bookworm: resolved (fixed in 4.1.1-1)
bullseye: resolved (fixed in 4.1.1-1)
forky: resolved (fixed in 4.1.1-1)
sid: resolved (fixed in 4.1.1-1)
trixie: resolved (fixed in 4.1.1-1)
GHSA
GHSA-p3jg-fm9x-hc9c: Integer overflow in proto
ghsa_unreviewed · 2022-05-14 · CWE-119 [CRITICAL]
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.
OSV
CVE-2016-2851: Integer overflow in proto
osv · 2016-04-07 · CVSS 9.8 [CRITICAL]
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.
No detection rules found.
Bugzilla
CVE-2016-2851 libotr: Integer overflow when receiving messages bigger than 4GB
bugzilla · 2016-03-09 · CVSS 9.8 [CRITICAL]
An integer overflow vulnerability occurs when comparing int and size_t variable types, triggered by receiving messages larger than 4GB. This can cause a buffer overflow that could lead to code execution.
Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1315247
Discussion:
This is now public: https://lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.html
---
Created libotr tracking bugs for this issue:
Affects: fedora-all [bug 1316261]
Affects: epel-all [bug 1316263]
---
Created libotr3 tracking bugs for this issue:
Affects: fedora-all [bug 1316262]
Affects: epel-all [bug 1316264]
---
External references: http://seclists.org/oss-sec/2016/q1/568
---
This CVE Bugzilla entry is for commun
Bugzilla
CVE-2016-2851 libotr: Integer overflow when receiving messages bigger than 4GB [fedora-all]
bugzilla · 2016-03-09 · CVSS 9.8 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2016-2851 libotr3: libotr: Integer overflow when receiving messages bigger than 4GB [fedora-all]
bugzilla · 2016-03-09 · CVSS 9.8 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2016-2851 libotr: Integer overflow when receiving messages bigger than 4GB [epel-all]
bugzilla · 2016-03-09 · CVSS 9.8 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple suppo
Bugzilla
CVE-2016-2851 libotr3: libotr: Integer overflow when receiving messages bigger than 4GB [epel-all]
bugzilla · 2016-03-09 · CVSS 9.8 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multi
References
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.html
- http://seclists.org/fulldisclosure/2016/Mar/21
- http://www.debian.org/security/2016/dsa-3512
- http://www.securityfocus.com/archive/1/537745/100/0/threaded
- http://www.securityfocus.com/bid/84285
- http://www.ubuntu.com/usn/USN-2926-1
- https://lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.html
- https://security.gentoo.org/glsa/201701-10
- https://www.exploit-db.com/exploits/39550/
- https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/