A vulnerability in “libotr,” the C code implementation of the Off-the-Record (OTR) protocol that is used in many secure instant messengers such as ChatSecure, Pidgin, Adium and Kopete, could be exploited by attackers to crash an app using libotr or execute remote code on the user’s machine.
“An attacker could execute his own code inside the instant messaging application. He could hack the victims computer using this or alternatively just steal the encryption keys and the chat logs from the messenger,” Markus Vervier, managing director of German app sec testing firm X41 D-SEC and discoverer of the vulnerability told Help Net Security.
The memory corruption vulnerability (CVE-2016-2851) can be triggered remotely by sending a specially crafted large message. The attacker does not have to be in the victim’s contact list in order to perform the attack, and no special user interaction or authorization is necessary to trigger the flaw in default configurations.
The bug is present in libotr versions 4.1.0 and below. Its developers – the OTR Development Team – have already plugged in the newly issued libotr v4.1.1.
ChatSecure has released an update of its app with the fix, and so has Adium with v188.8.131.52 of the app.
The good news is that there is no indication that the bug is being currently exploited in the wild. But, with details about the flaw and a PoC released in the company’s security advisory, it’s only be a matter of time until others come up with a working exploit.
“Interestingly enough, the bug was noticed last year by known security researchers Dan Kaminsky, Thomas H. Ptacek and others but was mistakenly disregarded,” Vervier told us.