Skip to main content

Severe Remote Memory Corruption Vulnerability in libotr / Off-the-Record Messaging (OTR) Discovered

posted onMarch 10, 2016
by l33tdawg

Off-the-Record (OTR) Messaging is a cryptographic protocol used in well-known instant messaging clients such as Pidgin, ChatSecure, Adium and others. It is designed to work on top of existing protocols and used worldwide to provide secure communication in insecure environments. OTR is regarded as highly secure and according to documents revealed by Edward Snowden one of the protocols that the NSA is not able to decrypt via cryptanalysis. The most commonly used implementation of OTR is "libotr" which is a pure C code implementation of the OTR protocol.

A remote attacker may crash or execute arbitrary code in libotr by sending large OTR messages. While processing specially crafted messages, attacker controlled data on the heap is written out of bounds. No special user interaction or authorization is necessary in default configurations.


Recent News

Tuesday, November 14th

Sunday, November 12th

Friday, November 10th

Wednesday, November 8th

Monday, November 6th