Black Lantern Security (BLSOPS)


CVE-2023-3433 & CVE-2023-3434 - Jami Local Denial Of Service and Passing Strings to QRC URL Vulnerabilities

Public Disclosure of 2 Vulnerabilities found within GNU Jami (Multiple Versions)

Mason Corkern
Jul 14, 2023

Savoir-faire Linux’s Jami is free, open source, peer-to-peer, end-to-end encrypted instant messaging software. Black Lantern Security (BLS) researchers found 2 vulnerabilities in the Windows client that allow a local Denial of Service (DoS) and the passing of strings to QRC URLs in Windows.

CVE-2023-3433 - Local Denial of Service through Forced Deadlock

BLS researchers determined that the “nickname” field within the user profile management section of the application was not fully sanitizing input. When <foo> was inserted into the nickname field, the application was forced to try to resolve the special characters but had no path forward, resulting in a deadlock. This deadlock effectively resulted in a local DoS for the application. As long as these special characters were in the “nickname” field, no messages could be sent or received by the user.


Patch: https://review.jami.net/c/jami-daemon/+/23575

CVE-2023-3434: Passing Strings to QRC URLs

BLS researchers identified that when users send messages containing custom HTML anchor tags, the string within the HTML is passed to Windows to handle as a QRC URL. As a result, an unsuspecting user can receive a specially crafted message and believe it contains a traditional hyperlink, when in reality an attacker can pass string values to an unexpected QRC URL for Windows to execute.

Sending the following message:

<a href="maliciousQRCcomponent" id="fuzzelement1">test</a>

Creates a standard hyperlink message:

However, by clicking the link, Windows attempts to open:

qrc:/components/maliciousQRCcomponent

Patch: https://review.jami.net/c/jami-client-qt/+/23569
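The resolution behaviour described above, next to a scheme allowlist check that a client could apply before opening a clicked link. This is an added example, not Jami's code and not the upstream patch; the base URL `qrc:/components/` is an assumption inferred from the resolved URL shown above, and the function names and the second to fifth sample hrefs are constructed for illustration.

```javascript
// Added example: not Jami's code and not the upstream patch.
// Assumption: hrefs are resolved against this base, inferred from the
// qrc:/components/... URL shown in the write-up.
const ASSUMED_BASE = "qrc:/components/";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Behaviour as described: an href with no scheme inherits the base's
// scheme and path, so plain text from a message becomes a qrc: URL.
function naiveResolve(href) {
  return new URL(String(href), ASSUMED_BASE).href;
}

// Hardened check: the href must parse as an absolute URL on its own
// (no base supplied) and its scheme must be on the allowlist.
function classifyLink(href) {
  let parsed;
  try {
    parsed = new URL(String(href)); // relative hrefs throw here
  } catch (e) {
    return { open: false, reason: "relative-or-malformed" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { open: false, reason: "scheme-not-allowed:" + parsed.protocol };
  }
  return { open: true, url: parsed.href };
}

// First href is the one from the write-up; the rest are constructed samples.
const samples = [
  "maliciousQRCcomponent",
  "qrc:/components/constructed-sample",
  "file:///C:/constructed-sample",
  "javascript:void(0)",
  "https://jami.net/",
];
for (const href of samples) {
  console.log(href, "=>", naiveResolve(href), JSON.stringify(classifyLink(href)));
}
```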

Both of these vulnerabilities are patched in the latest Windows Beta and live client.


Disclosure Timeline

2023-01-04: Contacted Savoir-Faire Linux/Jami team
2023-01-04: Patches were created
2023-01-05: Patches were Merged
2023-01-05: Patched in Beta
2023-01-05: Initial Response from Savoir-Faire Linux
2023-01-15: Received Response Re-Confirming Patch
2023-03-07: Received Permission from Savoir-Faire Linux to Write a Blog Post and Seek CVEs
2023-04-06: Confirmed Patch in Live Build
2023-07-14: Public Disclosure
