Category:   Application (Instant Messaging/IRC/Chat)  >   Trillian
Vendors:   Cerulean Studios
Trillian Can Be Crashed By Remote Users Sending a Malformed 'TypingUser' Message
SecurityTracker Alert ID:  1007119
SecurityTracker URL:  http://securitytracker.com/id/1007119
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 7 2003
Impact:   Denial of service via network

Version(s): 1.0 Pro, 0.74
Description:   A denial of service vulnerability was reported in Trillian. A remote user can cause the client to crash.

It is reported that a remote user can send a malformed 'TypingUser' message that replaces any of the characters in 'TypingUser' to trigger a crash within msn.dll.

Impact:   A remote user can cause a target user's Trillian client to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.trillian.cc/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 04 Jul 2003 18:09:55 -0400
Subject:  Trillian Remote DoS


Application:    Trillian
Developer(s):   Cerulean Studios (http://www.trillian.cc)
Scope:          Remote DoS & Possible Exploit
Tested on:      Trillian 1.0 Pro, 0.74 Freeware

It is possible to crash Trillian by sending a corrupt 'TypingUser' message. 
Replacing any of the characters in 'TypingUser' will cause Trillian to 
crash. If more than 10 characters are used, or if the colon is omitted, 
Trillian will not crash. The crash occurs due to a function within msn.dll 
for both Trillian 1 and 0.74. This may be exploitable further.

In order to exploit this condition, no code is necessary - simply hex edit 
a messenger client, replacing the string 'TypingUser' with any other 
string of the same length (or simply changing a letter or two). However 
this method of exploitation does break Microsoft's EULA/TOS, and you are 
not encouraged to utilize a broken client in this way except in an 
educational context. This 'hack' also prevents other non-Trillian Messenger 
clients from detecting when a user is typing.

Crash Summary:

MOV ECX,DWORD PTR DS:[EDX]  ; EDX is uninitialized

The crash looks something like this:

Instruction at 0x####8826 referenced memory at 0x00000000

Sample TCP session to crash Trillian:

MIME-Version: 1.0
Content-Type: text/x-msmsgscontrol
TypingXxxx: attacker@blah.com

Our preliminary tests showed that memory was not manipulable, and thus this 
bug is not exploitable further than DoS. Please make further research 
public if you discover otherwise.




____________________ __ _
~FluRDoInG                        flur@flurnet.org
                             http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4
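
The null read reported above is what a handler produces when it uses the result of a header lookup without checking that the lookup succeeded. The following is an added example, not code from the advisory or from Trillian: a parser for the `text/x-msmsgscontrol` message shown in the report that drops an unrecognized header instead of dereferencing a missing value. The function names, result codes and the exact-case header match are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for this hypothetical parser. */
enum ctl_result { CTL_TYPING = 0, CTL_IGNORED = 1, CTL_MALFORMED = 2 };

/* Find header `name` in LF- or CRLF-separated "Name: value" lines.
 * Returns a pointer into `msg` and sets *len, or NULL when absent.
 * Exact-case match is a simplification made for this example. */
static const char *find_header(const char *msg, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = msg;
    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        if (!eol) eol = line + strlen(line);
        /* Line must be longer than the name so line[nlen] is in bounds. */
        if ((size_t)(eol - line) > nlen &&
            strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < eol && *v == ' ') v++;
            *len = (size_t)(eol - v);
            return v;
        }
        line = eol;
        while (*line == '\r' || *line == '\n') line++;
    }
    return NULL;
}

/* Parse a control message. Copies the typing user's address into `out`
 * only when a well-formed TypingUser header is present. */
enum ctl_result parse_control(const char *msg, char *out, size_t outsz)
{
    size_t len = 0;
    const char *ct = find_header(msg, "Content-Type", &len);
    if (!ct || len < 20 || strncmp(ct, "text/x-msmsgscontrol", 20) != 0)
        return CTL_IGNORED;            /* not a control message */
    const char *user = find_header(msg, "TypingUser", &len);
    if (!user)                         /* e.g. "TypingXxxx:" from the report */
        return CTL_IGNORED;            /* unknown header: drop, never dereference */
    if (len == 0 || len >= outsz || !memchr(user, '@', len))
        return CTL_MALFORMED;          /* empty, oversized or not an address */
    memcpy(out, user, len);
    out[len] = '\0';
    return CTL_TYPING;
}
```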

 
 


Copyright 2013, SecurityGlobal.net LLC