SecurityTracker.com
SecurityTracker Archives
Category:   Application (Instant Messaging/IRC/Chat)  >   Trillian
Vendors:   Cerulean Studios
Trillian Integer Overflow and Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009220
SecurityTracker URL:  http://securitytracker.com/id/1009220
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 26 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Trillian 0.71-0.74 w/ patch f; Trillian Pro 1.0, 2.0, 2.01
Description:   Two buffer overflow vulnerabilities were reported in Trillian. A remote user can execute arbitrary code on the target user's system.

Stefan Esser of e-matters GmbH reported that Trillian is vulnerable to flaws recently discovered in the GAIM sourcecode.

A remote user can reportedly send a specially crafted DirectIM packet to trigger an integer overflow to execute arbitrary code.

It is also reported that a remote user can send a specially crafted Yahoo! Messenger packet with an oversized key name to trigger a stack overflow and execute arbitrary code.

The report indicates that this second vulnerability can no longer be exploited via Yahoo! servers, but can be exploited via a man-in-the-middle attack.

The vendor was reportedly notified on February 18, 2004.

The original advisory is available at:

http://security.e-matters.de/advisories/022004.html

Impact:   A remote user can execute arbitrary code on the target user's system with the privileges of the target user.
Solution:   The vendor has released a patch (0.74 Patch G), available at:

http://www.trillian.cc

Vendor URL:  www.trillian.cc/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Advisory 02/2004: Trillian remote overflows


                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: Trillian remote overflows
 Release Date: 2004/02/24
Last Modified: 2004/02/24
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: Trillian 0.71-0.74 w/ patch f
               Trillian Pro 1.0, 2.0, 2.01
     Severity: 2 vulnerabilities were found in the instant 
               messenger Trillian that allow remote compromise
         Risk: Critical
Vendor Status: Vendor has fixed and released patches
    Reference: http://security.e-matters.de/advisories/022004.html


Overview:

   Quote from http://www.trillian.cc
   
   "What is Trillian?
   
    Trillian is a skinnable, interoperable instant messaging client. 
    Grab the best IM client available on the Internet today! 
    Trillian .74 is completely free, with no spyware and no ads. 
    Over 10 million downloads can't be wrong!"
    
   While playing around with the recently found Gaim vulnerabilities
   it was discovered that two of them also affect Trillian and allow
   remote compromise.
   
      
Details:
   
   While testing the developed exploits against other instant
   messaging clients, it was discovered that Trillian, one of the
   most popular third-party instant messaging clients for the Windows
   operating system, is indeed vulnerable to the bugs discovered in
   the GAIM source code.
   
   The bugs in question are
   
   [01 - AIM/Oscar DirectIM Integer Overflow]
   
   When Trillian receives a DirectIM packet with a size above 8 KB
   it spawns a thread to receive the complete packet. This thread
   allocates a buffer for the incoming packet plus one extra byte.
   This procedure suffers from an integer overflow when the size
   is UINT_MAX: the size-plus-one computation wraps, and only a
   buffer of minimum size is allocated in that case. This buffer is
   then filled with multiple calls to recv(), which results in a
   heap overflow of arbitrary size.
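The allocation pattern described above, as an added example that is not code from the advisory, Trillian or GAIM: a size-plus-one computation in 32-bit unsigned arithmetic wraps to zero when the declared size is UINT_MAX, so the receive loop writes far past the buffer. The second half shows the two defender-side checks: a policy limit on the declared size (the DIRECTIM_MAX_PAYLOAD value is an assumption chosen for this example) and a receive loop that is bounded by the real buffer capacity rather than by the attacker-declared size. The byte stream standing in for the socket is constructed inline.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for one DirectIM payload; hypothetical value for this
 * example, not a limit taken from Trillian. */
#define DIRECTIM_MAX_PAYLOAD (1u << 20)

/* Mirrors the allocation the advisory describes: declared size plus one
 * extra byte, in 32-bit unsigned arithmetic. For size == UINT_MAX the
 * addition wraps and the result is 0. */
unsigned naive_buffer_len(unsigned declared)
{
    return declared + 1u;
}

/* How many bytes a recv() loop driven by `declared` would write past a
 * buffer sized by naive_buffer_len(). 0 means the buffer is large enough. */
uint64_t naive_shortfall(unsigned declared)
{
    unsigned allocated = naive_buffer_len(declared);
    if (allocated > declared)
        return 0;                               /* no wrap: room for every byte */
    return (uint64_t)declared - allocated;      /* wrapped: bytes written out of bounds */
}

/* Hardened version: the declared size is checked against a policy limit
 * before any arithmetic, which also rules out the wrap. Returns the byte
 * count to allocate, or 0 if the declared size is rejected. */
size_t checked_buffer_len(unsigned declared)
{
    if (declared > DIRECTIM_MAX_PAYLOAD)
        return 0;
    return (size_t)declared + 1u;               /* cannot wrap: declared <= 2^20 */
}

/* Bounded receive loop: `stream` stands in for the socket. Data is copied in
 * chunks (like partial recv() results) but never beyond `cap`, whatever the
 * peer declared. Returns the number of bytes written into buf. */
size_t bounded_receive(unsigned char *buf, size_t cap, unsigned declared,
                       const unsigned char *stream, size_t stream_len)
{
    size_t want = declared < cap ? declared : cap;  /* capacity wins over the declared size */
    size_t got = 0;
    while (got < want && got < stream_len) {
        size_t chunk = want - got;
        if (chunk > 1024)
            chunk = 1024;                           /* simulate a short read */
        if (chunk > stream_len - got)
            chunk = stream_len - got;
        memcpy(buf + got, stream + got, chunk);
        got += chunk;
    }
    return got;
}

/* Constructed scenario: a peer declares UINT_MAX bytes but the local buffer
 * holds 16; the bounded loop stops at 16. */
size_t demo_bounded_receive(void)
{
    unsigned char stream[64];                       /* constructed stand-in for socket data */
    unsigned char buf[16];
    memset(stream, 'A', sizeof stream);
    return bounded_receive(buf, sizeof buf, UINT_MAX, stream, sizeof stream);
}

int main(void)
{
    printf("naive_buffer_len(UINT_MAX) = %u\n", naive_buffer_len(UINT_MAX));
    printf("bytes written out of bounds = %llu\n",
           (unsigned long long)naive_shortfall(UINT_MAX));
    printf("checked_buffer_len(UINT_MAX) = %zu (0 = rejected)\n", checked_buffer_len(UINT_MAX));
    printf("bounded receive wrote %zu bytes\n", demo_bounded_receive());
    return 0;
}
```

On a 32-bit build size_t is also 32 bits wide, so the policy limit, not the wider type, is what prevents the wrap; checking the declared size against a limit before doing any arithmetic on it is the check that matters.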

   [02 - Yahoo Packet Parser Overflow]
   
   A Yahoo Messenger packet consists of a header and a list of keys
   with their associated values. When reading an oversized key name
   a standard stack overflow can be triggered.
   
   The code below has been part of Trillian since version 0.71, which
   was released on 18 December 2001. It was manually decompiled.
   The variable names were taken from the GAIM source code. If you
   compare the decompiled code with the code in yahoo.c (revision
   1.12 from 15 November 2001) you will realise that it is more or
   less identical. It is up to the reader to find an explanation of
   how this GPL licensed code snippet ended up in Trillian.
   
   
      int pos = 0;

      while (pos + 1 < len) {

         char key[64], *value = NULL;
         int x = 0, accept;

         struct yahoo *YAHOO = malloc(12);

         /* Copy the key up to the 0xc0 0x80 delimiter. There is no
          * check against the 64-byte key buffer: an oversized key
          * name writes past key[] and smashes the stack. */
         while (pos + 1 < len) {
            if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
               break;
            key[x++] = data[pos++];
         }
         key[x] = 0;
         pos += 2;
         YAHOO->key = atoi(key);
         accept = x;           /* an empty key means the value is skipped */

         if (accept) {
            value = malloc(len - pos + 1);
         }

         /* Copy the value up to the next delimiter. */
         while (pos + 1 < len) {
            if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
               break;
            if (accept) {
               value[x++] = data[pos++];
            }
         }

         if (accept) {
            value[x] = 0;
         }
         pos += 2;
         if (accept) {
            YAHOO->value = strdup(value);
            free(value);
         }

         return YAHOO;

      }
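A bounds-checked parser for the same key/value wire format, added here as an example and not code from the advisory, Trillian or GAIM. Keys and values are separated by the 0xc0 0x80 delimiter as in the decompiled snippet, the key buffer keeps the same 64-byte size, and the one difference that matters is that a key longer than the buffer is rejected instead of copied. Keys are required to be decimal numbers (the snippet passes them to atoi), pairs with an empty key are skipped as the original "accept" logic does, and a packet whose key or value lacks a terminator is treated as malformed. The struct name, the MAX limits and the sample packets are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define KEY_MAX 64          /* same fixed-size key buffer as the decompiled code */

struct yahoo_pair {         /* hypothetical name, chosen for this example */
    int key;
    char *value;            /* heap copy of the value, NUL-terminated */
};

/* Index of the next 0xc0 0x80 delimiter at or after pos, or len if none. */
static size_t find_delim(const unsigned char *data, size_t len, size_t pos)
{
    while (pos + 1 < len) {
        if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
            return pos;
        pos++;
    }
    return len;
}

void yahoo_free_pairs(struct yahoo_pair *pairs, int n)
{
    for (int i = 0; i < n; i++)
        free(pairs[i].value);
}

/* Parse key/value pairs into `out` (at most max_pairs of them).
 * Returns the number of pairs stored, or -1 if the packet is malformed:
 * a key that does not fit key[], a non-numeric key, or a missing delimiter.
 * On -1 every value allocated so far has been freed. */
int yahoo_parse_pairs(const unsigned char *data, size_t len,
                      struct yahoo_pair *out, size_t max_pairs)
{
    size_t pos = 0;
    int n = 0;

    while (pos + 1 < len && (size_t)n < max_pairs) {
        size_t kend = find_delim(data, len, pos);
        if (kend == len)
            goto fail;                          /* key without terminator */
        size_t klen = kend - pos;
        if (klen >= KEY_MAX)
            goto fail;                          /* the decompiled code wrote past key[64] here */

        char key[KEY_MAX];
        memcpy(key, data + pos, klen);
        key[klen] = '\0';
        for (size_t i = 0; i < klen; i++)
            if (key[i] < '0' || key[i] > '9')
                goto fail;                      /* keys are decimal numbers */
        pos = kend + 2;

        size_t vend = find_delim(data, len, pos);
        if (vend == len)
            goto fail;                          /* value without terminator */
        size_t vlen = vend - pos;
        if (klen > 0) {                         /* empty key: skip the value, like "accept" */
            char *value = malloc(vlen + 1);
            if (!value)
                goto fail;
            memcpy(value, data + pos, vlen);
            value[vlen] = '\0';
            out[n].key = atoi(key);
            out[n].value = value;
            n++;
        }
        pos = vend + 2;
    }
    return n;

fail:
    yahoo_free_pairs(out, n);
    return -1;
}

/* Constructed sample packet body: an empty-key pair that is skipped, then
 * key 1 = "hello" and key 5 = "world". Separate literals keep the hex
 * escapes from swallowing the following characters. */
static const unsigned char SAMPLE[] =
    "\xc0\x80" "skip" "\xc0\x80"
    "1" "\xc0\x80" "hello" "\xc0\x80"
    "5" "\xc0\x80" "world" "\xc0\x80";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Constructed malformed packet: a 100-digit key, which the decompiled code
 * would copy into key[64]. The checked parser rejects it with -1. */
int demo_oversized_key(void)
{
    unsigned char pkt[128];
    size_t n = 100;
    memset(pkt, '1', n);
    pkt[n++] = 0xc0; pkt[n++] = 0x80;
    pkt[n++] = 'v';
    pkt[n++] = 0xc0; pkt[n++] = 0x80;
    struct yahoo_pair pairs[4];
    return yahoo_parse_pairs(pkt, n, pairs, 4);
}
```

Calling yahoo_parse_pairs(SAMPLE, SAMPLE_LEN, pairs, 8) yields two pairs (1/"hello", 5/"world"), and demo_oversized_key() returns -1. Rejecting the oversized key early is preferable to truncating it silently, since a key that does not fit the protocol's own size cannot be a legitimate key.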
   
   Finally, it has to be mentioned that it is no longer possible
   to exploit the second vulnerability through the Yahoo! servers.
   It is not known what Yahoo! has changed or why, but they
   no longer transport unknown keys. We were only able to
   exploit the vulnerability with man-in-the-middle attacks.
   This can be considered good news because it will make it
   impossible to write a widespread worm.
   
   Although Trillian Pro is compiled with the Visual Studio
   stack overflow protection, it is possible to exploit this
   vulnerability by simply overflowing up to the stack top and
   abusing the power of structured exception handlers.
   

Proof of Concept:

   e-matters is not going to release an exploit for any of these 
   vulnerabilities to the public. 
  

Disclosure Timeline:

   18. February 2004 - Cerulean Studios were contacted over their
                       forum and a mail was sent to the domain
                       owner because mails to security@trillian.org
                       simply bounce back and there is no other way
                       to contact them
   19. February 2004 - Cerulean Studios acknowledged the mail
   20. February 2004 - Cerulean Studios gave us the patches to test
                       Patches were verified and we were notified
                       that they plan to release them on Monday
   23. February 2004 - Nothing happened...
   24. February 2004 - Cerulean Studios have released the patched
                       versions


Recommendation:

   As usual, it is recommended to download the update from the Trillian
   homepage at
   
   http://www.trillian.cc
   
   We are not aware of any public exploit for these vulnerabilities,
   but anyone who has developed an exploit for the GAIM vulnerabilities
   could change it easily to work against Trillian, too.
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6


Copyright 2004 Stefan Esser. All rights reserved.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
