[NT] Trillian Remote Buffer Overflows (DirectIM, Parser)
From: SecuriTeam (support_at_securiteam.com)
Date: 02/26/04
To: list@securiteam.com Date: 26 Feb 2004 11:15:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Trillian Remote Buffer Overflows (DirectIM, Parser)
------------------------------------------------------------------------
SUMMARY
<http://www.ceruleanstudios.com/> "Trillian is a skinnable, interoperable
instant messaging client. Grab the best IM client available on the
Internet today! Trillian .74 is completely free, with no spyware and no
ads. Over 10 million downloads can't be wrong!"
While playing around with the recently found Gaim vulnerabilities it was
discovered that two of them also affect Trillian and allow remote
compromise.
DETAILS
Vulnerable Systems:
* Trillian versions 0.71-0.74 w/ patch F
* Trillian Pro versions 1.0, 2.0, 2.01
Immune Systems:
* Trillian versions with patch G
While testing the developed exploits against other instant messaging
clients it was discovered that Trillian, one of the most popular third-party
instant messaging clients for the Windows operating system, is indeed
vulnerable to the bugs discovered in the GAIM source code.
The bugs in question are:
AIM/Oscar DirectIM Integer Overflow
When Trillian receives a DirectIM packet with a size above 8 KB it spawns a
thread to receive the complete packet. This thread allocates a buffer for
the incoming packet plus one extra byte. This procedure suffers from an
integer overflow when the size is UINT_MAX: size + 1 wraps around to zero,
so only a buffer of minimum size is allocated in that case. This buffer is
then filled with multiple calls to recv(), which results in an arbitrary
size heap overflow.
Yahoo Packet Parser Overflow
A Yahoo Messenger packet consists of a header and a list of keys with their
associated values. When reading an oversized key name a standard stack
overflow can be triggered.
The code below is part of Trillian since version 0.71, which was released
on the 18th December 2001. It was manually decompiled. The variable names
were taken from the GAIM source code. If you compare the decompiled code
with the code in yahoo.c (revision 1.12 from 15th November 2001) you will
realize that it is more or less identical. It is up to the reader to find
an explanation of how this GPL licensed code snippet ended up in Trillian.
#include <stdlib.h>
#include <string.h>

/* The struct definition, the wrapping function name and the trailing
   return NULL were added here only so the decompiled fragment compiles;
   they are not part of the decompilation. data is the packet body after
   the header, len its length. The vulnerable logic is unchanged. */
struct yahoo {
    int key;
    char *value;
};

struct yahoo *yahoo_packet_read_pair(unsigned char *data, int len)
{
    int pos = 0;
    while (pos + 1 < len) {
        char key[64], *value = NULL;
        int x = 0, accept;
        struct yahoo *YAHOO = malloc(12);
        /* the key is copied up to the 0xc0 0x80 separator with no bound
           check, so a key name longer than 63 bytes overflows key[64] */
        while (pos + 1 < len) {
            if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
                break;
            key[x++] = data[pos++];
        }
        key[x] = 0;
        pos += 2;
        YAHOO->key = atoi(key);
        accept = x;
        if (accept) {
            value = malloc(len - pos + 1);
        }
        while (pos + 1 < len) {
            if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
                break;
            if (accept) {
                value[x++] = data[pos++];
            }
        }
        if (accept) {
            value[x] = 0;
        }
        pos += 2;
        if (accept) {
            YAHOO->value = strdup(value);
            free(value);
        }
        return YAHOO;
    }
    return NULL;
}
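For comparison, the following is an added hardened counterpart to the two defects described in this advisory (the DirectIM size + 1 wrap and the unbounded key copy above). It is example code written for this page, not Trillian's or Gaim's, and assumes the DirectIM size field is an unsigned int, the same 0xc0 0x80 separator, and a 64-byte key buffer.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* DirectIM sizing: the original computed size + 1 in an unsigned int, which
 * wraps to 0 for size == UINT_MAX and yields a minimum-size heap buffer. */
bool directim_alloc_size(unsigned int size, size_t *out)
{
    if (size == UINT_MAX)        /* size + 1 would wrap; refuse the packet */
        return false;
    *out = (size_t)size + 1;
    return true;
}

/* Bounded Yahoo key/value reader. Returns bytes consumed, or -1 when the key
 * is empty or would not fit key[64] with its NUL, or a separator is missing.
 * On success *value_out is malloc'd and owned by the caller. */
int yahoo_read_pair_safe(const unsigned char *data, int len,
                         int *key_out, char **value_out)
{
    char key[64];
    int pos = 0, x = 0, start;

    /* key bytes run up to the 0xc0 0x80 separator; stop before overflowing */
    while (pos + 1 < len && !(data[pos] == 0xc0 && data[pos + 1] == 0x80)) {
        if (x >= (int)sizeof key - 1)
            return -1;
        key[x++] = data[pos++];
    }
    if (pos + 1 >= len || x == 0)
        return -1;
    key[x] = 0;
    pos += 2;
    *key_out = atoi(key);

    /* value bytes run up to the next separator; copy exactly that many */
    start = pos;
    while (pos + 1 < len && !(data[pos] == 0xc0 && data[pos + 1] == 0x80))
        pos++;
    if (pos + 1 >= len)
        return -1;
    *value_out = malloc((size_t)(pos - start) + 1);
    if (*value_out == NULL)
        return -1;
    memcpy(*value_out, data + start, (size_t)(pos - start));
    (*value_out)[pos - start] = 0;
    return pos + 2;
}
```

Unlike the decompiled routine, an empty key or a missing separator is reported as an error rather than looping or reading past the packet.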
Finally it has to be mentioned that it is no longer possible to exploit
the second vulnerability through the Yahoo! servers. It is not known what
Yahoo! changed or why, but their servers no longer transport unknown keys.
We were only able to exploit the vulnerability with man-in-the-middle
attacks. This can be considered good news because this will make it
impossible to write a widespread worm.
Although Trillian Pro is compiled with the Visual Studio stack overflow
protection it is possible to exploit this vulnerability by simply
overflowing up to the stack top and abusing the power of structured
exception handlers.
Solution:
Cerulean Studios has released patch G to solve these issues.
Disclosure Timeline:
18 February 2004 - Cerulean Studios were contacted over their forum and a
mail was sent to the domain owner because mails to security@trillian.cc
simply bounce back and there is no other way to contact them
19 February 2004 - Cerulean Studios acknowledged the mail
20 February 2004 - Cerulean Studios gave us the patches to test. Patches
were verified and we were notified that they plan to release them on
Monday
23 February 2004 - Nothing happened...
24 February 2004 - Cerulean Studios have released the patched versions
ADDITIONAL INFORMATION
The information has been provided by <mailto:s.esser@e-matters.de> Stefan
Esser.
The original article can be found at:
<http://security.e-matters.de/advisories/022004.html>