[NEWS] Cerulean Studios Trillian Multiple IRC Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Cerulean Studios Trillian Multiple IRC Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.ceruleanstudios.com/learn/> Cerulean Studios Trillian is "a
multi-protocol chat application that supports IRC, ICQ, AIM and MSN
protocols".

Remote exploitation of multiple vulnerabilities in the Internet Relay Chat
(IRC) module of Cerulean Studios' Trillian could allow for the
interception of private conversations or execution of code as the
currently logged on user.

DETAILS

Vulnerable Systems:
* Cerulean Studios Trillian version 3.1.

When handling long CTCP PING messages containing UTF-8 characters, it is
possible to cause the Trillian IRC client to return a malformed response
to the server. This malformed response is truncated and is missing the
terminating newline character. This could allow the next line sent to the
server to be improperly sent to an attacker.
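As an added illustration (not from the original advisory and not Trillian's code), the C sketch below builds a CTCP PING reply that always ends in CRLF, truncating the payload on a UTF-8 character boundary. The function names are hypothetical; the 512-byte line limit is the one in RFC 1459, and the NOTICE form is the usual CTCP reply format.

```c
#include <stdio.h>
#include <string.h>

#define IRC_LINE_MAX 512 /* RFC 1459 line limit, CRLF included */

/* Longest prefix of s, at most max bytes, that does not end inside a
 * UTF-8 sequence (s is assumed to be valid UTF-8 of length len). */
static size_t utf8_safe_prefix(const char *s, size_t len, size_t max)
{
    size_t n = max;
    if (len <= max)
        return len;
    /* s[n] is the first dropped byte; back up while it is 10xxxxxx. */
    while (n > 0 && ((unsigned char)s[n] & 0xC0) == 0x80)
        n--;
    return n;
}

/* Hypothetical helper: writes "NOTICE <nick> :\001PING <payload>\001\r\n"
 * into out (IRC_LINE_MAX + 1 bytes). Returns the line length, or 0 when
 * no terminated line fits, so a caller never sends a line without CRLF. */
size_t build_ctcp_ping_reply(char *out, const char *nick, const char *payload)
{
    static const char tail[] = "\001\r\n";
    const size_t tail_len = sizeof tail - 1;
    int head = snprintf(out, IRC_LINE_MAX + 1, "NOTICE %s :\001PING ", nick);
    if (head < 0 || (size_t)head + tail_len > IRC_LINE_MAX) {
        out[0] = '\0';
        return 0;
    }
    /* Stop at any embedded line break or CTCP delimiter in the payload. */
    size_t plen = strcspn(payload, "\r\n\001");
    size_t room = IRC_LINE_MAX - (size_t)head - tail_len;
    plen = utf8_safe_prefix(payload, plen, room);
    memcpy(out + head, payload, plen);
    memcpy(out + head + plen, tail, tail_len + 1); /* copies the NUL too */
    return (size_t)head + plen + tail_len;
}

int main(void)
{
    char line[IRC_LINE_MAX + 1];
    /* Constructed sample: short payload ending in a 3-byte character. */
    size_t n = build_ctcp_ping_reply(line, "bob", "1177977600 \xE2\x82\xAC");
    printf("%zu bytes, CRLF-terminated: %d\n", n,
           n >= 2 && line[n - 2] == '\r' && line[n - 1] == '\n');
    return 0;
}
```

The space for the terminator is reserved before the payload is measured, so truncation can only shorten the payload, never drop the CRLF.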

When a user highlights a URL in an IRC message window, Trillian copies the
data to an internal buffer. If the URL contains a long string of UTF-8
characters, it is possible to overflow a heap-based buffer, corrupting
memory in a way that could allow for code execution.

A heap overflow can be triggered remotely when the Trillian IRC module
receives a message that contains a font face HTML tag with the face
attribute set to a long UTF-8 string.

Exploitation of these vulnerabilities allows remote attackers to intercept
private communications for Trillian IRC users or execute code with the
credentials of the currently logged on user.

In order to exploit the highlighted URL vulnerability, users would have to
highlight the malicious URL.

Vendor Status:
Cerulean Studios has addressed these vulnerabilities within version
3.1.5.0 of Trillian. For more information, visit their blog at the
following URL.
http://blog.ceruleanstudios.com/

Disclosure Timeline:
* 01/24/2007 - Initial vendor notification
* 01/30/2007 - Initial vendor response
* 04/30/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=522


