Trillian patch G released

Discussion in 'other security issues & news' started by JayK, Feb 25, 2004.

Thread Status:
Not open for further replies.
  1. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    http://www.ceruleanstudios.com/news_press/index.php


    Also from Security focus.


    e-matters GmbH
    www.e-matters.de

    -= Security Advisory =-



    Advisory: Trillian remote overflows
    Release Date: 2004/02/24
    Last Modified: 2004/02/24
    Author: Stefan Esser [s esser e-matters de]

    Application: Trillian 0.71-0.74 w/ patch f
    Trillian Pro 1.0, 2.0, 2.01
    Severity: 2 vulnerabilities were found in the instant
    messenger Trillian that allow remote compromise
    Risk: Critical
    Vendor Status: Vendor has fixed and released patches
    Reference: http://security.e-matters.de/advisories/022004.html


    Overview:

    Quote from http://www.trillian.cc

    "What is Trillian?

    Trillian is a skinnable, interoperable instant messaging client.
    Grab the best IM client available on the Internet today!
    Trillian .74 is completely free, with no spyware and no ads.
    Over 10 million downloads can't be wrong!"

    While playing around with the recently found Gaim vulnerabilities
    it was discovered that two of them also affect Trillian and allow
    remote compromise.


    Details:

    While testing the developed exploits against other instant
    messaging clients it was discovered that Trillian as one of the
    most popular 3rd party instant client for the windows operating
    system is indeed vulnerable to the bugs discovered in the GAIM
    sourcecode

    The bugs in question are

    [01 - AIM/Oscar DirectIM Integer Overflow]

    When Trillian receives a DirectIM packet with a size above 8kb
    it spawns a thread to receive the complete packet. This thread
    allocates a buffer for the incoming packet and one extra byte.
    This procedure suffers from an integer overflow when the size
    is UINT_MAX and will only allocate a buffer of minimum size
    in that case. This buffer is then filled with multiple calls to
    recv() which will result in an arbitrary size heap overflow.

    [02 - Yahoo Packet Parser Overflow]

    A Yahoo Messenger packet consist of a header and a list of keys
    with their associated values. When reading an oversized keyname
    a standard stackoverflow can be triggered.

    The code below is part of Trillian since version 0.71 which was
    released on the 18th december 2001. It was manually decompiled.
    The variable names were taken from the GAIM source code. If you
    compare the decompiled code with the code in yahoo.c (revision
    1.12 from 15th nov 2001) you will realise that it is more or
    less identical. It is up to the reader to find an explanation
    how this GPL licensed codesnippet ended up in Trillian.


    int pos = 0;

    while (pos + 1 < len) {

    char key[64], *value = NULL;
    int x = 0, accept;

    struct yahoo *YAHOO = malloc(12);

        while (pos + 1 < len) {
    if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
    break;
    key[x++] = data[pos++];
    }
    key[x] = 0;
    pos += 2;
    YAHOO->key = atoi(key);
    accept = x;
       
    if (accept) {
    value = malloc(len - pos + 1);
    }

    while (pos + 1 < len) {
    if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
    break;
    if (accept) {
    value[x++] = data[pos++];
    }
    }

    if (accept) {
    value[x] = 0;
    }
    pos += 2;
    if (accept) {
    YAHOO->value = strdup(value);
    free(value);
    }

    return YAHOO;

    }

    Finally it has to be mentioned, that it is no longer possible
    to exploit the second vulnerability through the Yahoo! servers.
    It is not known what and why Yahoo! has changed, but they
    do not longer transport unknown keys. We were only able to
    exploit the vulnerability with man in the middle attacks.
    This can be considered good news because this will make it
    impossible to write a widespread worm.

    Although Trillian Pro is compiled with the Visual Studio
    stackoverflow protection it is possible to exploit this
    vulnerability by simply overflowing up to the stack top and
    abusing the power of structured exception handlers.


    Proof of Concept:

    e-matters is not going to release an exploit for any of these
    vulnerabilities to the public.


    Disclosure Timeline:

    18. February 2004 - Cerulean Studios were contacted over their
    forum and a mail was sent to the domain
    owner because mails to security trillian org
    simply bounce back and there is no other way
    to contact them
    19. February 2004 - Cerulean Studios acknowledged the mail
    20. February 2004 - Cerulean Studios gave us the patches to test
    Patches were verified and we were notified
    that they plan to release them on Monday
    23. February 2004 - Nothing happened...
    24. February 2004 - Cerulean Studios have released the patched
    versions


    Recommendation:

    As usual it is recommend to download the update from the Trillian
    homepage at

    http://www.trillian.cc

    We are not aware of any public exploit for these vulnerabilities,
    but anyone who has developed an exploit for the GAIM vulnerabilities
    could change it easily to work against Trillian, too.


    GPG-Key:

    http://security.e-matters.de/gpg_key.asc

    pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
    Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6


    Copyright 2004 Stefan Esser. All rights reserved.
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Just to be on the safe side, make sure you go back and check all your settings in Trillian after you apply that update to make sure everything's still the way you want it. Pete
     
Loading...
Thread Status:
Not open for further replies.