Advisory: Trillian remote overflows Release Date: 2004/02/24 Last Modified: 2004/02/24 Author: Stefan Esser [s.esser@e-matters.de]
Application: Trillian 0.71-0.74 w/ patch f Trillian Pro 1.0, 2.0, 2.01 Severity: 2 vulnerabilities were found in the instant messenger Trillian that allow remote compromise Risk: Critical Vendor Status: Vendor has fixed and released patches Reference: hxxp://security.e-matters.de/advisories/022004.html
Overview:
Quote from hxxp://www.trillian.cc
"What is Trillian?
Trillian is a skinnable, interoperable instant messaging client. Grab the best IM client available on the Internet today! Trillian .74 is completely free, with no spyware and no ads. Over 10 million downloads can't be wrong!"
While playing around with the recently found Gaim vulnerabilities it was discovered that two of them also affect Trillian and allow remote compromise.
Details:
While testing the developed exploits against other instant messaging clients it was discovered that Trillian as one of the most popular 3rd party instant client for the windows operating system is indeed vulnerable to the bugs discovered in the GAIM sourcecode
The bugs in question are
[01 - AIM/Oscar DirectIM Integer Overflow]
When Trillian receives a DirectIM packet with a size above 8kb it spawns a thread to receive the complete packet. This thread allocates a buffer for the incoming packet and one extra byte. This procedure suffers from an integer overflow when the size is UINT_MAX and will only allocate a buffer of minimum size in that case. This buffer is then filled with multiple calls to recv() which will result in an arbitrary size heap overflow.
[02 - Yahoo Packet Parser Overflow]
A Yahoo Messenger packet consist of a header and a list of keys with their associated values. When reading an oversized keyname a standard stackoverflow can be triggered.
The code below is part of Trillian since version 0.71 which was released on the 18th december 2001. It was manually decompiled. The variable names were taken from the GAIM source code. If you compare the decompiled code with the code in yahoo.c (revision 1.12 from 15th nov 2001) you will realise that it is more or less identical. It is up to the reader to find an explanation how this GPL licensed codesnippet ended up in Trillian.
while (pos + 1 < len) { if (data[pos] == 0xc0 && data[pos + 1] == 0x80) break; if (accept) { value[x++] = data[pos++]; } }
if (accept) { value[x] = 0; } pos += 2; if (accept) { YAHOO->value = strdup(value); free(value); }
return YAHOO;
}
Finally it has to be mentioned, that it is no longer possible to exploit the second vulnerability through the Yahoo! servers. It is not known what and why Yahoo! has changed, but they do not longer transport unknown keys. We were only able to exploit the vulnerability with man in the middle attacks. This can be considered good news because this will make it impossible to write a widespread worm.
Although Trillian Pro is compiled with the Visual Studio stackoverflow protection it is possible to exploit this vulnerability by simply overflowing up to the stack top and abusing the power of structured exception handlers.
Proof of Concept:
e-matters is not going to release an exploit for any of these vulnerabilities to the public.
Disclosure Timeline:
18. February 2004 - Cerulean Studios were contacted over their forum and a mail was sent to the domain owner because mails to security@trillian.org simply bounce back and there is no other way to contact them 19. February 2004 - Cerulean Studios acknowledged the mail 20. February 2004 - Cerulean Studios gave us the patches to test Patches were verified and we were notified that they plan to release them on Monday 23. February 2004 - Nothing happened... 24. February 2004 - Cerulean Studios have released the patched versions
Recommendation:
As usual it is recommend to download the update from the Trillian homepage at
hxxp://www.trillian.cc
We are not aware of any public exploit for these vulnerabilities, but anyone who has developed an exploit for the GAIM vulnerabilities could change it easily to work against Trillian, too.
