SecurityTracker.com





Category:  Application (Instant Messaging/IRC/Chat)  >  Trillian
Vendors:  Cerulean Studios
Trillian Chat Client Can Be Crashed By Remote Users Sending Special Characters Via AIM Service
SecurityTracker Alert ID:  1005292
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 26 2002
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): .74
Description:  Another denial of service vulnerability was reported in the Trillian chat client. A remote user can send specially crafted text sequences via the AOL Instant Messenger (AIM) service to cause the Trillian client to crash.

ComputerSecurityNow reported that a remote user can trigger an exception in trillian.exe (TALK.DLL) by sending a message via AIM with one of the following strings in the message:

P > O < C
3 > 3 < 3
computer > security < now

[Editor's note: Some users have reported being unable to reproduce this flaw.]

Impact:  A remote user can cause the client to crash.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.ceruleanstudios.com/
Cause:  Exception handling error
Underlying OS:  Windows (Any)
Reported By:  Spikeman <spikeman@computersecuritynow.com>
Message History:   None.


 Source Message Contents

Date:  Mon, 23 Sep 2002 06:53:26 -0500 (CDT)
From:  Spikeman <spikeman@computersecuritynow.com>
Subject:  Trillian Remote DoS Attack - AIM

 

Advisory Url:
http://www.computersecuritynow.com/modules.php?op=modload&name=News&file=article&sid=817&mode=thread&order=0&thold=0

########################################################
# ComputerSecurityNow Advisory Sep 23 2002
# Trillian Remote DoS Attack - AIM
# Spikeman - spikeman at computersecuritynow dot com
# http://www.computersecuritynow.com/
########
# Thanks to Mith(www.derisive.net) for debugging dump
# logs and being a test subject.

Background on Trillian

Trillian allows you to Connect to ICQ, AIM, MSN Messenger,
Yahoo! Messenger and IRC in a single application.

Vulnerable Applications

Trillian .73 and .74 were tested; unknown for 1.0 pro or any earlier versions.
Tested on Win98/ME/2k/NT 4 while using AOL AIM services.
Tested MSN Messenger and it is unaffected.
Tested ICQ and it is unaffected.

Impact

Trillian crashes and you have to restart. Bonus is if you keep crashing
the person, AIM services will ban them for login flooding (Timed Ban).

Dumps when Trillian crashes.

1] The instruction at "0x022160df" referenced memory at "0x2228aa2c".
   The memory could not be "read".

2] Unhandled exception in trillian.exe (TALK.DLL): 0xC0000005: Access Violation.

3] 022160DF mov ecx,dword ptr [ebx+edx]

4] TRILLIAN caused an invalid page fault in module TALK.DLL at 0167:017660df.
   Registers:
   EAX=017a0078 CS=0167 EIP=017660df EFLGS=00010216
   EBX=1fffffff SS=016f ESP=006a9580 EBP=006a95a0
   ECX=017a11dc DS=016f ESI=00000008 FS=2a3f
   EDX=018f01dd ES=016f EDI=31000001 GS=2a67
   Bytes at CS:EIP:
   8b 0c 13 f6 c1 01 89 4d f8 75 7f c1 f9 04 6a 3f
   Stack dump:
   018f1af2 018f01e1 00000066 bff7b99f 017a11dc 1fffffff 01765f71 31000001
   018f1ac0 01762783 018a000c 018f01e1 018f01e1 0172e142 018f01e1 018f0210

#########################
# Offending Data String #
#########################

Send an AOL IM to someone with this string anywhere in the message
(the spaces must be there)

P > O < C

And it will cause the application to crash.

Other data strings do work, i.e.

ee > 3e < 3dsaf
3 > 3 < 3
computer > security < now

##############
# Extra Data #
##############

This is a remote DoS only, sending from Trillian will not crash the local client.

I have found out that not all data strings work, such as

e > e < i

will send through and post

e > e

Could this be an html parsing issue? i (italic) b (bold) and u (underline)
all do the same as above, but if you add another > everything after word
will be the tag given.

String sent
test > test < i > everything comes in italics

String came through
test > test everything comes in italics
-------------^ italics starts here.

--
      ___
     /\  \       Freedom is the right to grow, is the right to blossom,
    /::\  \
   /:/\:\  \
  _\:\~\:\  \
 /\ \:\ \:\__\   Spikeman
 \:\ \:\ \/__/   http://www.spikeman.net
  \:\ \:\__\     http://www.computersecuritynow.com
   \:\/:/  /
    \::/  /      Freedom is the right to be yourself, to be who you
     \/__/       are, to be who you wanna be, to do what you wanna do.
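
The Win9x fault record in the source message can be checked mechanically. The Python below is an added triage example, not part of the advisory or of any Trillian code: it parses the register dump, decodes the instruction bytes at CS:EIP, and computes the address the faulting load tried to read. The function names are assumptions made for this illustration, and the sample input is constructed from the dump quoted in the message.

```python
import re

# Constructed sample: the Win9x fault record quoted in the advisory above.
DUMP = """\
EAX=017a0078 CS=0167 EIP=017660df EFLGS=00010216
EBX=1fffffff SS=016f ESP=006a9580 EBP=006a95a0
ECX=017a11dc DS=016f ESI=00000008 FS=2a3f
EDX=018f01dd ES=016f EDI=31000001 GS=2a67
Bytes at CS:EIP:
8b 0c 13 f6 c1 01 89 4d f8 75 7f c1 f9 04 6a 3f
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # x86 encoding order

def parse_dump(text):
    """Return (registers dict, code bytes) from a Win9x-style fault record."""
    regs = {k: int(v, 16) for k, v in re.findall(r"\b([A-Z]{2,5})=([0-9a-fA-F]+)", text)}
    tail = text.split("Bytes at CS:EIP:", 1)[1]
    code = bytes(int(b, 16) for b in re.findall(r"\b[0-9a-fA-F]{2}\b", tail))
    return regs, code

def decode_mov_load(code, regs):
    """Decode 'mov r32, [base + index*scale]' (opcode 8B, mod=00 with SIB byte)."""
    if code[0] != 0x8B:
        raise ValueError("not opcode 8B (mov r32, r/m32)")
    modrm, sib = code[1], code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm != 4:
        raise ValueError("only the mod=00 + SIB encoding is handled here")
    scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
    if base == 5:
        raise ValueError("disp32 base form not handled")
    addr = regs[REG32[base]]
    if index != 4:  # index field 100b means "no index register"
        addr += regs[REG32[index]] * scale
    return {"dest": REG32[reg], "base": REG32[base], "scale": scale,
            "index": REG32[index] if index != 4 else None,
            "address": addr & 0xFFFFFFFF}

def triage(text=DUMP):
    regs, code = parse_dump(text)
    return decode_mov_load(code, regs)

if __name__ == "__main__":
    r = triage()
    print(r["dest"], "<- [", r["base"], "+", r["index"], "*", r["scale"], "] =", hex(r["address"]))
```

The bytes `8b 0c 13` decode to the same `mov ecx,dword ptr [ebx+edx]` shown in item 3 of the dump list. With EBX=0x1fffffff added to the pointer in EDX, the load targets 0x218f01dc, which matches an access violation on read.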



Copyright 2002, SecurityGlobal.net LLC