Full Disclosure mailing list archives
Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but...
From: Tobias Weisserth <tobias () weisserth de>
Date: Tue, 24 Feb 2004 22:23:11 +0100
Hi everybody, Am Di, den 24.02.2004 schrieb Stefan Esser um 19:52:
... "What is Trillian? Trillian is a skinnable, interoperable instant messaging client. Grab the best IM client available on the Internet today! Trillian .74 is completely free, with no spyware and no ads. Over 10 million downloads can't be wrong!"
"Completely free". Aha. Where is the source code and a suitable license to modify and share modifications? "No spyware". Aha. How can we know without the source? Well, I guess we have to take their word.
While playing around with the recently found Gaim vulnerabilities it was discovered that two of them also affect Trillian and allow remote compromise.
Is this a coincidence?
Details: While testing the developed exploits against other instant messaging clients it was discovered that Trillian as one of the most popular 3rd party instant client for the windows operating system is indeed vulnerable to the bugs discovered in the GAIM sourcecode
Know I wonder if this is indeed a coincidence. I'm not too familiar with the protocols involved and the way code is written to utilise them, but doesn't the fact that the GAIM exploits work without modification on Trillian imply that Trillian maybe is using the parts of the same code as GAIM? Just a stupid question. But I really don't know. Please enlighten me.
The bugs in question are [01 - AIM/Oscar DirectIM Integer Overflow] When Trillian receives a DirectIM packet with a size above 8kb it spawns a thread to receive the complete packet. This thread allocates a buffer for the incoming packet and one extra byte. This procedure suffers from an integer overflow when the size is UINT_MAX and will only allocate a buffer of minimum size in that case. This buffer is then filled with multiple calls to recv() which will result in an arbitrary size heap overflow. [02 - Yahoo Packet Parser Overflow] A Yahoo Messenger packet consist of a header and a list of keys with their associated values. When reading an oversized keyname a standard stackoverflow can be triggered. The code below is part of Trillian since version 0.71 which was released on the 18th december 2001. It was manually decompiled. The variable names were taken from the GAIM source code. If you compare the decompiled code with the code in yahoo.c (revision 1.12 from 15th nov 2001) you will realise that it is more or less identical. It is up to the reader to find an explanation how this GPL licensed codesnippet ended up in Trillian.
AHA! Got you. This must be pretty embarrassing for Trillian. Is someone from the GAIM team reading this list? [rest snipped] I'd like to know from the Trillian people how they explain this "coincidence". Widespread abuse of GPL software seems to become more and more common. kind regards, Tobias Weissert _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Advisory 02/2004: Trillian remote overflows Stefan Esser (Feb 24)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Tobias Weisserth (Feb 24)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Scott Taylor (Feb 24)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Jeff_Lopes (Feb 24)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Luke Schierer (Feb 24)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Tobias Weisserth (Feb 25)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Stefan Esser (Feb 25)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Nathan Walp (Feb 25)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Stefan Esser (Feb 25)
- RE: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Aditya, ALD [Aditya Lalit Deshmukh] (Feb 27)
- Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but... Tobias Weisserth (Feb 24)