Full Disclosure mailing list archives

Re: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but...


From: Scott Taylor <security () 303underground com>
Date: Tue, 24 Feb 2004 17:52:20 -0700

From gaim's own news... so of course there will be some similarities in
parts of their yahoo code.

September 28th, 2003 - 9:53PM EDT - 0.70

Our friends over at Cerulean Studios managed to break my speed record at cracking Yahoo authentication schemes with an impressive feat of hackery. They sent it over and here it is in Gaim 0.70. However, certain details of the authentication scheme depend on the challenge string the server sends us, and there's really no way to tell what it does until Yahoo starts sending new challenge strings. So you can expect a few more breakages to come soon. I wouldn't sign offline if I were you. Peep the ChangeLog.

On Tue, 2004-02-24 at 14:23, Tobias Weisserth wrote:
   [02 - Yahoo Packet Parser Overflow]
   
   A Yahoo Messenger packet consists of a header and a list of keys
   with their associated values. When reading an oversized key name
   a standard stack overflow can be triggered.
   
   The code below is part of Trillian since version 0.71, which was
   released on the 18th December 2001. It was manually decompiled.
   The variable names were taken from the GAIM source code. If you
   compare the decompiled code with the code in yahoo.c (revision
   1.12 from 15th Nov 2001) you will realise that it is more or
   less identical. It is up to the reader to find an explanation of
   how this GPL-licensed code snippet ended up in Trillian.

AHA! Got you. This must be pretty embarrassing for Trillian. Is someone
from the GAIM team reading this list?

--
Scott Taylor - <security () 303underground com> 

Laetrile is the pits.
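As an added example (not code from this thread, nor from Gaim or Trillian), here is a bounds-checked C parser for the key/value part of a packet of the kind the quoted advisory describes: a header followed by a list of keys with their values, where an oversized key name must not be copied into a fixed-size buffer. The framing is assumed for the example: a "YMSG" magic, a two-byte big-endian body length, and key and value fields each terminated by the 0xC0 0x80 separator that the YMSG protocol uses (the advisory excerpt does not mention it). The sample packets are constructed, not captured traffic, and the buffer sizes are illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fixed-size destination buffers. The defect the advisory describes is copying
 * a key into a buffer like `key` without first comparing its length to the
 * buffer size; every copy below happens only after that comparison. */
#define MAX_KEY_LEN 15
#define MAX_VAL_LEN 255
#define MAX_PAIRS   16
#define HDR_LEN     6   /* assumed framing: "YMSG" + 2-byte big-endian body length */

typedef struct {
    char key[MAX_KEY_LEN + 1];
    char val[MAX_VAL_LEN + 1];
} ymsg_pair;

/* Offset of the next 0xC0 0x80 field terminator within p[0..len), or -1. */
static long find_sep(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (p[i] == 0xC0 && p[i + 1] == 0x80)
            return (long)i;
    return -1;
}

/* Copy one field into dst (capacity cap + 1) only after its length is checked.
 * Returns the bytes consumed including the terminator, or -1. */
static long take_field(const uint8_t *p, size_t len, char *dst, size_t cap)
{
    long flen = find_sep(p, len);
    if (flen < 0 || (size_t)flen > cap)   /* unterminated or oversized: reject, copy nothing */
        return -1;
    memcpy(dst, p, (size_t)flen);
    dst[flen] = '\0';
    return flen + 2;
}

/* Parse a whole packet. Returns the number of key/value pairs, or -1 if the
 * packet is malformed, truncated, or any field exceeds its buffer. */
int ymsg_parse(const uint8_t *pkt, size_t pkt_len, ymsg_pair *out, size_t max_pairs)
{
    if (pkt_len < HDR_LEN || memcmp(pkt, "YMSG", 4) != 0)
        return -1;
    size_t body_len = ((size_t)pkt[4] << 8) | pkt[5];
    if (body_len != pkt_len - HDR_LEN)   /* declared length must match bytes actually received */
        return -1;

    const uint8_t *body = pkt + HDR_LEN;
    size_t pos = 0, n = 0;
    while (pos < body_len) {
        if (n >= max_pairs)
            return -1;
        long used = take_field(body + pos, body_len - pos, out[n].key, MAX_KEY_LEN);
        if (used < 0) return -1;
        pos += (size_t)used;
        used = take_field(body + pos, body_len - pos, out[n].val, MAX_VAL_LEN);
        if (used < 0) return -1;
        pos += (size_t)used;
        n++;
    }
    return (int)n;
}

/* Constructed sample packet: two pairs, "1"="alice" and "5"="bob". */
static const uint8_t GOOD_PKT[] = {
    'Y', 'M', 'S', 'G', 0x00, 0x12,
    '1', 0xC0, 0x80, 'a', 'l', 'i', 'c', 'e', 0xC0, 0x80,
    '5', 0xC0, 0x80, 'b', 'o', 'b', 0xC0, 0x80
};

int demo_good_packet(void)
{
    ymsg_pair pairs[MAX_PAIRS];
    int n = ymsg_parse(GOOD_PKT, sizeof GOOD_PKT, pairs, MAX_PAIRS);
    if (n != 2 || strcmp(pairs[0].key, "1") || strcmp(pairs[0].val, "alice") ||
        strcmp(pairs[1].key, "5") || strcmp(pairs[1].val, "bob"))
        return -2;
    return n;   /* 2 */
}

/* A 40-byte key name against a 15-byte buffer: the case the advisory describes. */
int demo_oversized_key(void)
{
    uint8_t pkt[HDR_LEN + 40 + 2 + 1 + 2];
    size_t body_len = sizeof pkt - HDR_LEN;
    memcpy(pkt, "YMSG", 4);
    pkt[4] = (uint8_t)(body_len >> 8);
    pkt[5] = (uint8_t)(body_len & 0xFF);
    memset(pkt + HDR_LEN, 'A', 40);
    pkt[46] = 0xC0; pkt[47] = 0x80;
    pkt[48] = 'x';
    pkt[49] = 0xC0; pkt[50] = 0x80;
    ymsg_pair pairs[MAX_PAIRS];
    return ymsg_parse(pkt, sizeof pkt, pairs, MAX_PAIRS);   /* -1: rejected before any copy */
}

/* Declared body length longer than the bytes actually received. */
int demo_truncated_packet(void)
{
    ymsg_pair pairs[MAX_PAIRS];
    return ymsg_parse(GOOD_PKT, sizeof GOOD_PKT - 3, pairs, MAX_PAIRS);   /* -1 */
}
```

The two checks that matter are the field length against the destination capacity in `take_field` and the declared body length against the bytes received in `ymsg_parse`; together they make a key name of any length a rejected packet rather than a write past the end of a stack buffer.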


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html