Vulnerability Development mailing list archives

RE: Trillian Messaging Software


From: "Ben Floyd" <dataplex17 () hotmail com>
Date: Thu, 06 Jun 2002 15:11:55 -0500

From: "Don Weber" <Don () AirLink com>
...

> we use it here primarily for the ability it provides in secure
> messages over icq and one of the others it supports, as far as
> security, it does I blv, store passwords and the like in the registry
> and other text files, here's an old post I just found again related to
> Trillian. but I'd think personally, if someone can get to this, you're
> already in trouble

I brought this up with the developer of trillian several months ago because I did some testing of the client when it first came out. I was informed that security was only a temporary fix and that eventually everything is broken, so it is not worth wasting development time on. On machines with multiple users (win2k, XP), trillian does not do any file protection (USERS group is allowed read\execute access to the default directory).

The encryption scheme used is very simple to crack. It uses static tables defined in the program to generate the passwords based on length. i.e., passwords that are between 1-5 characters (if I remember correctly) use 1 table, 6-15 characters uses another, and anything over that uses a third table. To crack it, you can simply compare passwords of various lengths to the previous password that was used, and in this manner recreate the table used in under 20 minutes.

Another issue that I found was that when accessing a hotmail account from trillian, the password is passed to the server in cleartext. If anyone wants a user's hotmail password, they only have to wait for the user to access their account and run a browser cache recovery tool.

After the hostile meeting with the developer I determined that Trillian was not worth my time or the risk associated with using it. If the local security is that weak, I only wonder what the "encrypted chat" algorithms look like.

> Trillian has a system that creates .ini files for connecting to the
> respective messenger services such as MSN, Yahoo, IRC, etc., which it
> stores in the users' directory. For example, the settings of a
> particular user are stored in his default user's directory. For
> connecting to MSN there is a file called msn.ini. For Yahoo there is
> yahoo.ini. And so on. These files include the details of that user
> such as his email id to connect to that service, his contact
> list, display options, and all that stuff.
> But one thing that seems particularly interesting is that it stores
> the password to the service in an elementary encrypted format.
> Trillian does not forbid access to any user's .ini files in any manner.
> That leaves a huge security hole in the whole system. Anybody can just copy
> and paste the "Profile" of the person to his own msn.ini file and gain full
> access to the victim's respective service. Also the masked password appears
> in the connection manager field which can be easily unmasked using a
> password revealer like Cain, thus revealing the password of that person. So
> all you need to do is just gain access to the victim's .ini files in the
> Trillian>>Users>>Victim folder and the work is done.
> The .ini file looks like this,
> for example, for msn service:
> ...

-dpx
=======================
http://www.dataplex.org
Email: dpx () dataplex org
=======================
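An added defender-side check, not part of this thread and not Trillian's own code: a small Python audit that flags a per-user .ini file when it both carries a credential-looking key and is readable by other local accounts, which is the combination the post describes (stored passwords plus a directory open to the USERS group). The .ini layout and the list of credential key names are constructed for the example; the real file the quoted post elides is not reproduced, and the permission check uses POSIX mode bits, with the Windows ACL equivalent noted in a comment.

```python
import configparser
import os
import stat
import tempfile

# Keys that indicate a stored credential when found in a per-user config file.
# Constructed list for this example, not taken from Trillian's own files.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "secret"}

# Hypothetical .ini layout used only to exercise the audit. The quoted post
# elides the real file, so this is not Trillian's actual format.
SAMPLE_INI = """\
[Profile]
Email=someone@example.invalid
Password=0123deadbeef
AutoLogin=1

[Display]
ShowOffline=0
"""


def find_stored_credentials(ini_text):
    """Return (section, key) pairs whose key name looks like a credential
    and whose value is non-empty."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep original key case for reporting
    parser.read_string(ini_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower() in CREDENTIAL_KEYS and value.strip():
                hits.append((section, key))
    return hits


def mode_readable_by_others(mode):
    """POSIX permission bits: True if group or world can read the file.
    On Windows the equivalent check is an ACL inspection (icacls / Get-Acl);
    the post describes the USERS group holding read/execute on the directory."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_ini_text(ini_text, mode):
    """Combine the two findings: a stored credential is a problem only when
    another local account can actually read the file."""
    hits = find_stored_credentials(ini_text)
    exposed = mode_readable_by_others(mode)
    return {"credentials": hits, "readable_by_others": exposed,
            "risk": bool(hits) and exposed}


def audit_ini_file(path):
    """Audit a file on disk using its real mode bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return dict(audit_ini_text(text, os.stat(path).st_mode), path=path)


if __name__ == "__main__":
    # Write the constructed file to a temp directory and audit it twice:
    # once readable by everyone, once restricted to the owner.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "msn.ini")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INI)
        for mode in (0o644, 0o600):
            os.chmod(path, mode)
            print(oct(mode), audit_ini_file(path))
```

The split into `find_stored_credentials` and `mode_readable_by_others` is deliberate: a stored password in a file only the owner can read is a weaker finding than the same file readable by every local account, so the audit reports both facts and raises `risk` only when they coincide.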

