RE: Trillian Messaging Software

["Don Weber" <Don () AirLink com>]

we use it here primarily for the ability it provides in secure messages over
icq and one of the others it supports, as far as security, it does i blv,
store passwords and the like in the registry and other text files, here's an
old post i just found again related to trillion. but I'd think personally,
if someone can get to this, your already in trouble

Trillian has a system that creates .ini files for connecting to the
respective messenger services such as MSN,Yahoo,IRC,etc...which it stores in
the users' directory.For example-the settings of a particular user are
stored in his default user's directory.For connecting to MSN there is a file
called msn.ini.For Yahoo...there is yahoo.ini.And so on...These files
include the details of that user such as his email id to connect to that
service,his contact list,display options,and all that stuff.
But one thing that seems particularly interesting is that...it stores
the password to the service in an elementary encrypted format.
Trillian does not forbid access to any user's .ini files in any manner.
That leaves a huge security hole in the whole system.Anybody can just copy
and paste the "Profile" of the person to his own msn.ini file and gain full
access to the victim's respective service.Also the masked password appears
in the connection manager field which can be easily unmasked using a
password revealer like Cain.Thus revealing the password of that person.So
all you need to do is just gain access to the victim's .ini files in the
Trillian>>Users>>Victim folder and the work is done.
The .ini file looks like this......
for example.....for msn service

[msn]
auto reconnect=1
save passwords=1
idle time=15
show buddy status=1
port=1863
server=messenger.hotmail.com
last msn=VICTIM () hotmail com
connect num=10
connect sec=60
save status=1
auto hotmail=1
ft port=6891
/*Profile starts*/
[profile 0]
name=VICTIM'S EMAIL ADDRESS () hotmail com
password=8B62F3F10AE39DE413E42 /*THIS IS THE ENCRYPTED PASSWORD*/
display name=DISPLAY NAME OF THE VICTIM
auto connect=1
status=1
/*Profile Ends*/
reverse0=CONTACT XXX () yahoo com
reverse1=CONTACT YYY () hotmail com
reverse2=CONTACT ZZZ () hotmail com

so all you need to do....create a new trillian account....and connect once
to the MSN or yahoo etc. service using ur own msn or yahoo account.So you
will have your own profile in the .ini file.Now just replace your own
profile in your own .ini file with the victim's and save the file.Just run
the .ini file once to make sure that the settings have applied to your own
account.Now restart Trillian and logon to your own account.The victim's
settings will be there in your connection manager.You can now connect to the
service thru the victims account or unmask the password.


-----Original Message-----
From: rogue [mailto:rogue () nocdemon net]
Sent: Wednesday, June 05, 2002 9:10 AM
To: vuln-dev () securityfocus com
Cc: security-basics () securityfocus com
Subject: Trillian Messaging Software


A bunch of users on my Win2k network are asking to install trillian
messaging software on their workstations because it allows messaging
across several systems (AIM, yahoo messenger, ICQ, etc) and i was
wondering if anyone has been here has been using it and if there are any
security issues which have surfaced before allowing this software on my
network. Thanks all!



--
==================
rogue () nocdemon net
             {\o0|
==================