-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi there, this is my first mail to a mail list at all and additionally my English is not as perfect as it should be... i know.
I verified this overflow vulnerability and found some interesting facts coming along with that. If you try to copy a very very long URL to a conversation window (ICQ and MSN work as well as IRC) the application will end up in a denial of service situation. iDefense Labs only reported their issue only to the IRC module but I think this should work with all the other modules too. greetings from Germany, Marvin Frick iDefense Labs wrote: > Cerulean Studios Trillian Multiple IRC Vulnerabilities > > iDefense Security Advisory 04.30.07 > http://labs.idefense.com/intelligence/vulnerabilities/ > Apr 30, 2007 > > I. BACKGROUND > > Cerulean Studios Trillian is a multi-protocol chat application that > supports IRC, ICQ, AIM and MSN protocols. More information can be found > on the vendor's site at the following URL. > > http://www.ceruleanstudios.com/learn/ > > II. DESCRIPTION > > Remote exploitation of multiple vulnerabilities in the Internet Relay > Chat (IRC) module of Cerulean Studios' Trillian could allow for the > interception of private conversations or execution of code as the > currently logged on user. > > When handling long CTCP PING messages containing UTF-8 characters, it is > possible to cause the Trillian IRC client to return a malformed response > to the server. This malformed response is truncated and is missing the > terminating newline character. This could allow the next line sent to > the server to be improperly sent to an attacker. > > When a user highlights a URL in an IRC message window Trillian copies > the data to an internal buffer. If the URL contains a long string of > UTF-8 characters, it is possible to overflow a heap based buffer > corrupting memory in a way that could allow for code execution. > > A heap overflow can be triggered remotely when the Trillian IRC module > receives a message that contains a font face HTML tag with the face > attribute set to a long UTF-8 string. > > III. ANALYSIS > > Exploitation of this vulnerability allows remote attackers to intercept > private communications for Trillian IRC users or execute code with the > credentials of the currently logged on user. > > In order to exploit the highlighted URL vulnerability, users would have > to highlight the malicious URL. > > IV. DETECTION > > iDefense has confirmed the existence of this vulnerability in Cerulean > Studios Trillian 3.1. > > V. WORKAROUND > > iDefense is currently unaware of any effective workaround for this > issue. > > VI. VENDOR RESPONSE > > Cerulean Studios has addressed these vulnerabilities within version > 3.1.5.0 of Trillian. For more information, visit their blog at the > following URL. > > http://blog.ceruleanstudios.com/ > > VII. CVE INFORMATION > > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not > been assigned yet. > > VIII. DISCLOSURE TIMELINE > > 01/24/2007 Initial vendor notification > 01/30/2007 Initial vendor response > 04/30/2007 Coordinated public disclosure > > IX. CREDIT > > These vulnerabilities were reported to iDefense by enhalos. > > Get paid for vulnerability research > http://labs.idefense.com/methodology/vulnerability/vcp.php > > Free tools, research and upcoming events > http://labs.idefense.com/ > > X. LEGAL NOTICES > > Copyright © 2007 iDefense, Inc. > > Permission is granted for the redistribution of this alert > electronically. It may not be edited in any way without the express > written consent of iDefense. If you wish to reprint the whole or any > part of this alert in any other medium other than electronically, > please e-mail [EMAIL PROTECTED] for permission. > > Disclaimer: The information in the advisory is believed to be accurate > at the time of publishing based on currently available information. Use > of the information constitutes acceptance for use in an AS IS condition. > There are no warranties with regard to this information. Neither the > author nor the publisher accepts any liability for any direct, > indirect, or consequential loss or damage arising from use of, or > reliance on, this information. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGOk7xQPlx1BVfqsgRAnA1AKCLoqpCoScJEha7+3m7pm9GmBPVcACeLDZv 2m/Ng8VkoP5/soPy2raDwFw= =buw0 -----END PGP SIGNATURE-----
