[30607] in bugtraq
Trillian Remote DoS
daemon@ATHENA.MIT.EDU (flur)
Fri Jul 4 18:53:18 2003
Message-Id: <5.1.0.14.2.20030704180634.0421dba8@mail.tht.net>
Date: Fri, 04 Jul 2003 18:09:55 -0400
To: bugtraq Security List <bugtraq@securityfocus.com>
From: flur <flur@flurnet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Application: Trillian
Developer(s): Cerulean Studios (http://www.trillian.cc)
Scope: Remote DoS & Possible Exploit
Tested on: Trillian 1.0 Pro, 0.74 Freeware
It is possible to crash Trillian by sending a corrupt 'TypingUser' message.
Replacing any of the characters in 'TypingUser' will cause Trillian to
crash. If more then 10 characters are used, or if the colon is omitted,
Trillian will not crash. The crash occurs due to a function within msn.dll
for both Trillian 1 and 0.74. This may be exploitable further.
In order to exploit this condition, no code is necessary- simply hex edit
a messenger client, replacing the string 'TypingUser' with any other
string of the same length (or simply changing a letter or two). However
this method of exploitation does break Microsoft's EULA/TOS, and you are
not encouraged to utilize a broken client in this way except in an
educational context. This 'hack' also prevents other non-trillian Messenger
clients from detecting when a user is typing.
Crash Summary:
MOV ECX,DWORD PTR DS:[EDX] ; EDX is uninitialized
The crash looks something like this:
Instruction at 0x####8826 referenced memory at 0x00000000
Sample TCP session to crash Trillian:
MIME-Version: 1.0
Content-Type: text/x-msmsgscontrol
TypingXxxx: attacker@blah.com
Our preliminary tests showed that memory was not manipulable, and thus this
bug is not exploitable further then DoS. Please make further research
public if you discover otherwise.
____________________ __ _
~FluRDoInG flur@flurnet.org
http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02 C06B 83FF E6C5 8C2C 37C4
