lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 03 May 2007 23:06:57 +0200
From: Marvin Frick <>
Subject: Re: iDefense Security Advisory 04.30.07: Cerulean Studios Trillian
 Multiple IRC Vulnerabilities

Hash: SHA1
Hi there,

this is my first mail to a mail list at all and additionally my
English is not as perfect as it should be... i know.

I verified this overflow vulnerability and found some interesting
facts coming along with that.
If you try to copy a very very long URL to a conversation window (ICQ
and MSN  work as well as IRC) the application will end up in a denial
of service situation.

iDefense Labs only reported their issue only to the IRC module but I
think this should work with all the other modules too.

greetings from Germany,
Marvin Frick

iDefense Labs wrote:
> Cerulean Studios Trillian Multiple IRC Vulnerabilities
> iDefense Security Advisory 04.30.07
> Apr 30, 2007
> Cerulean Studios Trillian is a multi-protocol chat application that
> supports IRC, ICQ, AIM and MSN protocols. More information can be found
> on the vendor's site at the following URL.
> Remote exploitation of multiple vulnerabilities in the Internet Relay
> Chat (IRC) module of Cerulean Studios' Trillian could allow for the
> interception of private conversations or execution of code as the
> currently logged on user.
> When handling long CTCP PING messages containing UTF-8 characters, it is
> possible to cause the Trillian IRC client to return a malformed response
> to the server. This malformed response is truncated and is missing the
> terminating newline character. This could allow the next line sent to
> the server to be improperly sent to an attacker.
> When a user highlights a URL in an IRC message window Trillian copies
> the data to an internal buffer. If the URL contains a long string of
> UTF-8 characters, it is possible to overflow a heap based buffer
> corrupting memory in a way that could allow for code execution.
> A heap overflow can be triggered remotely when the Trillian IRC module
> receives a message that contains a font face HTML tag with the face
> attribute set to a long UTF-8 string.
> Exploitation of this vulnerability allows remote attackers to intercept
> private communications for Trillian IRC users or execute code with the
> credentials of the currently logged on user.
> In order to exploit the highlighted URL vulnerability, users would have
> to highlight the malicious URL.
> iDefense has confirmed the existence of this vulnerability in Cerulean
> Studios Trillian 3.1.
> iDefense is currently unaware of any effective workaround for this
> issue.
> Cerulean Studios has addressed these vulnerabilities within version
> of Trillian. For more information, visit their blog at the
> following URL.
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.
> 01/24/2007  Initial vendor notification
> 01/30/2007  Initial vendor response
> 04/30/2007  Coordinated public disclosure
> These vulnerabilities were reported to iDefense by enhalos.
> Get paid for vulnerability research
> Free tools, research and upcoming events
> Copyright © 2007 iDefense, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
>  There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.

Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla -

Powered by blists - more mailing lists