lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1077670339.8766.79.camel@Star.BerthoudWireless.net>
From: security at 303underground.com (Scott Taylor)
Subject: Advisory 02/2004: Trillian remote overflows
	-> maybe this is off-topic, but...

>From gaim's own news... so of course there will be some similarities in
parts of their yahoo code.

 September 28th, 2003 -
9:53PM EDT
0.70   




Our friends over at Cerulean Studios
managed to break my speed record at
cracking Yahoo authentication
schemes with an impressive feat of
hackery. They sent it over and here
it is in Gaim 0.70. However, certain
details of the authentication scheme
depend on the challenge string the
server sends us, and there's really
no way to tell what it does until
Yahoo starts sending new challenge
strings. So you can expect a few
more breakages to come soon. I
wouldn't sign offline if I were you.
Peep the ChangeLog.

On Tue, 2004-02-24 at 14:23, Tobias Weisserth wrote:
> >    [02 - Yahoo Packet Parser Overflow]
> >    
> >    A Yahoo Messenger packet consist of a header and a list of keys
> >    with their associated values. When reading an oversized keyname
> >    a standard stackoverflow can be triggered. 
> >    
> >    The code below is part of Trillian since version 0.71 which was
> >    released on the 18th december 2001. It was manually decompiled.
> >    The variable names were taken from the GAIM source code. If you
> >    compare the decompiled code with the code in yahoo.c (revision
> >    1.12 from 15th nov 2001) you will realise that it is more or
> >    less identical. It is up to the reader to find an explanation
> >    how this GPL licensed codesnippet ended up in Trillian.
> 
> AHA! Got you. This must be pretty embarrassing for Trillian. Is someone
> from the GAIM team reading this list?
> 
--
Scott Taylor - <security@...underground.com> 

Laetrile is the pits.

    


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ