lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <OF664E67C1.110AB8C6-ON05256E45.000657D6-85256E45.000A04D6@internalgroove.net>
From: Jeff_Lopes at groove.net (Jeff_Lopes@...ove.net)
Subject: Advisory 02/2004: Trillian remote overflows	-> maybe
 this is off-topic, but...

It might be wise to go to http://gaim.sf.net and actually read the notes 
for 0.70. It says:

"Our friends over at Cerulean Studios managed to break my speed record at 
cracking Yahoo authentication schemes with an impressive feat of hackery. 
They sent it over and here it is in Gaim 0.70. However, certain details of 
the authentication scheme depend on the challenge string the server sends 
us, and there's really no way to tell what it does until Yahoo starts 
sending new challenge strings. So you can expect a few more breakages to 
come soon. I wouldn't sign offline if I were you. Peep the ChangeLog."

Does that mean it was stolen? Doesn't sound like it. It sounds like 
Trillian gave the code to Gaim.

Jeff





Tobias Weisserth <tobias@...sserth.de>
Sent by: full-disclosure-admin@...ts.netsys.com
02/24/2004 04:23 PM
Please respond to tobias
 
        To:     full-disclosure@...ts.netsys.com
        cc:     gaim@...flynn.com, sean.egan@...ghamton.edu, 
hermanator12002@...oo.com, chipx86@...px86.com, faceprint@...eprint.com, 
thekingant@...rs.sourceforge.net, lschiere@...rs.sourceforge.net
        Subject:        Re: [Full-Disclosure] Advisory 02/2004: Trillian 
remote overflows        -> maybe this is off-topic, but...


Hi everybody,

Am Di, den 24.02.2004 schrieb Stefan Esser um 19:52:
> ...
>    "What is Trillian?
> 
>     Trillian is a skinnable, interoperable instant messaging client. 
>     Grab the best IM client available on the Internet today! 
>     Trillian .74 is completely free, with no spyware and no ads. 
>     Over 10 million downloads can't be wrong!"

"Completely free". Aha. Where is the source code and a suitable license
to modify and share modifications?

"No spyware". Aha. How can we know without the source? Well, I guess we
have to take their word.

>    While playing around with the recently found Gaim vulnerabilities
>    it was discovered that two of them also affect Trillian and allow
>    remote compromise.

Is this a coincidence?
 
> Details:
> 
>    While testing the developed exploits against other instant
>    messaging clients it was discovered that Trillian as one of the
>    most popular 3rd party instant client for the windows operating
>    system is indeed vulnerable to the bugs discovered in the GAIM
>    sourcecode

Know I wonder if this is indeed a coincidence. I'm not too familiar with
the protocols involved and the way code is written to utilise them, but
doesn't the fact that the GAIM exploits work without modification on
Trillian imply that Trillian maybe is using the parts of the same code
as GAIM? Just a stupid question. But I really don't know. Please
enlighten me.

>    The bugs in question are
> 
>    [01 - AIM/Oscar DirectIM Integer Overflow]
> 
>    When Trillian receives a DirectIM packet with a size above 8kb
>    it spawns a thread to receive the complete packet. This thread
>    allocates a buffer for the incoming packet and one extra byte.
>    This procedure suffers from an integer overflow when the size
>    is UINT_MAX and will only allocate a buffer of minimum size
>    in that case. This buffer is then filled with multiple calls to
>    recv() which will result in an arbitrary size heap overflow.
> 
>    [02 - Yahoo Packet Parser Overflow]
> 
>    A Yahoo Messenger packet consist of a header and a list of keys
>    with their associated values. When reading an oversized keyname
>    a standard stackoverflow can be triggered. 
> 
>    The code below is part of Trillian since version 0.71 which was
>    released on the 18th december 2001. It was manually decompiled.
>    The variable names were taken from the GAIM source code. If you
>    compare the decompiled code with the code in yahoo.c (revision
>    1.12 from 15th nov 2001) you will realise that it is more or
>    less identical. It is up to the reader to find an explanation
>    how this GPL licensed codesnippet ended up in Trillian.

AHA! Got you. This must be pretty embarrassing for Trillian. Is someone
from the GAIM team reading this list?

[rest snipped]

I'd like to know from the Trillian people how they explain this
"coincidence". Widespread abuse of GPL software seems to become more and
more common.

kind regards,
Tobias Weissert

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040224/b59bc6cd/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ