Message-ID: <20040225012344.GD11615@accord.rackspace.com>
From: lschiere at users.sourceforge.net (Luke Schierer)
Subject: Advisory 02/2004: Trillian remote overflows -> maybe this is off-topic, but...
Jeff is absolutely correct. We've given them yahoo code, they have given
us yahoo code. Sean Egan and one of their heads, a guy named Scott, are
on good terms. No theft either way involved here.
luke
On Tue, Feb 24, 2004 at 08:50:49PM -0500, Jeff_Lopes@...ove.net wrote:
> It might be wise to go to http://gaim.sf.net and actually read the notes
> for 0.70. It says:
>
> "Our friends over at Cerulean Studios managed to break my speed record at
> cracking Yahoo authentication schemes with an impressive feat of hackery.
> They sent it over and here it is in Gaim 0.70. However, certain details of
> the authentication scheme depend on the challenge string the server sends
> us, and there's really no way to tell what it does until Yahoo starts
> sending new challenge strings. So you can expect a few more breakages to
> come soon. I wouldn't sign offline if I were you. Peep the ChangeLog."
>
> Does that mean it was stolen? Doesn't sound like it. It sounds like
> Trillian gave the code to Gaim.
>
> Jeff
>
> Tobias Weisserth <tobias@...sserth.de>
> Sent by: full-disclosure-admin@...ts.netsys.com
> 02/24/2004 04:23 PM
> Please respond to tobias
>
> To: full-disclosure@...ts.netsys.com
> cc: gaim@...flynn.com, sean.egan@...ghamton.edu,
> hermanator12002@...oo.com, chipx86@...px86.com, faceprint@...eprint.com,
> thekingant@...rs.sourceforge.net, lschiere@...rs.sourceforge.net
> Subject: Re: [Full-Disclosure] Advisory 02/2004: Trillian
> remote overflows -> maybe this is off-topic, but...
>
> Hi everybody,
>
> On Tue, 24.02.2004 at 19:52, Stefan Esser wrote:
> > ...
> > "What is Trillian?
> >
> > Trillian is a skinnable, interoperable instant messaging client.
> > Grab the best IM client available on the Internet today!
> > Trillian .74 is completely free, with no spyware and no ads.
> > Over 10 million downloads can't be wrong!"
>
> "Completely free". Aha. Where is the source code and a suitable license
> to modify and share modifications?
>
> "No spyware". Aha. How can we know without the source? Well, I guess we
> have to take their word.
>
> > While playing around with the recently found Gaim vulnerabilities
> > it was discovered that two of them also affect Trillian and allow
> > remote compromise.
>
> Is this a coincidence?
>
> > Details:
> >
> > While testing the developed exploits against other instant
> > messaging clients it was discovered that Trillian as one of the
> > most popular 3rd party instant client for the Windows operating
> > system is indeed vulnerable to the bugs discovered in the GAIM
> > sourcecode
>
> Now I wonder if this is indeed a coincidence. I'm not too familiar with
> the protocols involved and the way code is written to utilise them, but
> doesn't the fact that the GAIM exploits work without modification on
> Trillian imply that Trillian maybe is using the parts of the same code
> as GAIM? Just a stupid question. But I really don't know. Please
> enlighten me.
>
> > The bugs in question are
> >
> > [01 - AIM/Oscar DirectIM Integer Overflow]
> >
> > When Trillian receives a DirectIM packet with a size above 8kb
> > it spawns a thread to receive the complete packet. This thread
> > allocates a buffer for the incoming packet and one extra byte.
> > This procedure suffers from an integer overflow when the size
> > is UINT_MAX and will only allocate a buffer of minimum size
> > in that case. This buffer is then filled with multiple calls to
> > recv() which will result in an arbitrary size heap overflow.
> >
> > [02 - Yahoo Packet Parser Overflow]
> >
> > A Yahoo Messenger packet consists of a header and a list of keys
> > with their associated values. When reading an oversized keyname
> > a standard stack overflow can be triggered.
> >
> > The code below is part of Trillian since version 0.71 which was
> > released on the 18th December 2001. It was manually decompiled.
> > The variable names were taken from the GAIM source code. If you
> > compare the decompiled code with the code in yahoo.c (revision
> > 1.12 from 15th Nov 2001) you will realise that it is more or
> > less identical. It is up to the reader to find an explanation
> > how this GPL licensed code snippet ended up in Trillian.
>
> AHA! Got you. This must be pretty embarrassing for Trillian. Is someone
> from the GAIM team reading this list?
>
> [rest snipped]
>
> I'd like to know from the Trillian people how they explain this
> "coincidence". Widespread abuse of GPL software seems to become more and
> more common.
>
> kind regards,
> Tobias Weissert
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
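The integer overflow the quoted advisory describes (allocating the DirectIM packet size plus one byte, which wraps when the size is UINT_MAX), as an added example that is not code from Trillian, Gaim or the advisory: a hypothetical reconstruction of the unchecked size computation next to the length check and bounded receive loop a client should perform. MAX_DIRECTIM_LEN and the in-memory wire buffer are constructed for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the allocation pattern the advisory
 * describes: a 32-bit packet length plus one byte for a terminator.
 * Returns the byte count that would be handed to the allocator, so the
 * wrap-around is visible without touching any real socket. */
uint32_t alloc_size_unchecked(uint32_t packet_len) {
    return packet_len + 1;  /* wraps to 0 when packet_len == UINT32_MAX */
}

/* Hardened form: refuse any length whose +1 would wrap, and also cap it
 * at a protocol-appropriate maximum (constructed value for this example). */
#define MAX_DIRECTIM_LEN (16u * 1024u * 1024u)  /* assumed cap */

int directim_len_is_safe(uint32_t packet_len) {
    if (packet_len > UINT32_MAX - 1) return 0;   /* size + 1 would overflow */
    if (packet_len > MAX_DIRECTIM_LEN) return 0; /* sanity cap */
    return 1;
}

/* Simulates the receive loop with bounded copies from an in-memory
 * "wire" buffer instead of recv(). Returns 0 on success and -1 if the
 * frame was rejected or allocation failed. Never writes past the buffer. */
int receive_directim(const unsigned char *wire, uint32_t packet_len,
                     unsigned char **out) {
    *out = NULL;
    if (!directim_len_is_safe(packet_len)) return -1;
    unsigned char *buf = malloc((size_t)packet_len + 1);
    if (!buf) return -1;
    size_t got = 0;
    while (got < packet_len) {
        size_t chunk = packet_len - got;
        if (chunk > 1024) chunk = 1024;    /* mimic partial recv() returns */
        memcpy(buf + got, wire + got, chunk);
        got += chunk;
    }
    buf[packet_len] = '\0';
    *out = buf;
    return 0;
}
```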