Message-ID: <20040225012344.GD11615@accord.rackspace.com>
From: lschiere at users.sourceforge.net (Luke Schierer)
Subject: Advisory 02/2004: Trillian remote overflows	-> maybe this is off-topic, but...

Jeff is absolutely correct. We've given them Yahoo code, they have given 
us Yahoo code.  Sean Egan and one of their heads, a guy named Scott, are 
on good terms.  No theft either way involved here.
Luke

On Tue, Feb 24, 2004 at 08:50:49PM -0500, Jeff_Lopes@...ove.net wrote:
> It might be wise to go to http://gaim.sf.net and actually read the notes 
> for 0.70. It says:
> 
> "Our friends over at Cerulean Studios managed to break my speed record at 
> cracking Yahoo authentication schemes with an impressive feat of hackery. 
> They sent it over and here it is in Gaim 0.70. However, certain details of 
> the authentication scheme depend on the challenge string the server sends 
> us, and there's really no way to tell what it does until Yahoo starts 
> sending new challenge strings. So you can expect a few more breakages to 
> come soon. I wouldn't sign offline if I were you. Peep the ChangeLog."
> 
> Does that mean it was stolen? Doesn't sound like it. It sounds like 
> Trillian gave the code to Gaim.
> 
> Jeff
> 
> Tobias Weisserth <tobias@...sserth.de>
> Sent by: full-disclosure-admin@...ts.netsys.com
> 02/24/2004 04:23 PM
> Please respond to tobias
>  
>         To:     full-disclosure@...ts.netsys.com
>         cc:     gaim@...flynn.com, sean.egan@...ghamton.edu, 
> hermanator12002@...oo.com, chipx86@...px86.com, faceprint@...eprint.com, 
> thekingant@...rs.sourceforge.net, lschiere@...rs.sourceforge.net
>         Subject:        Re: [Full-Disclosure] Advisory 02/2004: Trillian 
> remote overflows        -> maybe this is off-topic, but...
> 
> 
> Hi everybody,
> 
> On Tue, 24.02.2004 at 19:52, Stefan Esser wrote:
> > ...
> >    "What is Trillian?
> > 
> >     Trillian is a skinnable, interoperable instant messaging client. 
> >     Grab the best IM client available on the Internet today! 
> >     Trillian .74 is completely free, with no spyware and no ads. 
> >     Over 10 million downloads can't be wrong!"
> 
> "Completely free". Aha. Where is the source code and a suitable license
> to modify and share modifications?
> 
> "No spyware". Aha. How can we know without the source? Well, I guess we
> have to take their word.
> 
> >    While playing around with the recently found Gaim vulnerabilities
> >    it was discovered that two of them also affect Trillian and allow
> >    remote compromise.
> 
> Is this a coincidence?
>  
> > Details:
> > 
> >    While testing the developed exploits against other instant
> >    messaging clients it was discovered that Trillian as one of the
> >    most popular 3rd party instant client for the Windows operating
> >    system is indeed vulnerable to the bugs discovered in the GAIM
> >    sourcecode
> 
> Now I wonder if this is indeed a coincidence. I'm not too familiar with
> the protocols involved and the way code is written to utilise them, but
> doesn't the fact that the GAIM exploits work without modification on
> Trillian imply that Trillian maybe is using the parts of the same code
> as GAIM? Just a stupid question. But I really don't know. Please
> enlighten me.
> 
> >    The bugs in question are
> > 
> >    [01 - AIM/Oscar DirectIM Integer Overflow]
> > 
> >    When Trillian receives a DirectIM packet with a size above 8kb
> >    it spawns a thread to receive the complete packet. This thread
> >    allocates a buffer for the incoming packet and one extra byte.
> >    This procedure suffers from an integer overflow when the size
> >    is UINT_MAX and will only allocate a buffer of minimum size
> >    in that case. This buffer is then filled with multiple calls to
> >    recv() which will result in an arbitrary size heap overflow.
> > 
> >    [02 - Yahoo Packet Parser Overflow]
> > 
> >    A Yahoo Messenger packet consists of a header and a list of keys
> >    with their associated values. When reading an oversized keyname
> >    a standard stack overflow can be triggered. 
> > 
> >    The code below is part of Trillian since version 0.71 which was
> >    released on the 18th December 2001. It was manually decompiled.
> >    The variable names were taken from the GAIM source code. If you
> >    compare the decompiled code with the code in yahoo.c (revision
> >    1.12 from 15th Nov 2001) you will realise that it is more or
> >    less identical. It is up to the reader to find an explanation
> >    how this GPL licensed code snippet ended up in Trillian.
> 
> AHA! Got you. This must be pretty embarrassing for Trillian. Is someone
> from the GAIM team reading this list?
> 
> [rest snipped]
> 
> I'd like to know from the Trillian people how they explain this
> "coincidence". Widespread abuse of GPL software seems to become more and
> more common.
> 
> Kind regards,
> Tobias Weisserth
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
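The DirectIM integer overflow the quoted advisory describes, as an added example that is not code from the advisory, Gaim or Trillian: the unchecked `len + 1` computation beside a bounded version, and a receive loop that writes only inside the checked capacity, run over a constructed in-memory stream instead of a socket. The DIRECTIM_MAX_LEN bound, the stream_t stub and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Largest body we will buffer; constructed bound, the advisory gives none. */
#define DIRECTIM_MAX_LEN (1u << 20)

/* Advisory arithmetic: len + 1 in 32-bit unsigned wraps to 0 at UINT32_MAX,
 * so the allocator returns a minimal buffer while recv() still expects len. */
uint32_t unchecked_alloc_len(uint32_t len)
{
    return len + 1;
}

/* Hardened: bound first (this also excludes UINT32_MAX); 0 means reject. */
size_t checked_alloc_len(uint32_t len)
{
    return len > DIRECTIM_MAX_LEN ? 0 : (size_t)len + 1;
}

/* In-memory stand-in for a socket; 4 bytes per call forces several recv()s. */
typedef struct { const unsigned char *data; size_t len, pos; } stream_t;
static size_t fake_recv(stream_t *s, unsigned char *buf, size_t want)
{
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    if (n > 4) n = 4;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Receive a body of declared length; every write stays inside the checked
 * capacity. Returns a NUL-terminated buffer (caller frees) or NULL. */
unsigned char *recv_directim(stream_t *s, uint32_t len)
{
    size_t cap = checked_alloc_len(len), got = 0;
    if (cap == 0) return NULL;
    unsigned char *buf = malloc(cap);
    if (!buf) return NULL;
    while (got < len) {
        size_t n = fake_recv(s, buf + got, len - got);
        if (n == 0) { free(buf); return NULL; }   /* peer closed early */
        got += n;
    }
    buf[len] = '\0';
    return buf;
}
```

A length that fails checked_alloc_len() is rejected before any allocation or read, so the wrapped size never reaches malloc() or the recv() loop.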

