CERT VU:786920
Jul 16, 2007

Trillian Instant Messenger client fails to properly handle malformed URIs

Source: www.kb.cert.org

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.126 (Percentile: 95.5%)

Overview

The Trillian Instant Messaging client contains a buffer overflow vulnerability that may allow an attacker to execute code.

Description

A Uniform Resource Identifier (URI) is a string of characters that can be used to identify a location, resource, or protocol. The Trillian Instant Messenger client is an IM application that supports multiple services, including AOL Instant Messenger. Trillian registers itself as the default handler for aim: URIs during installation. Web browsers may pass URIs to other applications that have been registered to handle them.

A buffer overflow vulnerability exists in the Trillian Instant Messenger client. An attacker may exploit this vulnerability by convincing a user to open a malformed aim: URI inside of a web browser. When the web browser passes the malformed URI to the Trillian Instant Messenger client, the overflow may be triggered.

Note that some web browsers may present a dialog box warning that the aim: URI is being handed off to another program.


Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user running Trillian.


Solution

Update
Trillian 3.1.7.0 has been released to address this issue.


Unregister the AIM protocols

Disabling the AIM protocol handler can mitigate this vulnerability. To unregister the protocol handler, delete or rename the following registry key:

HKEY_CLASSES_ROOT\AIM\

Note that when Trillian (trillian.exe) is started, it will attempt to recreate or repair the registry key. On Windows XP SP2 by default, Administrators and Power Users have permissions to modify the registry key. To prevent Trillian from recreating the registry key, run Trillian with a limited user account. Alternatively, change or delete the value for

HKEY_CLASSES_ROOT\AIM\shell\open\command

and change permissions so that the appropriate user groups cannot recreate or repair the key.
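
The registry workaround above, written out as a PowerShell function for an elevated prompt. This is an added example, not part of the original advisory or any vendor tooling: the function name, the backup file location and the default list of group SIDs (Administrators and Power Users, the groups the advisory names for Windows XP SP2) are assumptions to adjust for your environment.

```powershell
function Disable-AimHandler {
    param(
        # Assumed default: BUILTIN\Administrators and BUILTIN\Power Users (well-known SIDs).
        [string[]]$DenySids = @('S-1-5-32-544', 'S-1-5-32-547'),
        # Assumed backup location for the exported key.
        [string]$Backup = (Join-Path $env:TEMP 'aim-handler-backup.reg')
    )
    # Key path taken from the advisory.
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\AIM\shell\open\command'

    if (-not (Test-Path $cmdKey)) {
        Write-Output 'No aim: handler command is registered; nothing to change.'
        return
    }

    # 1. Record which program currently receives aim: URIs from the browser.
    $handler = (Get-ItemProperty -Path $cmdKey).'(default)'
    Write-Output "Current aim: handler command: $handler"

    # 2. Export the whole AIM key so the change can be reverted after patching.
    & reg.exe export 'HKCR\AIM' $Backup /y | Out-Null
    Write-Output "Backup written to $Backup"

    # 3. Blank the command value so there is nothing for the browser to launch.
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value ''

    # 4. Deny write-type rights so trillian.exe cannot repair the value on startup.
    #    ChangePermissions is left alone, so an administrator can still undo this.
    $acl = Get-Acl -Path $cmdKey
    foreach ($s in $DenySids) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($s)
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $sid, 'SetValue,CreateSubKey,Delete', 'Deny')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $cmdKey -AclObject $acl

    # 5. Verify: the value should now be empty and the deny entries present.
    $after = (Get-ItemProperty -Path $cmdKey).'(default)'
    $deny  = @((Get-Acl -Path $cmdKey).Access |
               Where-Object { $_.AccessControlType -eq 'Deny' })
    Write-Output "Handler command after change: '$after'; deny entries: $($deny.Count)"
}

Disable-AimHandler
```

HKEY_CLASSES_ROOT is a merged view of the per-machine and per-user class registrations, so a per-user aim: registration under HKEY_CURRENT_USER\Software\Classes should be checked for each account as well.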

Block access to aim: URIs

Administrators may partially mitigate this vulnerability by blocking access to the aim: URI using proxy server access control lists or the appropriate content filtering rule.


Vendor Information

Cerulean Studios Affected

Updated: July 16, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

America Online, Inc. Not Affected

Updated: July 16, 2007

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Acknowledgements

This issue was disclosed by Nate Mcfeters, Billy (BK) Rios, Raghav “the Pope” Dube.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-3832
Severity Metric: 23.76
Date Public: