Trillian DirectIM Packet Remote Overflow

2004-02-24T00:00:00
ID OSVDB:4056
Type osvdb
Reporter Stefan Esser(sesser@hardened-php.net)
Modified 2004-02-24T00:00:00

Description

Vulnerability Description

A remote overflow exists in Cerulean Studios' Trillian and Trillian Pro. The AOL Instant Messenger DirectIM parser fails to properly allocate a parsing buffer resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

Technical Description

When Trillian receives a DirectIM packet announcing a size above 8 KB, it spawns a thread to receive the complete packet. This thread allocates a buffer for the incoming packet plus one extra byte. The size arithmetic suffers from an integer overflow when the announced size is UINT_MAX: the size plus one wraps to zero, so only a minimum-size buffer is allocated. The buffer is then filled by repeated calls to recv() driven by the attacker-supplied length, which results in a heap overflow of arbitrary size.
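The following C program is an added illustration of the allocation bug described above, reconstructed from the advisory text; it is not Trillian's code, nor code from e-matters. The vulnerable pattern (announced length plus one, computed in 32 bits) is placed beside a hardened version that rejects lengths that would wrap. The `fake_sock`/`fake_recv` stand-in for a socket, the sample body, and the `DIRECTIM_MAX_PAYLOAD` limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sanity limit for a DirectIM body (1 MiB). Any value far below
   UINT32_MAX works; the point is that the check runs before the +1. */
#define DIRECTIM_MAX_PAYLOAD (1u << 20)

/* Constructed stand-in for a socket: a byte string that is "received" in chunks. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} fake_sock;

/* Mimics recv(): returns up to `want` bytes, fewer at end of stream, 0 when drained. */
static size_t fake_recv(fake_sock *s, unsigned char *dst, size_t want) {
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Vulnerable pattern: "length plus one for a terminator", computed in 32 bits.
   For announced_len == 0xFFFFFFFF this wraps to 0, so malloc() returns only a
   minimum-size chunk while the receive loop still expects 0xFFFFFFFF bytes. */
uint32_t vulnerable_alloc_size(uint32_t announced_len) {
    return announced_len + 1u;
}

/* Bytes the vulnerable receive loop would write beyond the requested size when the
   peer announces announced_len and then actually sends sent_len bytes. The loop copies
   min(announced, sent), so with a wrapped allocation every byte sent is overflow;
   the attacker picks the overflow length by choosing how much to send. */
size_t vulnerable_overflow_bytes(uint32_t announced_len, size_t sent_len) {
    size_t copied = sent_len < announced_len ? sent_len : (size_t)announced_len;
    size_t alloc = vulnerable_alloc_size(announced_len);
    return copied > alloc ? copied - alloc : 0;
}

/* Hardened version: bound the announced length before doing the arithmetic.
   Returns 0 when the length is rejected (a valid result is always >= 1). */
size_t safe_alloc_size(uint32_t announced_len) {
    if (announced_len > DIRECTIM_MAX_PAYLOAD)   /* also excludes UINT32_MAX */
        return 0;
    return (size_t)announced_len + 1;
}

/* Hardened receive loop: allocate with the checked size, read until announced_len
   bytes arrive or the peer stops sending, NUL-terminate. Returns the number of bytes
   received, or -1 if the length was rejected or allocation failed. */
long receive_directim_payload(fake_sock *s, uint32_t announced_len, unsigned char **out) {
    *out = NULL;
    size_t need = safe_alloc_size(announced_len);
    if (need == 0)
        return -1;
    unsigned char *buf = malloc(need);
    if (buf == NULL)
        return -1;
    size_t got = 0;
    while (got < announced_len) {
        /* Never ask for more than the remaining room in buf. */
        size_t n = fake_recv(s, buf + got, announced_len - got);
        if (n == 0)
            break;                 /* peer closed early */
        got += n;
    }
    buf[got] = '\0';               /* room guaranteed by the +1 */
    *out = buf;
    return (long)got;
}

/* Constructed 16-byte sample body; arbitrary content, not a captured packet. */
static const unsigned char SAMPLE_BODY[] = "0123456789abcdef";

/* Runs the hardened receiver against the sample body with a given announced length. */
long demo_receive(uint32_t announced_len) {
    fake_sock s = { SAMPLE_BODY, sizeof SAMPLE_BODY - 1, 0 };
    unsigned char *buf = NULL;
    long got = receive_directim_payload(&s, announced_len, &buf);
    free(buf);                     /* free(NULL) is a no-op */
    return got;
}

int main(void) {
    printf("announced 0xFFFFFFFF: vulnerable malloc(%u), hardened -> %ld\n",
           vulnerable_alloc_size(UINT32_MAX), demo_receive(UINT32_MAX));
    printf("announced 0xFFFFFFFF, 4096 bytes sent: %zu bytes of heap overflow\n",
           vulnerable_overflow_bytes(UINT32_MAX, 4096));
    return 0;
}
```

The fix is the ordering: the bound check on the attacker-controlled length must come before the `+ 1`, and the allocation size must be derived from the checked value. Checking `len + 1 == 0` after the fact also works for the wrap itself, but an explicit protocol maximum additionally stops a peer from forcing a multi-gigabyte allocation.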

This vulnerability was discovered while testing exploit code for similar, previously reported GAIM vulnerabilities: the corresponding portion of Trillian's DirectIM code was found to suffer from the same problem as the GAIM source code. Although proof-of-concept code has not been released, it is believed to exist privately.

Solution Description

Upgrade to Trillian version 0.74G or Trillian Pro version 2.011 or higher, which have been reported to fix this vulnerability. Patches are also available. Upgrading or patching is required, as there are no known workarounds.

Short Description

A remote overflow exists in Cerulean Studios' Trillian and Trillian Pro. The AOL Instant Messenger DirectIM parser fails to properly allocate a parsing buffer resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

References:

Vendor URL: http://www.trillian.cc
Secunia Advisory ID: 10973
Related OSVDB ID: 4060
Other Advisory URL: http://security.e-matters.de/advisories/022004.html
Other Advisory URL: http://security.e-matters.de/advisories/012004.html
Nessus Plugin ID: 12076
Keyword: x
ISS X-Force ID: 15303
CVE-2004-2304