LogicLibrary BugScan Vulnerability Summary Report (VSR)
Trillian 2.0, 3.0 and 3.1
3/23/2005
I. Background
This report is based on the example in �Guidelines for Security
Vulnerability Reporting and Response,� provided by the Organization
for Internet Safety (OIS). The template for this document can be
found at http://www.oisafety.org/guidelines/secresp.html.
Trillian is an all-in-one instant messaging client on Windows,
produced by Cerulean Studios. It allows users to be on several IM and
chat networks all via a single client. It also has an extensible
plug-in system and supplies plug-ins for RSS feed reading, POP3 mail
notifications, etc.
II. Description
The AIM, Yahoo, MSN, RSS and other plug-ins connect to an external
Web server at various points. A buffer iteration overflow in their
handling of HTTP 1.1 response headers in these plug-ins was found
using BugScan 2003A. For attackers to exploit this vulnerability,
they would need to take over the Web server being connected to or
DNS/route poison the victim into connecting to their malicious Web
server.
The vulnerability can be demonstrated in Trillian 2.0 by setting up a
netcat listener on port 80and then pointing Trillian's proxy, RSS
reader or anything else that connects to HTTP to the netcat listener.
After the client connects, piping a very long string followed by a
carriage return will reliably crash the client. Specially crafted
input may result in malicious code being executed under the context
of the user that Trillian is running as. This problem is compounded
because the same vulnerable code appears to have been copied into
several different components and locations.
In Trillian 3.0, many instances of the bug were fixed, but at least
one has persisted in the Yahoo IM component. This mistake is probably
due to the code duplication mentioned above. Trillian 3.0 is compiled
with the �Buffer Security Check� option in Visual C++ 7.1 (also known
as stack canaries), which helps prevent the exploitation of
stack-based overflows. Since this is a heap overflow, the security
check does not appear to help.
In Trillian 3.1, the aforementioned Yahoo IM vulnerabilities have
still not been fixed. There are still two exploitable buffer
iteration bugs. One is at offset 0x520296c6 and the other is at
offset 0x5201a05f. A Trillian developer who has access to the symbols
and source code should use these offsets to locate and fix these
problems.
III. Analysis
These bugs were found using BugScan 2003A, which was released in
October 2003. BugScan 2003A was able to detect the buffer iteration
bug and the fact that it was likely to be exploitable due to its
operating on user-supplied data. You can see another example of the
exploitable code by looking at location 0x10004464 in Trillian 2.0's
rss.dll. The vulnerable source probably looks approximately like
this:
while ((ch != '\n') && (bytes != 0))
{
int bytes = recv(socket, &ch, 1, ...);
*buf++ = ch;
}
The buffer will overflow if a long string with many characters is
received before the newline character over this network connection.
IV. Affected Configurations
All Trillian 2.0 versions have many of these kinds of exploitable
vulnerabilities. Many were fixed in Trillian 3.0 and 3.1, but some
still remain.
IV. Vendor Response
While initially responsive, Cerulean stopped responding to emails
after detailed reports were given. No official response at the time
of the issuance of this report.
V. CVE and OSVDB information
No official CVE or OSVDB number assigned at the time of the issuance
of this report.
VI. Disclosure Timeline
October 2003 Initial vendor notification.
November 2003 Notified vendor again via support IRC channels,
verified reception of BugScan report.
January 2004 Vendor promised fix in upcoming 3.0 release.
December 2004 Trillian 3.0 released, second BugScan showed a few
unfixed vulnerabilities remained.
February 2005 Contacted Trillian again, specifying locations of
unfixed problems.
February 18, 2005 Contacted specific employees and forwarded the VSR.
Received no response.
February 23, 2005 Contacted specific employees and forwarded the VSR.
Received no response.
February 24, 2005 Trillian 3.1 update released with no additional
security fixes from Trillian 3.0.
VII. Conclusion
LogicLibrary would like to assist in resolving this matter with
Cerulean. The resolution of these issues will be helpful to Cerulean
users, including LogicLibrary. It is recommended that users update
their version of Trillian to the latest 3.1 release, avoid using the
Yahoo IM component until patched, and use code analysis tools to
verify third-party software, such as Trillian and its plug-ins.
For more information, please contact Ralph Massaro
<ralph.massaro@xxxxxxxxxxxxxxxx>.
The public key to verify the authenticity of this email is located at
https://www.mylogiclibrary.com/pgp-pub.txt.
