Did you even bother notifying the vendor? Or crediting the person who
originally discovered this? Unless you happen to be him, although it
doesn't appear so from your site.
Anyway, this bug has been known about for a while, and is fixed in the next
version. Unfortunately they aren't releasing a patch before then.
----Original Message Follows----
From: flur <flur (at) flurnet (dot) org [email concealed]>
To: bugtraq Security List <bugtraq (at) securityfocus (dot) com [email concealed]>
Subject: Trillian Remote DoS
Date: Fri, 04 Jul 2003 18:09:55 -0400
Application: Trillian
Developer(s): Cerulean Studios (http://www.trillian.cc)
Scope: Remote DoS & Possible Exploit
Tested on: Trillian 1.0 Pro, 0.74 Freeware
It is possible to crash Trillian by sending a corrupt 'TypingUser' message.
Replacing any of the characters in 'TypingUser' will cause Trillian to
crash. If more then 10 characters are used, or if the colon is omitted,
Trillian will not crash. The crash occurs due to a function within msn.dll
for both Trillian 1 and 0.74. This may be exploitable further.
In order to exploit this condition, no code is necessary- simply hex edit a
messenger client, replacing the string 'TypingUser' with any other string of
the same length (or simply changing a letter or two). However this method of
exploitation does break Microsoft's EULA/TOS, and you are not encouraged to
utilize a broken client in this way except in an educational context. This
'hack' also prevents other non-trillian Messenger clients from detecting
when a user is typing.
Crash Summary:
MOV ECX,DWORD PTR DS:[EDX] ; EDX is uninitialized
The crash looks something like this:
Instruction at 0x####8826 referenced memory at 0x00000000
Our preliminary tests showed that memory was not manipulable, and thus this
bug is not exploitable further then DoS. Please make further research public
if you discover otherwise.
originally discovered this? Unless you happen to be him, although it
doesn't appear so from your site.
Anyway, this bug has been known about for a while, and is fixed in the next
version. Unfortunately they aren't releasing a patch before then.
----Original Message Follows----
From: flur <flur (at) flurnet (dot) org [email concealed]>
To: bugtraq Security List <bugtraq (at) securityfocus (dot) com [email concealed]>
Subject: Trillian Remote DoS
Date: Fri, 04 Jul 2003 18:09:55 -0400
Application: Trillian
Developer(s): Cerulean Studios (http://www.trillian.cc)
Scope: Remote DoS & Possible Exploit
Tested on: Trillian 1.0 Pro, 0.74 Freeware
It is possible to crash Trillian by sending a corrupt 'TypingUser' message.
Replacing any of the characters in 'TypingUser' will cause Trillian to
crash. If more then 10 characters are used, or if the colon is omitted,
Trillian will not crash. The crash occurs due to a function within msn.dll
for both Trillian 1 and 0.74. This may be exploitable further.
In order to exploit this condition, no code is necessary- simply hex edit a
messenger client, replacing the string 'TypingUser' with any other string of
the same length (or simply changing a letter or two). However this method of
exploitation does break Microsoft's EULA/TOS, and you are not encouraged to
utilize a broken client in this way except in an educational context. This
'hack' also prevents other non-trillian Messenger clients from detecting
when a user is typing.
Crash Summary:
MOV ECX,DWORD PTR DS:[EDX] ; EDX is uninitialized
The crash looks something like this:
Instruction at 0x####8826 referenced memory at 0x00000000
Sample TCP session to crash Trillian:
MIME-Version: 1.0
Content-Type: text/x-msmsgscontrol
TypingXxxx: attacker (at) blah (dot) com [email concealed]
Our preliminary tests showed that memory was not manipulable, and thus this
bug is not exploitable further then DoS. Please make further research public
if you discover otherwise.
_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
http://join.msn.com/?page=features/virus
[ reply ]