nV News Forums
nV News Forums (http://www.nvnews.net/vbulletin/index.php)
-   General Software (http://www.nvnews.net/vbulletin/forumdisplay.php?f=10)
-   -   Two or more exploitable holes in trillian's irc module (http://www.nvnews.net/vbulletin/showthread.php?t=304)

volt 08-01-02 11:59 PM

Two or more exploitable holes in Trillian's IRC module
 
You might want to stop using IRC and DCC in trillian until there is a patch :)

Sent the following advisory to trillian: Tue, 16 Jul 2002 16:49:19 -0400 (EDT)

Submitted by : Josh (josh@pulltheplug.com),
omega (mtwoar@hotmail.com) on July 16th, 2002
Vulnerability : Format strings bug and buffer overflow in the IRC client of Trillian
Tested On : Trillian v0.73,0.72
Remote : Yes
Greets to : SooT, zen-parse, arcanum, lockdown, brian, Bryan S.,
#social on ptp, jade, fr3n3tic

There exists a format string vulnerability in the way Trillian handles channel
invites. It's invoked by merely joining a channel, #%n%n%n for example, and inviting the
victim to it. Using a specially crafted invitation it is possible to overwrite EIP or
EBP, depending on the method you choose. While the format string exploit would be a hard
one to write, treating this as a textbook buffer overflow by using a string like
#%4095x<some 4 byte addy here>, you can overwrite EIP with ease. The only problem with
exploitation after overwriting EIP is getting the incredibly large Win32 shellcode somewhere
where it can be located, and where it's not broken up. IRC messages allow only 448 bytes
per message. It might be possible, though, to initiate a DCC chat with the user (which they
would have to accept) and store the shellcode there. Another option is to store the
shellcode in multiple messages and have the shellcode itself jump around... either way
exploitation isn't trivial.

The next overflow is entirely unrelated to the above, but exists in the DCC chat
itself. Flooding the user with about 4282 characters in one DCC message will overwrite
EAX.
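The two invite strings in the advisory, #%n%n%n and #%4095x<addr>, only work because the client hands the channel name to a printf-style function as the format argument rather than as data. The C below is an added example written for this page; it is not code from the advisory, from volt's post, or from Trillian, and the function names, buffer sizes and the policy of rejecting any channel name containing a conversion are assumptions made here. It scans an untrusted channel name for format directives (counting %n writes and the minimum rendered length, which is how a 12-byte name turns into 4100 bytes on the client despite the 448-byte IRC message limit), shows the vulnerable call beside the hardened one, and demonstrates with properly supplied arguments what %n stores after a 4095-wide field.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Tally of what an untrusted string would make printf do as a format.
 * Sizes in this file are illustrative assumptions, not Trillian's. */
struct fmt_scan {
    int conversions;    /* % directives other than %%                  */
    int n_directives;   /* %n directives: each one writes to memory    */
    size_t min_len;     /* lower bound on the rendered length in bytes */
};

/* Walk the string the way printf does. A literal byte or "%%" yields one
 * output byte; a conversion with an explicit width yields at least that
 * many; "%n" emits nothing but stores the byte count so far through a
 * pointer taken from the argument list. Returns 1 if the string contains
 * any conversion and is therefore unsafe to use as a format. */
static int scan_format(const char *s, struct fmt_scan *out)
{
    memset(out, 0, sizeof *out);
    for (const char *p = s; *p; p++) {
        if (*p != '%') { out->min_len++; continue; }
        p++;
        if (*p == '\0') break;                        /* dangling '%'  */
        if (*p == '%')  { out->min_len++; continue; } /* "%%" -> '%'   */
        while (*p && strchr("-+ #0", *p)) p++;        /* flags         */
        size_t width = 0;
        while (*p >= '0' && *p <= '9')                /* field width   */
            width = width * 10 + (size_t)(*p++ - '0');
        if (*p == '.') { p++; while (*p >= '0' && *p <= '9') p++; }
        while (*p && strchr("hlLqjzt", *p)) p++;      /* length mods   */
        if (*p == '\0') break;                        /* cut-off directive */
        out->conversions++;
        if (*p == 'n') out->n_directives++;
        else           out->min_len += width;
    }
    return out->conversions > 0;
}

/* Vulnerable pattern, for contrast: the channel name from the INVITE is the
 * *format*. With "#%4095x" printf reads a missing argument off the stack and
 * pads it to 4095 bytes; with "%n" it writes through whatever value sits in
 * the next argument slot. Calling this with a name that contains conversions
 * is undefined behaviour (which is what the EIP/EBP overwrite relies on), so
 * it is only ever called here with a name scan_format() has cleared. */
static int render(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return n;
}
static int handle_invite_unsafe(const char *chan, char *dst, size_t cap)
{
    return render(dst, cap, chan);            /* BUG: attacker controls fmt */
}

/* Hardened form: untrusted text is always data, never the format. */
static int handle_invite_safe(const char *chan, char *dst, size_t cap)
{
    return snprintf(dst, cap, "%s", chan);
}

/* What "%n" does when its argument is supplied properly (well defined):
 * after "#" plus a 4095-wide field, printf stores the running count, 4096,
 * through the int* it finds next. In the attack no int* was passed, so the
 * store lands wherever the stack slot happens to point. */
static int count_stored_by_percent_n(void)
{
    char buf[8192];
    int written = -1;
    snprintf(buf, sizeof buf, "#%4095x%n", 0u, &written);
    return written;
}

/* Small accessors so the stand-alone run and the checks read cleanly. */
static int scan_is_unsafe(const char *s)    { struct fmt_scan r; return scan_format(s, &r); }
static int scan_n_directives(const char *s) { struct fmt_scan r; scan_format(s, &r); return r.n_directives; }
static size_t scan_min_len(const char *s)   { struct fmt_scan r; scan_format(s, &r); return r.min_len; }
static int safe_handler_keeps_verbatim(const char *chan)
{
    char buf[256];
    handle_invite_safe(chan, buf, sizeof buf);
    return strcmp(buf, chan) == 0;
}
static int handlers_agree_on_plain_name(const char *chan)   /* plain names only */
{
    char a[256], b[256];
    handle_invite_unsafe(chan, a, sizeof a);
    handle_invite_safe(chan, b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed probes: the two from the advisory plus a harmless name. */
    const char *probes[] = { "#%n%n%n", "#%4095xAAAA", "#nvnews" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct fmt_scan s;
        int unsafe = scan_format(probes[i], &s);
        printf("%-12s conversions=%d %%n=%d min_len=%zu -> %s\n", probes[i],
               s.conversions, s.n_directives, s.min_len, unsafe ? "REJECT" : "ok");
    }
    printf("%%n stored %d after \"#%%4095x\"\n", count_stored_by_percent_n());
    return 0;
}
```

The scanner is a lower bound: it cannot see the values the conversions would consume, only the widths the attacker wrote down, which is enough to reject a name before it ever reaches a format argument. The real fix is the one-line change in handle_invite_safe, where the channel name becomes an argument to a fixed "%s" format; the scanner is the kind of check a client could log on to spot probing.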

saturnotaku 08-02-02 07:33 PM

It doesn't really matter too much for me because Trillian's implementation of IRC sucks nutter anyway - you're lucky if you can stay connected to a server for more than 2 minutes.

volt 08-02-02 08:51 PM

hehehe, I never even used it :)
thought it might be of interest for some.

|JuiceZ| 08-02-02 11:18 PM

Quote:

Originally posted by saturnotaku
It doesn't really matter too much for me because Trillian's implementation of IRC sucks nutter anyway - you're lucky if you can stay connected to a server for more than 2 minutes.
LOL! sho'nuff, I think I tried to connect to an irc srv using trillian once and have regretted it ever since. I use it for everything else but for irc, I'm stickin' w/ MiRC ;)

vampireuk 08-04-02 07:02 AM

Yeah I only use mIRC, anyone tried those crappy Java chat boxes for it? God they suck :rolleyes: :D

