Arbitrary code execution in Trillian
As recent demos for Firefox and Internet Explorer have shown, launching external applications from within a browser may cause security problems due to arbitrary code execution. The authors of a previous cross-application scripting demo have now demonstrated a similar problem in Trillian, a messaging client. During installation, Trillian registers the URI aim:// (AOL Instant Messenger) to allow the browser to launch the client when an aim link is clicked. Trillian does not properly filter the received data. A malicious URI may cause a buffer overflow in the aim.dll module, which could be exploited by attackers to inject arbitrary code and execute it with user privileges. However, the public demo only causes the application to crash.
Also, a malformed URI may be used to write a batch file to the Windows startup folder to be executed the next time Windows is restarted. The public demo stores a file in the startup folder that launches the calculator. Due to path specifications, the demo only runs on systems in English language. The bugs were found in Trillian Basic 126.96.36.199 but other versions might also be affected. A new version has not been released yet. At present, the only workaround is to unregister the URI. According to US-CERT, this is done by deleting the HKEY_CLASSES_ROOT\AOL registry key.
The authors of the demo point out that there are many other examples for such holes based on registered URIs. Current examples are only the tip of the iceberg. Registered URIs serve as a kind of remote gateway into a user’s computer. The authors advise users to unregister all unnecessary URIs, but do not explain which URIs are actually unnecessary.
The Windows scripting host tool "Dump URL Handlers" helps users to search for such URIs; it searches the registry and displays all registered URIs together with the corresponding application.
- Cross Application Scripting Demo / URI Vulnerabilities Demo (Trillian 0-day), security advisory by Nate Mcfeters, Billy (BK) Rios and Raghav "the Pope" Dub
- [ticker:uk_92525 Vulnerability through parallel installation of Firefox 2 and Internet Explorer], heise Security news