Holes in Trillian
The security agency iDefense has discovered gaps in security in the Trillian instant messenger client's internet relay chat module. Attackers can inject arbitrary malicious code or read the private messages of users.
The manufacturer Cerulean has closed the gaps in the Trillian client version 184.108.40.206. The 220.127.116.11 version is currently ready for download on the website. Trillian users should update the software as soon as possible to the current version.
This vulnerability is exploited by means of an IRC specific PING-command with characters in UTF-8 encoding the Trillian client can send an incorrectly formatted answer to the server, whereby it could then be forwarded to the attacker. Likewise, specially prepared links with UTF-8 characters are critical. The code that highlights the link can provoke a buffer overflow by means of deficient handling, allowing an attacker to inject code. IRC messages containing a font face HTML tag with long 8-bit UTF character strings can have the same effect.
TippingPoint has discovered another vulnerability in Trillian that attackers can use to inject malicious program code. The Instant Messaging client uses the _presence mDNS service (multicast DNS) on port 5353 (UDP) to detect nearby clients. Once Trillian has registered the user in the mDNS system, further communication takes place via port 5298 (TCP) with the Extensible Messaging and Presence Protocol (XMPP). The functions for the handling of messages in rendezvous.dll first copy the message into a sufficiently large buffer but then begin replacing symbols such as >, < with their HTML character entities, taking up more space. Specially prepared messages can cause the buffer to overflow and allow injected code to be executed. Version 18.104.22.168 of Trillian closes this hole.
Vendor Cerulean has closed the hole in version 22.214.171.124 in Trillian clients. Version 126.96.36.199 can be downloaded from the vendor's website. Trillian users are advised to update their software as quickly as possible.
- Cerulean Studios Trillian Multiple IRC Vulnerabilities, security announcement from iDefense
- Download fixed Trillian versions