Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption
Date: 7 May 2007 12:47:55 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption
------------------------------------------------------------------------


SUMMARY

A vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of Cerulean Studios Trillian Pro. Authentication 
is not required to exploit this vulnerability.

DETAILS

Vulnerable Systems:
 * Trillian Pro version 3.1 build 121

The specific flaw exists in the Rendezvous / XMPP (Extensible Messaging 
and Presence Protocol) messaging subsystem. Trillian locates nearby users 
through the '_presence' mDNS (multicast DNS) service on UDP port 5353. 
Once a user is registered through mDNS, messaging is accomplished via XMPP 
over TCP port 5298. Within plugins\rendezvous.dll the follow logic is 
applied to received messages:

    4900C470 str_len:
    4900C470     mov cl, [eax]      ; *eax = message+1
    4900C472     inc eax
    4900C473     test cl, cl
    4900C475     jnz short str_len

    4900C477     sub eax, edx
    4900C479     add eax, 128       ; strlen(message+1) + 128
    4900C47E     push eax
    4900C47F     call _malloc

The string length of the the supplied message is calculated and a heap 
buffer in the amount of length + 128 is allocated to store a copy of the 
message which is then passed through expatxml.xmlComposeString(), a 
function called with the following prototype:

    plugin_send(MYGUID, "xmlComposeString", struct xml_string_t *);

    struct xml_string_t {
        unsigned int      struct_size;
        char              *string_buffer;
        struct xml_tree_t *xml_tree;
    };

The xmlComposeString() routine calls through to expatxml.19002420() which, 
among other things, HTML encodes the characters &, > and < as &, > and < 
respectively. This behavior can be seen in the following disassembly 
snippet:

    19002492 push 0
    19002494 push 0
    19002496 push offset str_Amp       ; "&"
    1900249B push offset ampersand     ; "&"
    190024A0 push eax
    190024A1 call sub_190023A0

    190024A6 push 0
    190024A8 push 0
    190024AA push offset str_Lt        ; "<"
    190024AF push offset less_than     ; "<"
    190024B4 push eax
    190024B5 call sub_190023A0

    190024BA push
    190024BC push
    190024BE push offset str_Gt        ; ">"
    190024C3 push offset greater_than  ; ">"
    190024C8 push eax
    190024C9 call sub_190023A0

As the originally calculated string length does not account for this 
string expansion, the following subsequent in-line memory copy operation 
within rendezvous.dll can trigger an exploitable memory corruption:

    4900C4EC mov ecx, eax
    4900C4EE shr ecx, 2
    4900C4F1 rep movsd
    4900C4F3 mov ecx, eax
    4900C4F5 and ecx, 3
    4900C4F8 rep movsb

Note that binary data can be transmitted across the XMPP protocol via 
UTF-8 encoding.

Vendor Response:
Cerulean Studios has issued an update to correct this vulnerability. More 
details can be found at:  <http://blog.ceruleanstudios.com/> 
http://blog.ceruleanstudios.com/

Disclosure Timeline:
2007.02.15 - Vulnerability reported to vendor
2007.05.02 - Digital Vaccine released to TippingPoint customers
2007.05.02 - Coordinated public release of advisory

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2418> 
CVE-2007-2418


ADDITIONAL INFORMATION

The information has been provided by  <mailto:Pedram Amini, TippingPoint 
Security Research Team> Pedram Amini, TippingPoint Security Research Team.
The original article can be found at:  
<http://dvlabs.tippingpoint.com/advisory/TPTI-07-06> 
http://dvlabs.tippingpoint.com/advisory/TPTI-07-06



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption, SecuriTeam <=
Previous by Date:  [UNIX] HP Tru64 UNIX Running the ps command, Local Disclosure of Sensitive Information, SecuriTeam
Next by Date:  [NEWS] IAX2 Users can Cause Unauthorized Data Disclosure, SecuriTeam
Previous by Thread:  [UNIX] HP Tru64 UNIX Running the ps command, Local Disclosure of Sensitive Information, SecuriTeam
Next by Thread:  [NEWS] IAX2 Users can Cause Unauthorized Data Disclosure, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]