what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TPTI-07-06.txt

TPTI-07-06.txt
Posted May 3, 2007
Authored by Pedram Amini | Site dvlabs.tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cerulean Studios Trillian Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists in the Rendezvous / XMPP (Extensible Messaging and Presence Protocol) messaging subsystem. Trillian locates nearby users through the '_presence' mDNS (multicast DNS) service on UDP port 5353. Once a user is registered through mDNS, messaging is accomplished via XMPP over TCP port 5298.

tags | advisory, remote, arbitrary, udp, tcp, protocol
advisories | CVE-2007-2418
SHA-256 | 2fbe961a03444391b1fc35b9482c4017e92353628e9ec1605fa9996224f7441b

TPTI-07-06.txt

Change Mirror Download
TPTI-07-06: Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption
http://dvlabs.tippingpoint.com/advisory/TPTI-07-06
May 2, 2007

-- CVE ID:
CVE-2007-2418

-- Affected Vendor:
Cerulean Studios

-- Affected Products:
Trillian Pro 3.1 build 121 and below

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since May 2, 2007 by Digital Vaccine protection
filter ID 5328. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Cerulean Studios Trillian Pro.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in the Rendezvous / XMPP (Extensible Messaging
and Presence Protocol) messaging subsystem. Trillian locates nearby
users through the '_presence' mDNS (multicast DNS) service on UDP port
5353. Once a user is registered through mDNS, messaging is accomplished
via XMPP over TCP port 5298. Within plugins\rendezvous.dll the follow
logic is applied to received messages:

4900C470 str_len:
4900C470 mov cl, [eax] ; *eax = message+1
4900C472 inc eax
4900C473 test cl, cl
4900C475 jnz short str_len

4900C477 sub eax, edx
4900C479 add eax, 128 ; strlen(message+1) + 128
4900C47E push eax
4900C47F call _malloc

The string length of the the supplied message is calculated and a heap
buffer in the amount of length + 128 is allocated to store a copy of
the message which is then passed through expatxml.xmlComposeString(), a
function called with the following prototype:

plugin_send(MYGUID, "xmlComposeString", struct xml_string_t *);

struct xml_string_t {
unsigned int struct_size;
char *string_buffer;
struct xml_tree_t *xml_tree;
};

The xmlComposeString() routine calls through to expatxml.19002420()
which, among other things, HTML encodes the characters &, > and < as &,
> and < respectively. This behavior can be seen in the following
disassembly snippet:

19002492 push 0
19002494 push 0
19002496 push offset str_Amp ; "&"
1900249B push offset ampersand ; "&"
190024A0 push eax
190024A1 call sub_190023A0

190024A6 push 0
190024A8 push 0
190024AA push offset str_Lt ; "<"
190024AF push offset less_than ; "<"
190024B4 push eax
190024B5 call sub_190023A0

190024BA push
190024BC push
190024BE push offset str_Gt ; ">"
190024C3 push offset greater_than ; ">"
190024C8 push eax
190024C9 call sub_190023A0

As the originally calculated string length does not account for this
string expansion, the following subsequent in-line memory copy
operation within rendezvous.dll can trigger an exploitable memory
corruption:

4900C4EC mov ecx, eax
4900C4EE shr ecx, 2
4900C4F1 rep movsd
4900C4F3 mov ecx, eax
4900C4F5 and ecx, 3
4900C4F8 rep movsb

Note that binary data can be transmitted across the XMPP protocol via
UTF-8 encoding.

-- Vendor Response:
Cerulean Studios has issued an update to correct this vulnerability.
More details can be found at:

http://blog.ceruleanstudios.com/

-- Disclosure Timeline:
2007.02.15 - Vulnerability reported to vendor
2007.05.02 - Digital Vaccine released to TippingPoint customers
2007.05.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close