Trillian XML Tag Buffer Overflow Vulnerability

Vulnerability ID: 1184387 | Vulnerability type: Buffer overflow
Published: 2008-12-10 | Updated: 2008-12-10
CVE ID: CVE-2008-5403 | CNNVD-ID: CNNVD-200812-158
Platform: N/A | CVSS score: 10.0
|Vulnerability Source
https://www.securityfocus.com/bid/87463
https://cxsecurity.com/issue/WLB-2008120099
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-158
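|Vulnerability Details
Trillian is a chat program that offers one common interface to multiple instant messaging services, including AIM, ICQ, Yahoo! Messenger, MSN Messenger and IRC. Trillian's XML processing code does not allocate sufficient space when handling a malformed XML tag, so copying the tag into the newly allocated buffer may overwrite heap structures with attacker-supplied data. In addition, when handling specially formatted XML, the XML processing code may corrupt an internal data structure; when that structure is later released, the application frees a single chunk multiple times, which may lead to execution of arbitrary instructions. Trillian's tooltip processing code, when creating a graphical tooltip, generates an XML tag containing a file name attribute and then copies the data directly into a stack buffer without validating its length, leading to execution of arbitrary instructions with the privileges of the client.
|Vulnerability EXP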
ZDI-08-079: Trillian AIM Plugin Malformed XML Tag Heap Overflow Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-08-079

December 4, 2008

-- Affected Vendors:
Cerulean Studios

-- Affected Products:
Cerulean Studios Trillian

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Cerulean Studios Trillian. Authentication is
not required to exploit this vulnerability.

The specific flaw exists within the XML processing code for Trillian.
When parsing a malformed XML tag, the application does not allocate
enough space for its contents. During copying of this to the newly
allocated buffer, the application will overwrite heap structures with
attacker-supplied data that can then be leveraged to achieve code
execution with the privileges of the application.

-- Vendor Response:
Cerulean Studios has issued an update to correct this vulnerability. More
details can be found at:

http://blog.ceruleanstudios.com/?p=404

-- Disclosure Timeline:
2008-11-24 - Vulnerability reported to vendor
2008-12-04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

|Affected Products
Ceruleanstudios Trillian Pro 3.1.9 .0
Ceruleanstudios Trillian Pro 0
Ceruleanstudios Trillian 3.1.9 .0
Ceruleanstudios Trillian 3.1.0.9
Ceruleanstudios Trillian 0
Cerulean
|References

Source: VUPEN
Name: ADV-2008-3348; Patch Information
Link: http://www.frsirt.com/english/advisories/2008/3348
Source: XF
Name: trillian-xml-bo(47100)
Link: http://xforce.iss.net/xforce/xfdb/47100
Source: MISC
Link: http://www.zerodayinitiative.com/advisories/ZDI-08-079
Source: SECTRACK
Name: 1021336
Link: http://www.securitytracker.com/id?1021336
Source: BID
Name: 32645
Link: http://www.securityfocus.com/bid/32645
Source: BUGTRAQ
Name: 20081205 ZDI-08-079: Trillian AIM Plugin Malformed XML Tag Heap Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/498936/100/0/threaded
Source: SREASON
Name: 4702
Link: http://securityreason.com/securityalert/4702
Source: SECUNIA
Name: 33001
Link: http://secunia.com/advisories/33001
Source: OSVDB
Name: 50474
Link: http://osvdb.org/50474
Source: MISC
Link: http://blog.ceruleanstudios.com/?p=404