bfebc3fa5a
62 changes to exploits/shellcodes macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability' Peercast < 0.1211 - Format String Trillian Pro < 2.01 - Design Error dbPowerAmp < 2.0/10.0 - Buffer Overflow PsychoStats < 2.2.4 Beta - Cross Site Scripting MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution GitStack 2.3.10 - Unauthenticated Remote Code Execution Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection (PoC) Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC) Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities DUWare Multiple Products - Multiple Vulnerabilities AutoRank PHP < 2.0.4 - SQL Injection (PoC) ASPapp Multiple Products - Multiple Vulnerabilities osCommerce < 2.2-MS2 - Multiple Vulnerabilities PostNuke < 0.726 Phoenix - Multiple Vulnerabilities MetaDot < 5.6.5.4b5 - Multiple Vulnerabilities phpGedView < 2.65 beta 5 - Multiple Vulnerabilities phpShop < 0.6.1-b - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3 - SQL Injection phpBB < 2.0.6d - Cross Site Scripting Phorum < 5.0.3 Beta - Cross Site Scripting vBulletin < 3.0.0 RC4 - Cross Site Scripting Mambo < 4.5 - Multiple Vulnerabilities phpBB < 2.0.7a - Multiple Vulnerabilities Invision Power Top Site List < 1.1 RC 2 - SQL Injection Invision Gallery < 1.0.1 - SQL Injection PhotoPost < 4.6 - Multiple Vulnerabilities TikiWiki < 1.8.1 - Multiple Vulnerabilities phpBugTracker < 0.9.1 - Multiple Vulnerabilities OpenBB < 1.0.6 - Multiple Vulnerabilities PHPX < 3.26 - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3.1 - Design Error HelpCenter Live! < 1.2.7 - Multiple Vulnerabilities LiveWorld Multiple Products - Cross Site Scripting WHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities PHP-Calendar < 0.10.1 - Arbitrary File Inclusion PhotoPost Classifieds < 2.01 - Multiple Vulnerabilities ReviewPost < 2.84 - Multiple Vulnerabilities PhotoPost < 4.85 - Multiple Vulnerabilities AZBB < 1.0.07d - Multiple Vulnerabilities Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities Burning Board < 2.3.1 - SQL Injection XOOPS < 2.0.11 - Multiple Vulnerabilities PEAR XML_RPC < 1.3.0 - Remote Code Execution PHPXMLRPC < 1.1 - Remote Code Execution SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite XPCOM - Race Condition ADOdb < 4.71 - Cross Site Scripting Geeklog < 1.4.0 - Multiple Vulnerabilities PEAR LiveUser < 0.16.8 - Arbitrary File Access Mambo < 4.5.3h - Multiple Vulnerabilities phpRPC < 0.7 - Remote Code Execution Gallery 2 < 2.0.2 - Multiple Vulnerabilities PHPLib < 7.4 - SQL Injection SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite CubeCart < 3.0.12 - Multiple Vulnerabilities Claroline < 1.7.7 - Arbitrary File Inclusion X-Cart < 4.1.3 - Arbitrary Variable Overwrite Mambo < 4.5.4 - SQL Injection Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities D-Link DNS-343 ShareCenter < 1.05 - Command Injection D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
39 lines
No EOL
2.7 KiB
Text
39 lines
No EOL
2.7 KiB
Text
Trillian Pro Design Error
|
|
|
|
Vendor: Cerulean Studios
|
|
Product: Trillian Pro
|
|
Version: <= 2.01
|
|
Website: http://www.ceruleanstudios.com
|
|
|
|
|
|
Description:
|
|
Trillian is a multinetwork chat client that currently supports mIRC, AIM, ICQ, MSN, and Yahoo Messenger. It supports docking, multiline edit boxes, buddy alerts, multiple connections to the same medium, a powerful skinning language, easy importing of your existing contacts, skinnable emoticons, logging, global away/invisible features, and a unified contact list. It has a direct connection for AIM, support for user profiles, complete type formatting, buddy icons, proxy support, emotisounds, encrypted instant messaging to ICQ and AIM, AIM group chats, and shell extensions for file transfers.
|
|
|
|
Problem:
|
|
Lets say you use Trillian to connect to Yahoo Instant Messenger. By default Trillian will pop up a window telling you that your Yahoo email account has new mail (if and when it does) If you click the link provided in the window you will notice that first it takes you to a HTML page created on your hard drive, that then sends a requests to Yahoo to log you in. For example:
|
|
|
|
C:\Program Files\Trillian\users\default\cache\sfd0.html
|
|
|
|
And if you open up this file in any type of text editor or the like you will clearly see the credentials in plaintext.
|
|
|
|
<script>
|
|
<!--
|
|
var username;
|
|
username='plaintextusernamehere';
|
|
var password;
|
|
password='plaintextpasswordhere';
|
|
function submit () {
|
|
document.getElementById('login').value=username;
|
|
document.getElementById('passwd').value=password;
|
|
document.getElementById('login_form').submit();
|
|
};
|
|
//-->
|
|
</script>
|
|
|
|
I have not spent a great deal of time looking into this matter, as it is of little interest to me, but what I have noticed is that this file is not deleted until Trillian is shut down. In the case of abnormal program termination, such as a crash the file may still be there. This file can be accessed by lower level users in most cases, and totally leaves the Yahoo credentials open to theft. This may also be the case with other accounts etc, but like I said I have not looked into it much. Just wanted to make aware of this as a great number of people use Yahoo for money, and business purposes as well as personal use.
|
|
|
|
Solution:
|
|
I contacted Cerulean Studios a week or two ago about this, but I have not heard back from them at all. I would suggest not using this particular feature or shredding the temp file at best after logging in if you REALLY insist on using this feature. But that doesnt stop the credentials from being passed over the network in plaintext ... I imagine the guys at Cerulean Studios get swamped with emails, thus the no reply.
|
|
|
|
Credits:
|
|
James Bercegay of the GulfTech Security Research Team. |