Executive Summary

Summary
Title Cerulean Studios Trillian Instant Messenger fails to properly handle "UTF-8" sequences
Informations
Name VU#187033 First vendor Publication 2007-06-20
Vendor VU-CERT Last vendor Modification 2007-06-29
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#187033

Cerulean Studios Trillian Instant Messenger fails to properly handle "UTF-8" sequences

Overview

A vulnerability in Cerulean Studios Trillian Instant Messenger client may lead to execution of arbitrary code.

I. Description

Cerulean Studios Trillian Instant Messenger client fails to properly handle specially crafted UTF-8 text. A heap overflow may occur when Trillian receives a messages with malformed UTF-8 strings.

II. Impact

A remote, authenticated attacker may be able to execute arbitrary code with the privileges of the user or cause a denial-of-service condition by sending the client a message.

III. Solution

Update

Cerulean Studios has released an update to address this issue. See the Cerulean Studios Blog for more information.

Systems Affected

VendorStatusDate Updated
Cerulean StudiosVulnerable20-Jun-2007

References


http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=545
http://secunia.com/advisories/25736/
http://blog.ceruleanstudios.com/?p=150

Credit

This vulnerability was reported in iDefense Public Advisory 6.18.07. iDefense credits www.BlurredLogic.com with reporting this issue.

This document was written by Chris Taschner.

Other Information

Date Public06/18/2007
Date First Published06/20/2007 03:54:35 PM
Date Last Updated06/29/2007
CERT Advisory 
CVE NameCVE-2007-2478
Metric6.08
Document Revision10

Original Source

Url : http://www.kb.cert.org/vuls/id/187033

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 38
Application 7

Open Source Vulnerability Database (OSVDB)

Id Description
37446 Trillian UTF-8 String Word Wrap Remote Overflow
35721 Trillian Pro IRC Component UTF-8 String Handling Multiple Overflows

Nessus® Vulnerability Scanner

Date Description
2007-06-19 Name : The remote host contains an instant messaging application that is affected by...
File : trillian_3_1_6_0.nasl - Type : ACT_GATHER_INFO
2007-05-01 Name : The remote host contains an instant messaging application that is susceptible...
File : trillian_3_1_5_0.nasl - Type : ACT_GATHER_INFO