we use it here primarily for the ability it provides in secure messages over icq and one of the others it supports, as far as security, it does i blv, store passwords and the like in the registry and other text files, here's an old post i just found again related to trillion. but I'd think personally, if someone can get to this, your already in trouble Trillian has a system that creates .ini files for connecting to the respective messenger services such as MSN,Yahoo,IRC,etc...which it stores in the users' directory.For example-the settings of a particular user are stored in his default user's directory.For connecting to MSN there is a file called msn.ini.For Yahoo...there is yahoo.ini.And so on...These files include the details of that user such as his email id to connect to that service,his contact list,display options,and all that stuff. But one thing that seems particularly interesting is that...it stores the password to the service in an elementary encrypted format. Trillian does not forbid access to any user's .ini files in any manner. That leaves a huge security hole in the whole system.Anybody can just copy and paste the "Profile" of the person to his own msn.ini file and gain full access to the victim's respective service.Also the masked password appears in the connection manager field which can be easily unmasked using a password revealer like Cain.Thus revealing the password of that person.So all you need to do is just gain access to the victim's .ini files in the Trillian>>Users>>Victim folder and the work is done. The .ini file looks like this...... for example.....for msn service [msn] auto reconnect=1 save passwords=1 idle time=15 show buddy status=1 port=1863 server=messenger.hotmail.com last msn=VICTIMat_private connect num=10 connect sec=60 save status=1 auto hotmail=1 ft port=6891 /*Profile starts*/ [profile 0] name=VICTIM'S EMAIL ADDRESSat_private password=8B62F3F10AE39DE413E42 /*THIS IS THE ENCRYPTED PASSWORD*/ display name=DISPLAY NAME OF THE VICTIM auto connect=1 status=1 /*Profile Ends*/ reverse0=CONTACT XXXat_private reverse1=CONTACT YYYat_private reverse2=CONTACT ZZZat_private so all you need to do....create a new trillian account....and connect once to the MSN or yahoo etc. service using ur own msn or yahoo account.So you will have your own profile in the .ini file.Now just replace your own profile in your own .ini file with the victim's and save the file.Just run the .ini file once to make sure that the settings have applied to your own account.Now restart Trillian and logon to your own account.The victim's settings will be there in your connection manager.You can now connect to the service thru the victims account or unmask the password. -----Original Message----- From: rogue [mailto:rogueat_private] Sent: Wednesday, June 05, 2002 9:10 AM To: vuln-devat_private Cc: security-basicsat_private Subject: Trillian Messaging Software A bunch of users on my Win2k network are asking to install trillian messaging software on their workstations because it allows messaging across several systems (AIM, yahoo messenger, ICQ, etc) and i was wondering if anyone has been here has been using it and if there are any security issues which have surfaced before allowing this software on my network. Thanks all! -- ================== rogueat_private {\o0| ==================
This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 13:53:39 PDT