RE: Trillian Messaging Software

From: Don Weber (Donat_private)
Date: Wed Jun 05 2002 - 12:54:16 PDT

    We use it here primarily for the ability it provides in secure messages over
    ICQ and one of the others it supports. As far as security, it does, I
    believe, store passwords and the like in the registry and other text files.
    Here's an old post I just found again related to Trillian. But I'd think,
    personally, if someone can get to this, you're already in trouble.
    
    Trillian has a system that creates .ini files for connecting to the
    respective messenger services such as MSN, Yahoo, IRC, etc., which it stores
    in the users' directory. For example, the settings of a particular user are
    stored in his default user's directory. For connecting to MSN there is a
    file called msn.ini. For Yahoo there is yahoo.ini. And so on. These files
    include the details of that user such as his email id to connect to that
    service, his contact list, display options, and all that stuff.
    But one thing that seems particularly interesting is that it stores
    the password to the service in an elementary encrypted format.
    Trillian does not forbid access to any user's .ini files in any manner.
    That leaves a huge security hole in the whole system. Anybody can just copy
    and paste the "Profile" of the person to his own msn.ini file and gain full
    access to the victim's respective service. Also, the masked password appears
    in the connection manager field, which can be easily unmasked using a
    password revealer like Cain, thus revealing the password of that person. So
    all you need to do is just gain access to the victim's .ini files in the
    Trillian>>Users>>Victim folder and the work is done.
    The .ini file looks like this, for example, for the MSN service:
    
    [msn]
    auto reconnect=1
    save passwords=1
    idle time=15
    show buddy status=1
    port=1863
    server=messenger.hotmail.com
    last msn=VICTIMat_private
    connect num=10
    connect sec=60
    save status=1
    auto hotmail=1
    ft port=6891
    /*Profile starts*/
    [profile 0]
    name=VICTIM'S EMAIL ADDRESSat_private
    password=8B62F3F10AE39DE413E42 /*THIS IS THE ENCRYPTED PASSWORD*/
    display name=DISPLAY NAME OF THE VICTIM
    auto connect=1
    status=1
    /*Profile Ends*/
    reverse0=CONTACT XXXat_private
    reverse1=CONTACT YYYat_private
    reverse2=CONTACT ZZZat_private
    
    So all you need to do: create a new Trillian account and connect once
    to the MSN or Yahoo etc. service using your own MSN or Yahoo account. So you
    will have your own profile in the .ini file. Now just replace your own
    profile in your own .ini file with the victim's and save the file. Just run
    the .ini file once to make sure that the settings have applied to your own
    account. Now restart Trillian and log on to your own account. The victim's
    settings will be there in your connection manager. You can now connect to
    the service through the victim's account or unmask the password.
    
    
    -----Original Message-----
    From: rogue [mailto:rogueat_private]
    Sent: Wednesday, June 05, 2002 9:10 AM
    To: vuln-devat_private
    Cc: security-basicsat_private
    Subject: Trillian Messaging Software
    
    
    A bunch of users on my Win2k network are asking to install Trillian
    messaging software on their workstations because it allows messaging
    across several systems (AIM, Yahoo Messenger, ICQ, etc.) and I was
    wondering if anyone here has been using it and if there are any
    security issues which have surfaced before allowing this software on my
    network. Thanks all!
    
    
    
    --
    ==================
    rogueat_private
           	     {\o0|
    ==================
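
For an administrator weighing the question above, an audit sketch (an added example, not part of the original thread and not Trillian code) that walks a users directory, parses .ini files in the layout quoted in the post, and lists which profiles hold a saved password without ever returning the stored value. The function names, the directory passed to `audit_tree`, and the sample values are assumptions made for illustration.

```python
import os
import re

ANNOTATION = re.compile(r"/\*.*?\*/")   # the post annotates lines with /* ... */

# Constructed sample in the layout quoted in the post; all values are placeholders.
SAMPLE_INI = """\
[msn]
save passwords=1
port=1863
/*Profile starts*/
[profile 0]
name=user@example.invalid
password=0123456789ABCDEF /*constructed placeholder*/
auto connect=1
/*Profile Ends*/
[profile 1]
name=other@example.invalid
password=
"""

def find_stored_passwords(text):
    """Return [(section, account)] for sections holding a non-empty password=."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = ANNOTATION.sub("", raw).strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    # Report the account name only; the stored value is never returned.
    return [(sec, kv.get("name", "")) for sec, kv in sections.items()
            if kv.get("password")]

def audit_tree(root):
    """Walk root (assumed: the Trillian users directory) and list findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(".ini"):
                path = os.path.join(dirpath, fname)
                with open(path, errors="replace") as fh:
                    for sec, account in find_stored_passwords(fh.read()):
                        findings.append((path, sec, account))
    return findings

if __name__ == "__main__":
    print(find_stored_passwords(SAMPLE_INI))
```

Each finding is a file whose access permissions are worth reviewing, since the post's point is that the stored value protects nothing once the file can be read.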
    



    This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 13:53:39 PDT