[22778] in bugtraq
[ADVISORY] AOL Instant Messenger DoS
daemon@ATHENA.MIT.EDU (Matthew Sachs)
Wed Oct 3 15:56:11 2001
Date: Wed, 3 Oct 2001 13:37:36 -0400
From: Matthew Sachs <matthewg@zevils.com>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com, bugs@securitytracker.com
Message-ID: <20011003133736.A22429@zevils.com>
(Note: I wasn't going to release this until the 8th in order to give
AOL some time to release a fix/workaround, but since exploit scripts
have already been posted to bugtraq...)
Scope:
Anyone who can send instant messages to a user signed on to
the AOL Instant Messenger service can crash that user's AOL
Instant Messenger. The default settings allow everyone to
send the user messages. This bug does not appear to be
exploitable for running arbitrary code.
Confirmed Vulnerable:
AOL Instant Messenger/Win32 4.7.2480
AOL Instant Messenger/Win32 4.3.2229
Confirmed Not Vulnerable:
aimirc (all versions)
AIM Express
QuickBuddy
AOL Instant Messenger/Linux 1.5.234
Unknown:
All other AOL Instant Messenger clients
Reported to AOL on October 1st, 2001. No reply received.
It is possible for any remote user to crash the AOL Instant Messenger for
Windows, at least version 4.7.2480. The target user's visibility
settings must allow the exploiter to send him or her IMs. When a
message with the text "<!-- " (without the quotes) is repeated
approximately 640 or more times, AIM crashes with the following
error.
AIM caused an invalid page fault in module ATK32.DLL at
015f:12023f63.
Registers:
EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
EDX=00000000 ES=0167 EDI=0063ea8c GS=0000
Bytes at CS:EIP:
83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
Stack dump:
00000000 0043051c 00000409 218f0004 8a120000
17df0b04 00010000 00000000 00000000 00000002
00000000 00000302 0000000c 00000001 0000000c
00000000
Note that it does not appear to be possible to send this message from
AOL's Windows AOL Instant Messenger client, both because it imposes
tighter length restrictions than the OSCAR protocol mandates and
because it will translate < into &lt;.
If the "Show 'Accept Message' dialog for messages from users not in Buddy
List" preference is turned on and the exploiter is not in the target's
buddy list, that dialog will appear and then AIM will immediately crash. If
that preference is not turned on or if the exploiter is in the target's
buddy list, an IM dialog will be created (if one does not already exist),
and then AIM will immediately crash.
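As an added example (not code from the advisory or from AOL), here is a Python filter that an IM gateway or logging proxy could run over the plaintext of an incoming message: it counts HTML comment openers that are never closed, flags a message at or above the advisory's approximate 640-repetition threshold, and escapes "<" the way the Windows client is described as doing before sending. The threshold constant, the function names, the sample messages, and the escaping of "&" in addition to "<" are assumptions.

```python
from dataclasses import dataclass

# Approximate repeat count at which the advisory reports AIM crashing.
CRASH_REPEAT_THRESHOLD = 640


@dataclass
class MessageVerdict:
    unclosed_comment_openers: int
    flagged: bool


def count_unclosed_comment_openers(text: str) -> int:
    """Count '<!--' openers that have no matching '-->' terminator.

    AIM messages legitimately carry HTML markup, so a properly closed
    comment is skipped (along with anything nested inside it) and only
    dangling openers are counted.
    """
    unclosed = 0
    pos = 0
    while True:
        start = text.find("<!--", pos)
        if start == -1:
            return unclosed
        end = text.find("-->", start + 4)
        if end == -1:
            # No terminator follows, so every remaining opener is unclosed.
            return unclosed + text.count("<!--", start)
        pos = end + 3  # resume scanning after the closed comment


def inspect_message(text: str, threshold: int = CRASH_REPEAT_THRESHOLD) -> MessageVerdict:
    """Flag a message whose dangling comment openers reach the crash threshold."""
    n = count_unclosed_comment_openers(text)
    return MessageVerdict(unclosed_comment_openers=n, flagged=n >= threshold)


def neutralize(text: str) -> str:
    """Escape markup so '<!--' reaches the receiving client as literal text.

    The advisory notes the official Windows client turns '<' into '&lt;';
    escaping '&' first is an added precaution so existing entities survive.
    """
    return text.replace("&", "&amp;").replace("<", "&lt;")


if __name__ == "__main__":
    # Constructed sample inputs: a benign formatted IM and the crash pattern.
    benign = "<HTML><BODY>hi <!-- note --> there</BODY></HTML>"
    crash = "<!-- " * CRASH_REPEAT_THRESHOLD
    print(inspect_message(benign))
    print(inspect_message(crash))
```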
This bug is already being exploited in the wild. It initially came to my
attention through a post to the vuln-dev@securityfocus.com mailing list as
well as, simultaneously, in traffic observed in the AIM sessions of users
of my network.
Suggested workaround:
If possible, modify your privacy settings so that only users
on your buddylist can contact you. However, this still makes
it possible for people on your buddylist to use this
bug against you. Until AOL releases a fix, the only other
option is to switch to a non-vulnerable client.
Alternatively, one can simply live with the occasional crash
and restart AOL Instant Messenger. Of course,
malicious persons could set up scripts to automatically send
a crash-inducing message to the user as soon as he or she
signed on to the AOL Instant Messenger service.
-- 
Matthew Sachs, the original nonstandard deviant
matthewg@zevils.com http://www.zevils.com/
GPG key: 0x600A0342 PGP key: 0x93EA1151