[25214] in bugtraq
AIM Remote File Transfer/Direct Connection Vulnerability
daemon@ATHENA.MIT.EDU (Sil)
Tue Apr 23 00:05:46 2002
Date: 21 Apr 2002 00:18:57 -0000
Message-ID: <20020421001857.29654.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Sil <sil@linuxquestions.net>
To: bugtraq@securityfocus.com
AIM Remote File Transfer/Direct Connection Vulnerability
I discovered this vulnerability while I was port scanning my brother (April 15th, 2002). He just happened to send me a file, and the port scan connected and received the file instead of me. The next day (April 16th, 2002) I made a program to exploit the vulnerability. This is how the vulnerability works:
When AIM gets a connection request or tries to connect to someone else, it acts as a server. The program I made rapidly tries to connect to the target IP (every 450 milliseconds) on port 4443 (Direct Connection) and 5190 (File Transfer); it then intercepts the connection and steals whatever data the target sends. They can receive text from their "friends", but they cannot send it, because all data they send gets sent to you. I don't know the Oscar protocol, but I'm sure that if you were to use it, you could send text back to the IM as the "friend" or maybe as a fake screen name; this could be used to trick the person into giving you passwords or personal information. Even if the person just happened to send something like "passwords.txt" to their "friend", you now have those passwords.
The fix:
I think a fix would be simple: have AIM only connect to the IP of the person they are trying to connect to, which would be retrieved by the AIM server(s). I wouldn't doubt there being ways to exploit this also, but it's a start.
A temporary way to protect from the file transfer spy would be to change the port in the AIM preferences dialog for file transfer to something other than 5190; it would be pretty hard for someone to guess what port you changed it to.
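As an added illustration of the fix proposed above (this is not code from the post, from AIM or from RAFTS), here is a loopback model of a file-transfer listener that serves the file only to the peer whose address the server handed out, and closes any other connection before sending a byte. The expected_peer_ip parameter and the free loopback port are assumptions standing in for the AIM server's answer and port 5190.

```python
import socket
import threading

# Constructed stand-in for the AIM direct-connection / file-transfer listener
# (4443 / 5190). The 2002 client served the file to the first TCP connection it
# got, whoever it came from; the fix is to accept only the peer whose address
# the AIM server handed out, passed here as the hypothetical expected_peer_ip.
def accept_from_expected_peer(listener, expected_peer_ip):
    """Accept until a connection arrives from expected_peer_ip; any other source
    is closed before a byte is sent and its address recorded for alerting.
    Returns (conn_or_None, rejected_ips); None if the listener times out."""
    rejected = []
    while True:
        try:
            conn, (src_ip, _src_port) = listener.accept()
        except socket.timeout:
            return None, rejected
        if src_ip == expected_peer_ip:
            return conn, rejected
        rejected.append(src_ip)  # someone raced the real peer: log it
        conn.close()

def send_file(listener, expected_peer_ip, payload):
    """Serve payload to the expected peer only. Returns (sent, rejected_ips)."""
    conn, rejected = accept_from_expected_peer(listener, expected_peer_ip)
    if conn is None:
        return False, rejected
    with conn:
        conn.sendall(payload)
    return True, rejected

def simulate(expected_peer_ip, payload=b"constructed contents of passwords.txt"):
    """Loopback demo: one listener, one client connecting from 127.0.0.1.
    Returns (sent, rejected_ips, bytes_received_by_client)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # any free port stands in for 5190
    listener.listen(5)
    listener.settimeout(1.0)  # stop waiting if the real peer never connects
    port = listener.getsockname()[1]
    outcome = {}
    def serve():
        outcome["sent"], outcome["rejected"] = send_file(listener, expected_peer_ip, payload)
    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        received = b"".join(iter(lambda: client.recv(4096), b""))
    worker.join()
    listener.close()
    return outcome["sent"], outcome["rejected"], received
```

Calling simulate("127.0.0.1") delivers the payload to the loopback client, while simulate with any other expected address turns the same client away empty-handed and records 127.0.0.1 as a rejected source.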
Data you could potentially "steal": pictures, files, text, passwords, movies, personal information, etc.
Well, that concludes this article. If you have any questions or comments, please feel free to contact me.
(One last note: I am still fixing bugs and trying different things with the program, but when I am happy with it, I will post it on my site. It is called RAFTS, which stands for Remote AIM File Transfer Spy.)
-Joseph Musso a.k.a. Sil
www.silenttech.com
aim screen name: xlsillx
email: sil@linuxquestions.net