Bugtraq mailing list archives

Re: Cross Platform remote IM vulnerability / DOS


From: "Gavin Hanover" <netmunky () gmail com>
Date: Fri, 17 Aug 2007 13:15:15 -0700

It's not sending back the same string at all. One starts with AAIC,
the other starts with AAIK and continues to be different.

It looks like it is simply using the OTR plugin (available in both Adium and Pidgin):
http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html

On 17 Aug 2007 19:04:27 -0000, Danslo () yahoo com <Danslo () yahoo com> wrote:
Forewarning: this has not been thoroughly tested, but it has been tested on Pidgin on several Windows distros and on
Mac OS X running the Adium client. The Mac Adium client doesn't freeze up but is still vulnerable to the string and
repeats it back without the user seeing it occurring. I've been very busy the last few years and don't have time to
follow up or test this further; glad the list still exists, apologies for the incompleteness. Use at your own risk, and
please don't use it to pester others!


There is a string of characters which, when entered into an AIM conversation window with another user, will cause that
user to repeat the same string of characters back to you; at the least this could be used to eat up bandwidth. The
interesting thing about it is that when you send the instant message containing the string, the other party doesn't see
it or their reply back to you containing the same string; it's totally invisible on the screen. You could launch an
attack on someone and it doesn't open a popup IM box: transparent.

------------example--------------------

userB: ok im going to send you the string, tell me if you receive anything in the im window.
userB: userA: 
?OTR:AAICAAAAxLWYQllUFJTneF0uBhdCjKyvAbB/q2HvyEG8nBmUlztLw0xe4DD50osCo4sTkCaH082Ii3ZZzMvMZJ4QERXLBKdEGH3p5x6TAuAyoyNP6jfpfVideQCeSZgOfBwY82iFeGLDyof7HN+H8ADWOb/KmwjnKQ3PWNWVtrWe+njsuDkdCRZaRUvwggsz1VLsG41gz5CxYrxpwNPEbfelQMoy6rFASf1lKNFvhHkMzvhQnRb2gAP2cXSizEfPJVTEEuwBhK5BqaUAAAAgl5zLWoOI7lQKjTXF3AhbRJguHc/VVEjXuyX950Zdf9I=.
userA: 
?OTR:AAIKAAAAwIJFBPsSOhCvqu9uZJUZP6qkbMaONxAhy/lF2n4AixoRc4xNlwkHSSSqO1x5OKwTUd/Nx/xCuCjcvq42dHFj2ajkZXUKRC8NbyZDuw+2DmQZaKZMkm2N0JY7sRAwcW+vkJ2uybdCqs6YXHLbhlvvxkWoiZFrz5LlHFPtIgQG9PL8Tr5bvk2jztm5vE0V0r/V5r7ePoYo7c1vzBr/R+TMthy78MCwO/9pqVN0LIsgZ1SyUiDhDHfRIvAg2IuLOfvknA==.
userB: see anything after I said window?
userA: no
userA: nothing
-----------------------------------------

At the least this causes the other machine to send out more packets than the average user may have known of; with a
little thinking and just as many resources this could be used as a distributed denial of service attack.

On the current version of Pidgin, when this was tested on several OSes, it often froze up the target's IM window for the
duration of the attack and sometimes the entire system's performance suffers. While the attack is being performed the
IM window is unusable.

Side info: if you add or replace characters in the string and send it, it will still work, but the new characters
don't get repeated back the same in the string.

Discovered by Dan Shinn <danslo () yahoo com>
Testing by Rick Russel <noneck.net>



-- 
In God we trust,
Everyone else must have an x.509 certificate.
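The bytes behind the AAIC/AAIK observation, as an added example that is not part of either message in this thread: per the OTR v2 protocol page linked above, an OTR wire message is `?OTR:` + base64(data) + `.`, and data begins with a 2-byte protocol version followed by a 1-byte message type (0x02 D-H Commit, 0x0A D-H Key, 0x11 Reveal Signature, 0x12 Signature, 0x03 Data). The D-H Commit body is two DATA fields (AES-encrypted g^x and its SHA-256 hash); the D-H Key body is one MPI (g^y). The parser below decodes the two strings copied verbatim from the quoted exchange and reports what they are. The function and constant names are my own, not anything from Pidgin, Adium or libotr.

```python
import base64
import struct

# OTR version 2 message types, per the OTR v2 protocol spec linked above.
OTR_MSG_TYPES = {
    0x02: "D-H Commit",
    0x0A: "D-H Key",
    0x11: "Reveal Signature",
    0x12: "Signature",
    0x03: "Data",
}

# The two strings from the quoted exchange, copied verbatim from the post.
USERB_SENT = "?OTR:AAICAAAAxLWYQllUFJTneF0uBhdCjKyvAbB/q2HvyEG8nBmUlztLw0xe4DD50osCo4sTkCaH082Ii3ZZzMvMZJ4QERXLBKdEGH3p5x6TAuAyoyNP6jfpfVideQCeSZgOfBwY82iFeGLDyof7HN+H8ADWOb/KmwjnKQ3PWNWVtrWe+njsuDkdCRZaRUvwggsz1VLsG41gz5CxYrxpwNPEbfelQMoy6rFASf1lKNFvhHkMzvhQnRb2gAP2cXSizEfPJVTEEuwBhK5BqaUAAAAgl5zLWoOI7lQKjTXF3AhbRJguHc/VVEjXuyX950Zdf9I=."
USERA_REPLY = "?OTR:AAIKAAAAwIJFBPsSOhCvqu9uZJUZP6qkbMaONxAhy/lF2n4AixoRc4xNlwkHSSSqO1x5OKwTUd/Nx/xCuCjcvq42dHFj2ajkZXUKRC8NbyZDuw+2DmQZaKZMkm2N0JY7sRAwcW+vkJ2uybdCqs6YXHLbhlvvxkWoiZFrz5LlHFPtIgQG9PL8Tr5bvk2jztm5vE0V0r/V5r7ePoYo7c1vzBr/R+TMthy78MCwO/9pqVN0LIsgZ1SyUiDhDHfRIvAg2IuLOfvknA==."


def decode_otr(msg: str) -> bytes:
    """Strip the ?OTR: prefix and trailing '.', then base64-decode.
    Padding is re-derived because chat clients and mail archives often
    mangle trailing '=' characters."""
    if not msg.startswith("?OTR:") or not msg.endswith("."):
        raise ValueError("not an OTR encoded message")
    b64 = msg[len("?OTR:"):-1].rstrip("=")
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def parse_otr_message(msg: str) -> dict:
    """Parse the version/type header and, for the two AKE messages seen
    in the thread, the lengths of their DATA/MPI fields."""
    raw = decode_otr(msg)
    version, msg_type = struct.unpack(">HB", raw[:3])
    body = raw[3:]
    info = {
        "version": version,
        "type": msg_type,
        "type_name": OTR_MSG_TYPES.get(msg_type, "unknown"),
        "total_len": len(raw),
    }
    if msg_type == 0x02:
        # D-H Commit: DATA encrypted g^x, then DATA SHA-256(g^x).
        enc_len = struct.unpack(">I", body[:4])[0]
        off = 4 + enc_len
        hash_len = struct.unpack(">I", body[off:off + 4])[0]
        info["encrypted_gx_len"] = enc_len
        info["hashed_gx_len"] = hash_len
        info["trailing"] = len(body) - (off + 4 + hash_len)
    elif msg_type == 0x0A:
        # D-H Key: one MPI g^y (4-byte length, then big-endian magnitude).
        mpi_len = struct.unpack(">I", body[:4])[0]
        info["gy_len"] = mpi_len
        info["trailing"] = len(body) - (4 + mpi_len)
    return info


def classify_exchange(sent: str, reply: str) -> str:
    """Say whether the peer echoed the string or answered it with a
    different protocol message."""
    if sent == reply:
        return "echo: reply is byte-identical to what was sent"
    a, b = parse_otr_message(sent), parse_otr_message(reply)
    return f"{a['type_name']} answered by {b['type_name']} (OTR v{b['version']}), not an echo"


if __name__ == "__main__":
    for label, m in (("userB sent", USERB_SENT), ("userA replied", USERA_REPLY)):
        print(label, parse_otr_message(m))
    print(classify_exchange(USERB_SENT, USERA_REPLY))
```

Running it shows the sent string is a 239-byte OTR v2 D-H Commit (196-byte encrypted g^x plus a 32-byte hash) and the reply is a 199-byte D-H Key carrying a 192-byte MPI. That is the first two steps of the OTR authenticated key exchange: the peer's OTR plugin answers the commit automatically, which is why the exchange never appears in the IM window and why the reply is not the same string. Any well-formed D-H Commit, including one with modified ciphertext bytes, will draw a fresh D-H Key from a client with OTR enabled, which matches the "side info" in the original post.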

