Re: [ADVISORY] AOL Instant Messenger DoS

[Tony Lambiris <methodic () slartibartfast angrypacket com>]

AIM for the Macintosh is not vulnerable as well.

On 10.03.01, Matthew Sachs <matthewg () zevils com> wrote:
> (Note: I wasn't going to release this until the 8th in order to give
> AOL some time to release a fix/workaround, but since exploit scripts
> have already been posted to bugtraq...)
>
> Scope:
>       Anyone who can send instant messages to a user signed on to
>       the AOL Instant Messenger service can crash that user's AOL
>       Instant Messenger.  The default settings allow everyone to
>       send the user messages.  This bug does not appear to be
>       exploitable for running arbitrary code.
> Confirmed Vulnerable:
>       AOL Instant Messenger/Win32 4.7.2480
>       AOL Instant Messenger/Win32 4.3.2229
> Confirmed Not Vulnerable:
>       aimirc (all versions)
>       AIM Express
>       QuickBuddy
>       AOL Instant Messenger/Linux 1.5.234
> Unknown:
>       All other AOL Instant Messenger clients
>
> Reported to AOL on October 1st, 2001.  No reply received.
>
> It is possible for any remote user to crash the AOL Instant Messenger for 
> Windows, at least version 4.7.2480.  The target user's visibility
> settings  must allow the exploiter to send him or her IMs.  When a
> message with the  text "<!-- " (without the quotes) is repeated
> approximately 640 or more  times, AIM crashes with the following
> error.
>       AIM caused in invalid page fault in module ATK32.DLL at 
> 015f:12023f63.
>       Registers:
>       EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
>       EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
>       ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
>       EDX=00000000 KS=0167 KDI=0063ea8c GS=0000
>       Bytes at CS:EIP:
>       83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
>       Stack dump:
>       00000000 0043051c 00000409 218f0004 8a120000
>       17df0b04 00010000 00000000 00000000 00000002
>       00000000 00000302 0000000c 00000001 0000000c
>       00000000
>
> Note that it does not appear to be possible to send this message from
> AOL's Windows AOL Instant Messenger client, both because it imposes
> tighter length restrictions than the OSCAR protocol mandates and
> because it will translate < into &lt;
>
> If the "Show 'Accept Message' dialog for messages from users not in Buddy 
> List" preference is turned on and the exploiter is not in the target's 
> buddylist, that dialog will appear and then AIM will immediately crash. If 
> that preference is not turned on or if the exploiter is in the target's 
> buddylist, an IM dialog will be created (if one does not already exist), 
> and then AIM will immediately crash.
>
> This bug is already being exploited in the wild.  It initially came to my 
> attention through a post to the vuln-dev () securityfocus com mailing list as 
> well as, simultaneously, in traffic observed in the AIM sessions of users 
> of my network.
>
> Suggested workaround:
>       If possible, modify your privacy settings so that only users
>       on your buddylist can contact you.  However, this still makes
>       it possible for people on your buddylist to use this
>       bug against you.  Until AOL releases a fix, the only other
>       option is to switch to a non-vulnerable client.
>       Alternatively, one can simply live with the occasional crash
>       and simply restart AOL Instant Messenger.  Of course,
>       malicious persons could set up scripts to automatically send
>       a crash-inducing message to the user as soon as he or she
>       signed on to the AOL Instant Messenger service.
>
> -- 
> Matthew Sachs, the original nonstandard deviant
> matthewg () zevils com        http://www.zevils.com/
> GPG key: 0x600A0342   PGP key: 0x93EA1151



-- 
Tony Lambiris [methodic () slartibartfast angrypacket com]
   http://www.openbsd.org && http://www.openssh.com
       "Anyone who truly understands the power 
         of UNIX wouldn't use anything else."