Bugtraq mailing list archives

Re: Aol Instant Messenger DoS vulnerability


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Mon, 6 Mar 2000 12:23:32 -0800


This is a summary of all the responses in this thread.

Please note that the bug will also crash the AIM program launching the
attack unless you use one of the non-vulnerable versions or a non-AOL
client.

The bug does not seem to manifest itself in the chat room window. However,
if you insert a link that points to the character entity in its URL, it will
crash.

All entity characters in the range &#770-&#779 seem to produce some type
of error.

By all accounts AIM 3.5.1856 released on March 1 (the latest beta) for
Windows 95/98/NT fixes this problem.

Versions reported as affected:

Version         # of reports    Environment
2.0N            (1)
2.5.1366        (1)
2.5.1598        (2)
3.0.1470        (1)
3.5.1635        (1)
3.5.1670        (1)
3.5.1808        (2)
3.0N            (1)

Versions reported as not affected:

Version         # of reports    Environment
2.0.996         (1)
3.5.1713        (1)             (WinNT 4.0 SP6)
3.5.1775        (1)
3.5.1856        (3)

The fix provided by justcruzn () hotmail com only works for 3.5.1808.

Messages in reply to this thread:

"Derek J. Balling" <dredd () megacity org>:

Here's the results of some testing I did.

Version: 3.5.1775  .. immune
Version: 3.5.1856  .. immune
Version: 3.0N      .. susceptible

What specific 3.5 build did you try this on? It seems like it may be a bug
that is already corrected in the later betas....

"Lark Lizerman" <webmaster () doc2000 de>:

What is defined under "result in aim crashing completely or in part".
Does the process die? If yes, what sort of error?
Does the process become a zombie?

I have tried to reproduce the bug with no success.
The DLL file represented on your website is _exactly_ the same file as given
in version 3.5.1670. That is the latest available version.
That would mean that the versions above 3.5.1670 would not be affected.

"Jamal Hendershot" <science () bcity efingham k12 il us>:

Actually, &#771 and the semicolon (left out for those of you with HTML
e-mail readers) will never work.  The only strings that work are 2 + n * 2 ^
8.  You omitted the fact that the fix ONLY works for AIM 3.5.1808 clients so
all others should NOT attempt to use it.  You forgot to give proper credit
for this fix, which belongs to ad345.  AIM 3.5.1856 and higher versions are
unaffected by this bug.

Jim Stickley <jim () Garrison com>:

Actually this problem was already addressed in the beta version 3.5.  The
really nice thing though is that though you will no longer be crashed, AOL
still does not stop you from crashing others with older versions.

"Doug Jaquays" <jaquays () kalamazoo net>:

I apologize if someone has already said this, but the "fixed" .dll
simply crashes AIM 3.0.1415

rjmitchell () columbiaenergygroup com:

I have version 3.5.1713 installed on a NT Workstation 4.0 (sp6) machine, and
was unable to produce the results the author claimed.

"hi im cruz" <justcruzn () hotmail com>:

I received a lot of email about this exploit, most of them telling me
about versions vulnerable or not.
There were a lot of conflicting emails about that, so I decided to
install the versions of AIM I could get my hands on and test them.
So this is what I got:
versions vulnerable:
2.5.1366
3.5.1598
3.5.1635
3.5.1670
3.5.1808
not vulnerable:
3.5.1856  from march 1st

So I still think all until 3.5.1856 are affected.

Furthermore, I forgot to state that the fix on my homepage is for
3.5.1808 only; other versions will error with that dll.

Jamal Hendershot told me that I should give someone called ad345
proper credit for the fix; OK, if I knew where it is from I would
have already =).

He also told me that the strings that work are calculated as follows:
2 + n * 2 ^ 8, but that's not exactly it, because I found that e.g.
&#772; is working too.

abrinton () esurance com:

From my informal testing, version 2.0.996 is immune to this bug.

"Kuji" <kuji () bogus net> :

Tested with version 3 AIM, no 'victim' DOS could be obtained but the string
crashed the AIM window each and every time on the 'attacker' box.
Curiously once tested, simply pasting into the message box kills the app
before it even shows up in the window.

DLL fix not working under W2K, AIM complains that ate32.dll is an invalid
dll and asks for miscui.ocm.

Scott Knight <SKnight () NetCentric com>:

It looks like version 2.0N of AIM is unaffected.

Jeffrey Kern <ryan () athenet net>:

I verified all aspects of this vulnerability on two versions of AIM
(2.0 and 3.5); both were affected and both instances are correct:
full AIM crash and single IM window crash.

However, then I downloaded your revised ate32.dll and with both
versions AIM would not start and died with the error that it could
not find miscui.ocm, which was unmoved or changed in both cases. I
simply moved the old ate32.dll back into place and AIM was pleased.
I did not have time to debug your dll any further.

System Info:
Windows 95 4.00.950 B
AOL IM Version 2.0N
       Version 3.5.1598

Usman <akeju00 () ionaprep org>:

This also works on AIM 3.0, but I noticed that it doesn't work in the Chat
sessions when you just type that into the window. I assume the makers limited
how much HTML could actually be typed in...

HOWEVER,

If you *insert a link* that points to ">&#770; or ">&#771; , the Chat Room will
still crash AIM!
To reproduce:

1. Join or create a chat room.
2. Click the "link" button.
3. For the URL, put ">&#770; (crashes client) or ">&#771; (generally screws up
window.. looks like it inserts a fux0red screen shot). Put anything for the
text.
4. Click OK when the "Error" message comes up.
5. Send the text.

...and BOOM. This is VERY serious and can be used for *massive* DoS's. This was
tested on AIM 3.0.1470, and AOL has been notified.

"IU Uprising" <iuprising () hotmail com>:

AOL has had an official patch for at least 2 days when I got this message.
The patch can be downloaded from http://www.aol.com/aim/download.html

"Settle, Sean" <SeanSettle () alliantfs com>:

Actually if you (the attacker) close your AIM window after sending &#771 you
will recover from the error.  I tested this a few days back when my brother
was able to mysteriously crash AIM.  Only &#770-&#779 produce any type of
crash, all other &#### combinations produce actual extended characters.

This only affects the 3.x versions (up to the 3.5.1808 at least); certain
types of users have downgraded so they can crash remote users without
crashing themselves.  They have a new beta released March 01 (3.5.1856) but
all they mention are new features, not bug fixes.  I have not had the
opportunity to test the newer version at this time.

"ryan dale" <dale () exo com>:

There is already an unofficial fix available, which can be downloaded at my
homepage: http://laugh.at/cruz
The fix is an edited ate32.dll, which should be copied to the aim directory.
With it, aim doesn't try to convert "&#XXX;"-type of strings anymore, a
minimum drawback (note: with that fix, the attacker can use this exploit to
crash other unfixed AIMs, but won't crash his/her own AIM).

Affected versions: I tested this only on 3.5+ versions of AIM, but all other
versions are most likely affected too.

I believe on 3/1/00 AIM ver 3.5.1856 was released.  This bug does not
appear in this version.

"Justin Lintz" <jlintz () optonline net>:

I tested this under windows2000 and nothing happened, maybe because I have
the latest aim beta.  Anyone else get it to work under windows 2000?


--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/

