Bugtraq mailing list archives

Cross Platform remote IM vulnerability / DOS


From: Danslo () yahoo com
Date: 17 Aug 2007 19:04:27 -0000

Forewarning: this has not been thoroughly tested, but it has been tested with Pidgin on several versions of Windows and on 
Mac OS X running the Adium client. The Mac Adium client doesn't freeze up but is still vulnerable to the string and repeats 
it back without the user seeing it occur. I've been very busy the last few years and don't have time to follow up on or test 
this further; glad the list still exists, apologies for the incompleteness. Use at your own risk, and please don't use it 
to pester others!


There is a string of characters which, when entered into an AIM conversation window with another user, causes that 
user's client to send a string of the same form back to you; at the least this could be used to eat up bandwidth. The 
interesting thing about it is that when you send the instant message containing the string, the other party sees neither 
it nor their reply back to you containing the same kind of string: it is totally invisible on the screen. You could launch an 
attack on someone and it doesn't even open a popup IM box; it's transparent.

------------example--------------------

userB: ok im going to send you the string, tell me if you receive anything in the im window.
userB: userA: 
?OTR:AAICAAAAxLWYQllUFJTneF0uBhdCjKyvAbB/q2HvyEG8nBmUlztLw0xe4DD50osCo4sTkCaH082Ii3ZZzMvMZJ4QERXLBKdEGH3p5x6TAuAyoyNP6jfpfVideQCeSZgOfBwY82iFeGLDyof7HN+H8ADWOb/KmwjnKQ3PWNWVtrWe+njsuDkdCRZaRUvwggsz1VLsG41gz5CxYrxpwNPEbfelQMoy6rFASf1lKNFvhHkMzvhQnRb2gAP2cXSizEfPJVTEEuwBhK5BqaUAAAAgl5zLWoOI7lQKjTXF3AhbRJguHc/VVEjXuyX950Zdf9I=.
userA: 
?OTR:AAIKAAAAwIJFBPsSOhCvqu9uZJUZP6qkbMaONxAhy/lF2n4AixoRc4xNlwkHSSSqO1x5OKwTUd/Nx/xCuCjcvq42dHFj2ajkZXUKRC8NbyZDuw+2DmQZaKZMkm2N0JY7sRAwcW+vkJ2uybdCqs6YXHLbhlvvxkWoiZFrz5LlHFPtIgQG9PL8Tr5bvk2jztm5vE0V0r/V5r7ePoYo7c1vzBr/R+TMthy78MCwO/9pqVN0LIsgZ1SyUiDhDHfRIvAg2IuLOfvknA==.
userB: see anything after I said window?
userA: no
userA: nothing
-----------------------------------------
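The two strings in the transcript above are not arbitrary junk: `?OTR:` is the prefix of an Off-the-Record Messaging (OTR) encoded message, and the base64 that follows starts with a protocol version and a message type. The decoder below is an added example, not part of the original post; the only things taken from the post are the two strings themselves, and the field layout follows the published OTR v2/v3 protocol specification. Run on the transcript, it shows that the string userB sent is an OTR version 2 D-H Commit and the string userA's client sent back is a D-H Key, the first two messages of OTR's authenticated key exchange. An OTR-capable client (pidgin-otr, or Adium's built-in OTR support) consumes such messages and answers them without showing them in the conversation window, which matches the invisible reply the post describes.

```python
"""Decode OTR (Off-the-Record Messaging) encoded messages of the form
"?OTR:<base64>." and name the handshake step each one represents.

Added example; not part of the original Bugtraq post. SENT and REPLY are
the two strings quoted in the post's transcript, copied verbatim.
"""
import base64
import struct

# Encoded-message types from the OTR v2/v3 protocol specification.
MESSAGE_TYPES = {
    0x02: "D-H Commit",
    0x0A: "D-H Key",
    0x11: "Reveal Signature",
    0x12: "Signature",
    0x03: "Data",
}

# String userB sent (from the post).
SENT = ("?OTR:AAICAAAAxLWYQllUFJTneF0uBhdCjKyvAbB/q2HvyEG8nBmUlztLw0xe4DD50osCo4sTkCaH082Ii3ZZzMvMZJ4QERXLBKdEGH3p5x6TAuAyoyNP6jfpfVideQCeSZgOfBwY82iFeGLDyof7HN+H8ADWOb/KmwjnKQ3PWNWVtrWe+njsuDkdCRZaRUvwggsz1VLsG41gz5CxYrxpwNPEbfelQMoy6rFASf1lKNFvhHkMzvhQnRb2gAP2cXSizEfPJVTEEuwBhK5BqaUAAAAgl5zLWoOI7lQKjTXF3AhbRJguHc/VVEjXuyX950Zdf9I=.")

# String userA's client sent back (from the post).
REPLY = ("?OTR:AAIKAAAAwIJFBPsSOhCvqu9uZJUZP6qkbMaONxAhy/lF2n4AixoRc4xNlwkHSSSqO1x5OKwTUd/Nx/xCuCjcvq42dHFj2ajkZXUKRC8NbyZDuw+2DmQZaKZMkm2N0JY7sRAwcW+vkJ2uybdCqs6YXHLbhlvvxkWoiZFrz5LlHFPtIgQG9PL8Tr5bvk2jztm5vE0V0r/V5r7ePoYo7c1vzBr/R+TMthy78MCwO/9pqVN0LIsgZ1SyUiDhDHfRIvAg2IuLOfvknA==.")


def _read_lengthed(buf, offset):
    """Read an OTR DATA or MPI field: 4-byte big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field at offset %d" % offset)
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("field of %d bytes runs past end of message" % length)
    return buf[start:end], end


def parse_otr_message(text):
    """Parse one "?OTR:...." encoded message into a dict describing it."""
    text = text.strip()
    if not text.startswith("?OTR:") or not text.endswith("."):
        raise ValueError("not an OTR encoded message")
    raw = base64.b64decode(text[len("?OTR:"):-1], validate=True)
    if len(raw) < 3:
        raise ValueError("message too short for a header")
    version = struct.unpack(">H", raw[0:2])[0]
    msg_type = raw[2]
    info = {
        "version": version,
        "type": msg_type,
        "type_name": MESSAGE_TYPES.get(msg_type, "unknown (0x%02x)" % msg_type),
        "decoded_length": len(raw),
    }
    offset = 3
    if version == 3:
        # OTR v3 adds sender and receiver instance tags after the type byte.
        info["sender_instance"], info["receiver_instance"] = struct.unpack(
            ">II", raw[3:11])
        offset = 11
    elif version != 2:
        raise ValueError("unsupported OTR version %d" % version)

    if msg_type == 0x02:
        # D-H Commit: DATA encrypted g^x, then DATA SHA-256 hash of g^x.
        enc_gx, offset = _read_lengthed(raw, offset)
        hashed_gx, offset = _read_lengthed(raw, offset)
        info["encrypted_gx_len"] = len(enc_gx)
        info["hashed_gx_len"] = len(hashed_gx)
    elif msg_type == 0x0A:
        # D-H Key: a single MPI g^y (1536-bit for OTR's DH group).
        gy, offset = _read_lengthed(raw, offset)
        info["gy_bits"] = len(gy) * 8
    else:
        # Other types are identified by header only; report what is left.
        info["unparsed_bytes"] = len(raw) - offset
        return info
    if offset != len(raw):
        raise ValueError("%d trailing bytes after parsed fields" % (len(raw) - offset))
    return info


def explain_exchange(messages):
    """Name the OTR handshake step of each message, in order."""
    return [parse_otr_message(m)["type_name"] for m in messages]


if __name__ == "__main__":
    for label, msg in (("userB sent", SENT), ("userA replied", REPLY)):
        print(label, parse_otr_message(msg))
    print(explain_exchange([SENT, REPLY]))
```

The decoded lengths line up exactly with the specification: the D-H Commit carries a 196-byte encrypted g^x (a 4-byte length plus 192 bytes of 1536-bit DH value) and a 32-byte SHA-256 hash, and the D-H Key carries a 192-byte g^y with nothing left over. That is strong evidence the "string" is simply the opening of an OTR session rather than a malformed message; whether a client should stall its UI while answering it is a separate question the post's testing raises.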

At the least, this causes the other machine to send out more packets than the average user may be aware of; with a 
little thinking and a few more resources this could be used as a distributed denial-of-service attack.

On the current version of Pidgin, when this was tested on several OSes, it often froze the target's IM window for the 
duration of the attack, and sometimes overall system performance suffered. While the attack was being performed the IM 
window was unusable.

Side info: if you add or replace characters in the string and send it, it will still work, but the new characters don't 
get repeated back the same way in the string.

Discovered by Dan Shinn <danslo () yahoo com>
Testing by Rick Russel <noneck.net>

