Vulnerability Development mailing list archives

Re: AIM Exploits


From: "VeNoMouS" <venom () phreaker net>
Date: Sun, 7 Oct 2001 17:34:50 +1300

because you're talking about sending a lot of font requests, which is basically
<!--
if you think about it, hell it could be XXXXXX for all it cares, it's a bof
(buffer overflow) on its input by the looks of things
----- Original Message -----
From: First Last <ihost () excite com>
To: VeNoMouS <venom () phreaker net>; <vuln-dev () securityfocus com>
Sent: Sunday, October 07, 2001 5:13 PM
Subject: Re: AIM Exploits


how is the font crash anything like the <!-- exploit, besides the fact that
it uses html? maybe you misunderstood, after you overload the font buffer
aim uses, sending a horizontal line will crash the client...

On Sun, 7 Oct 2001 16:12:11 +1300, VeNoMouS wrote:

  I don't think you're very clued on anything here my friend,

  > 1) Font Crash: windows aim stores recent font
  > names for instant messages, and i found that by
  > sending a lot of different fonts causes aim to pop up
  > with a font error, and after messing around i
  > discovered that lines "<HR>" crash the client (and in
  > some cases the OS) after the error has popped up,
  > making for a neat little crash if you send a few
  > hundred fonts with a horizontal line tacked on the end
  > =)

  this here sounds like the dos we have been talking about except it's just
<--
  it's a bof just like the line below


  > 2) File Crash: i'm not quite sure why this crashes the
  > client, but if you send a file with a very large filename,
  > the client crashes, and just closes on any nt based
  > OS
  well obviously they are copying the filename to an array which is only a
  certain size, it's a simple out of bounds overflow

  ----- Original Message -----
  From: Robbie Saunders <ihost () excite com>
  To: <vuln-dev () securityfocus com>
  Sent: Sunday, October 07, 2001 8:07 AM
  Subject: AIM Exploits


  > as a starter i'd like to correct some information about
  > the comment crash, the reason you can't paste it is
  > because it crashes the client, not because it's too
  > big... if it was too big you wouldn't be able to send it
  > an im. and it's been on aim filter and used by your
  > average aim user since early august
  >
  > the following exploits were found and implemented by
  > Robbie Saunders, although i believe the file crash
  > was used before me by `CodeDreamer`
  >
  > 3 other exploits:
  > 1) Font Crash: windows aim stores recent font
  > names for instant messages, and i found that by
  > sending a lot of different fonts causes aim to pop up
  > with a font error, and after messing around i
  > discovered that lines "<HR>" crash the client (and in
  > some cases the OS) after the error has popped up,
  > making for a neat little crash if you send a few
  > hundred fonts with a horizontal line tacked on the end
  > =)
  >
  > 2) File Crash: i'm not quite sure why this crashes the
  > client, but if you send a file with a very large filename,
  > the client crashes, and just closes on any nt based
  > OS
  >
  > 3) Icon Crash: aim doesn't check incoming buddy
  > icons to be under a certain height or width, so you
  > can send an edited .gif file that may be 1k but claims
  > to be very large (such as 10000x10000) and end up
  > freezing the aim client for a large period of time, and
  > on slow computers cause serious memory issues... i
  > have tested with larger values (like 65kx65k) but it
  > appears aim will pop up a memory buffer error
  > instead of crashing... and apparently sending corrupt
  > wav files will crash the client in the same manner
  >
  > If you're on windows you can use the software i
  > created to exploit these bugs (AIM Filter), it can be
  > found at http://www.ssnbc.com/wiz/ in software>aim
  >
  > aim filter is a local proxy that acts as both a server
  > and client, meaning you can implement the
  > crashes/features no matter what aim client you're on
  > (and it's easy to use too, just type commands like
  > aim.file.crash)

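The icon crash described in the thread comes down to a client trusting the width and height a GIF declares in its header and sizing its decode buffer from them. As an added example (not code from the thread, from AIM or from AIM Filter), here is a Python check that parses the GIF logical screen descriptor and rejects an icon whose declared pixel count exceeds a limit before any buffer is allocated; `MAX_ICON_PIXELS` and the constructed `make_gif` helper are assumptions, not values from the page.

```python
import struct

# Assumed policy limit for a buddy icon (not an AIM value): 256 x 256 pixels.
MAX_ICON_PIXELS = 256 * 256


def parse_gif_header(data: bytes) -> dict:
    """Parse the 6-byte signature and 7-byte logical screen descriptor."""
    if len(data) < 13:
        raise ValueError("truncated GIF header")
    sig, ver = data[:3], data[3:6]
    if sig != b"GIF" or ver not in (b"87a", b"89a"):
        raise ValueError("not a GIF87a/GIF89a file")
    # Little-endian: width, height, packed flags, background index, aspect.
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    return {
        "width": width,
        "height": height,
        "has_global_table": bool(packed & 0x80),
        "global_table_size": 2 << (packed & 0x07),
    }


def decode_buffer_bytes(hdr: dict, bytes_per_pixel: int = 1) -> int:
    """Memory a naive decoder would reserve from the declared dimensions alone."""
    return hdr["width"] * hdr["height"] * bytes_per_pixel


def check_icon(data: bytes, max_pixels: int = MAX_ICON_PIXELS) -> tuple:
    """Return (accepted, reason). Reject on declared size, not on file size:
    a 1 KB file can still declare a 10000x10000 (or 65535x65535) canvas."""
    hdr = parse_gif_header(data)
    pixels = hdr["width"] * hdr["height"]
    if pixels > max_pixels:
        return (False, "declared %dx%d exceeds %d pixels (would need %d bytes)"
                % (hdr["width"], hdr["height"], max_pixels,
                   decode_buffer_bytes(hdr)))
    return (True, "ok")


def make_gif(width: int, height: int) -> bytes:
    """Constructed minimal GIF89a (header + trailer only) claiming the given
    canvas size; a few bytes long regardless of what it declares."""
    return b"GIF89a" + struct.pack("<HHBBB", width, height, 0, 0, 0) + b"\x3b"


if __name__ == "__main__":
    for w, h in ((48, 48), (10000, 10000), (65535, 65535)):
        print(w, h, check_icon(make_gif(w, h)))
```

The check runs on the header alone, so it costs the same for a well-formed icon and for a tiny file that declares a huge canvas.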