AIM security vulnerability
Personally I use Trillian, but others who use the Windows AIM client might wanna read this. I received it on the bugtraq mailing list.
DESCRIPTION
AOL Instant Messenger (AIM) has a major security vulnerability in the
latest stable (4.7.2480) and beta (4.8.2616) Windows versions. This
vulnerability will allow remote penetration of the victim's system
without any indication as to who performed the attack. There is no
opportunity to refuse the request. This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.
This particular vulnerability results from an overflow in the code
that parses a game request. The actual overflow appears to be in the
parsing of TLV type 0x2711. This may be more generic and exploitable
through other means, but AOL has not released enough information about
their protocol for us to be able to determine that. Robbie Saunder's
email yesterday should be enough of a hint which direction to look in.
We contacted the AOL Instant Messenger group but never received a
response. Normally we would be inclined to provide a fix, but it is
illegal to reverse engineer the AIM executable (DMCA and AIM's license
agreement to thank), so we are unable to provide a patch which will
modify it. Instead, we recommend Robbie Saunder's AIM Filter
(http://www.ssnbc.com/wiz/) to protect yourselves.
IMPLICATIONS
AOL Instant Messenger (http://www.aim.com) has over 100 million users.
We think that deserves repeating: 100 million users. Almost all of
these users are Windows users and directly vulnerable to this.
The first implication is that AOL should feel the weight of
responsibility and employ better software development practices. The
developers of a product with so many users should be much more
cautious and avoid overbloating with a multitude of features they
didn't have time to properly test in the first place.
Overall, though, the implications of this vulnerability are huge and
leave the door wide open for a worm not unlike those that Microsoft
(*cough* corporate monopoly *cough*) Outlook, IIS, et al. have all had
(Melissa, ILOVEYOU, CodeRed, nimda, etc.). An exploit could easily be
amended to download itself off the web, determine the buddies of the
victim, and then attack them also. Given the general nature of social
networks and how they are structured, we predict that it wouldn't take
long for such an attack to propagate.
To top everything off, the particular overflow described supra is
relatively simple to exploit. The payload can be several thousand bytes
long, which leaves lots of room for creative shellcode. In addition,
the shellcode can have null bytes in it, as long as the shellcode is
located after the offset to EIP in the shellcode. That is, the offset
to EIP is 1723 bytes into TLV type 0x2711. So if the shellcode is
located after offset 1726, null bytes can be left in.
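An added example, not part of the original post or the advisory and not AOL's code: the two length checks a TLV parser needs so that an oversized TLV type 0x2711 is rejected instead of copied into a fixed buffer. The wire layout (2-byte big-endian type, 2-byte big-endian length, then the value), the 512-byte buffer size and all function names are assumptions made for illustration; the sample packet is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLV_GAME_REQUEST 0x2711  /* TLV type named in the advisory */
#define GAME_BUF_SIZE    512     /* hypothetical size of the receiver's fixed buffer */
enum tlv_result { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_OVERSIZED = -2 };

/* Read a big-endian 16-bit field (assumed wire byte order). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a TLV chain. Every declared length is checked against the bytes that
 * are really left, and the game TLV also against the destination capacity. */
int parse_tlv_chain(const uint8_t *buf, size_t len,
                    uint8_t *game_out, size_t game_cap, size_t *game_len)
{
    size_t off = 0;
    *game_len = 0;
    while (off < len) {
        if (len - off < 4)
            return TLV_TRUNCATED;        /* header does not fit */
        uint16_t type = be16(buf + off);
        uint16_t vlen = be16(buf + off + 2);
        off += 4;
        if (vlen > len - off)
            return TLV_TRUNCATED;        /* declared length runs past the packet */
        if (type == TLV_GAME_REQUEST) {
            if (vlen > game_cap)
                return TLV_OVERSIZED;    /* an unchecked copy would overflow here */
            memcpy(game_out, buf + off, vlen);
            *game_len = vlen;
        }
        off += vlen;                     /* other types are skipped, not copied */
    }
    return TLV_OK;
}

/* Build one constructed TLV with a filler value; returns its total size. */
size_t build_tlv(uint8_t *dst, uint16_t type, uint16_t vlen)
{
    dst[0] = (uint8_t)(type >> 8); dst[1] = (uint8_t)(type & 0xff);
    dst[2] = (uint8_t)(vlen >> 8); dst[3] = (uint8_t)(vlen & 0xff);
    memset(dst + 4, 'A', vlen);
    return (size_t)vlen + 4;
}

int main(void)
{
    uint8_t pkt[2004], out[GAME_BUF_SIZE];
    size_t n, len = build_tlv(pkt, TLV_GAME_REQUEST, 2000);
    printf("2000-byte game TLV -> %d\n", parse_tlv_chain(pkt, len, out, sizeof out, &n));
    return 0;
}
```

A network-side filter can apply the same walk and drop any message for which the result is not `TLV_OK`.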
Originally posted by Schatten
glad I use trillian as well.
Muz- trillian integrates all the IM clients (MSN, Yahoo, ICQ, AIM, & IRC) into one app and from my experience doesn't use as many resources.
For once in my life, I'm proud to say that I have the real deal, AOL 6.0, instead of AIM :-) But still, this is pretty bad news! Hopefully not many of the 100 million AIM users have upgraded to this latest version?
Why can't they just make the programs more stable than cram a bunch of extras you'll rarely use!? I wish I never bought windows XP - What a waste of time (3 hours to fix the "issues" installing it) and basically nothing gained over ME.




