SecurityTracker.com
Category:   Application (Generic)  >   AOL Instant Messenger
Vendors:   America Online, Inc.
AOL Instant Messenger (AIM) Can Be Crashed by Remote Users
SecurityTracker Alert ID:  1002506
SecurityTracker URL:  http://securitytracker.com/id/1002506
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 8 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): AOL Instant Messenger/Win32 4.7.2480; earlier versions
Description:   A denial of service vulnerability has been reported in AOL Instant Messenger (AIM). A remote user that can send instant messages to a target AIM user can cause the target user's AIM application to crash.

A remote user can send a message containing the text "<!-- " (without the quotes) approximately 640 or more times to cause the recipient's AIM to crash with the following error:

AIM caused in invalid page fault in module ATK32.DLL at 015f:12023f63.
Registers:
EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
EDX=00000000 KS=0167 KDI=0063ea8c GS=0000
Bytes at CS:EIP:
83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
Stack dump:
00000000 0043051c 00000409 218f0004 8a120000
17df0b04 00010000 00000000 00000000 00000002
00000000 00000302 0000000c 00000001 0000000c
00000000

In its default configuration, AIM apparently allows any instant messaging user to send messages to the user.

This vulnerability reportedly affects all of AOL's versions of AIM for Win32 and all versions of Netscape's AIM, with the exception of the AIM program included with Netscape 6.1.

This vulnerability also reportedly affects gAIM, but only when the user is connected to gAIM via the Oscar protocol.

It is reported that the following implementations are not vulnerable:

aimirc (all versions)
AIM Express
QuickBuddy
AOL Instant Messenger/Linux 1.5.234
Mac clients
AOL's Java client
Clients that connect via the TOC protocol (e.g., TiK, miniTiK, tnt, jaim, jam).

The vendor has reportedly been notified.

Impact:   A remote user with the ability to send instant messages to an AIM user can cause the recipient's AIM application to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.aol.com/aim/homenew.adp
Cause:   Boundary error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Exploit Code is Available) Re: AOL Instant Messenger (AIM) Can Be Crashed by Remote Users
A user has posted exploit code.



 Source Message Contents

Subject:  [ADVISORY] AOL Instant Messenger DoS




(Note: I wasn't going to release this until the 8th in order to give
AOL some time to release a fix/workaround, but since exploit scripts
have already been posted to bugtraq...)

Scope:
	Anyone who can send instant messages to a user signed on to
	the AOL Instant Messenger service can crash that user's AOL
	Instant Messenger.  The default settings allow everyone to
	send the user messages.  This bug does not appear to be
	exploitable for running arbitrary code.
Confirmed Vulnerable:
	AOL Instant Messenger/Win32 4.7.2480
	AOL Instant Messenger/Win32 4.3.2229
Confirmed Not Vulnerable:
	aimirc (all versions)
	AIM Express
	QuickBuddy
	AOL Instant Messenger/Linux 1.5.234
Unknown:
	All other AOL Instant Messenger clients

Reported to AOL on October 1st, 2001.  No reply received.

It is possible for any remote user to crash the AOL Instant Messenger for
Windows, at least version 4.7.2480.  The target user's visibility
settings must allow the exploiter to send him or her IMs.  When a
message with the text "<!-- " (without the quotes) is repeated
approximately 640 or more times, AIM crashes with the following
error.
	AIM caused in invalid page fault in module ATK32.DLL at 015f:12023f63.
	Registers:
	EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
	EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
	ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
	EDX=00000000 KS=0167 KDI=0063ea8c GS=0000
	Bytes at CS:EIP:
	83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
	Stack dump:
	00000000 0043051c 00000409 218f0004 8a120000
	17df0b04 00010000 00000000 00000000 00000002
	00000000 00000302 0000000c 00000001 0000000c
	00000000

Note that it does not appear to be possible to send this message from
AOL's Windows AOL Instant Messenger client, both because it imposes
tighter length restrictions than the OSCAR protocol mandates and
because it will translate < into &lt;

If the "Show 'Accept Message' dialog for messages from users not in Buddy 
List" preference is turned on and the exploiter is not in the target's 
buddylist, that dialog will appear and then AIM will immediately crash. If 
that preference is not turned on or if the exploiter is in the target's 
buddylist, an IM dialog will be created (if one does not already exist), 
and then AIM will immediately crash.

This bug is already being exploited in the wild.  It initially came to my 
attention through a post to the vuln-dev@securityfocus.com mailing list as 
well as, simultaneously, in traffic observed in the AIM sessions of users 
of my network.

Suggested workaround:
	If possible, modify your privacy settings so that only users
	on your buddylist can contact you.  However, this still makes
	it possible for people on your buddylist to use this
	bug against you.  Until AOL releases a fix, the only other
	option is to switch to a non-vulnerable client.
	Alternatively, one can simply live with the occasional crash
	and simply restart AOL Instant Messenger.  Of course,
	malicious persons could set up scripts to automatically send
	a crash-inducing message to the user as soon as he or she
	signed on to the AOL Instant Messenger service.

-- 
Matthew Sachs, the original nonstandard deviant
matthewg@zevils.com	http://www.zevils.com/
GPG key: 0x600A0342	PGP key: 0x93EA1151
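
Added example (not part of the original advisory or of any AOL code): a screening check that a gateway or third-party client could apply to inbound IM bodies before they reach an HTML renderer, based on the trigger described above. The threshold, verdict names and sample messages are assumptions constructed for illustration; the "<" to "&lt;" translation is the one the message says AOL's Windows client applies when sending.

```python
import re
from typing import Tuple

# Assumption: alert far below the ~640 repeats the advisory reports as crashing.
MAX_UNCLOSED_RUN = 16
TOKEN = re.compile(r"<!--|-->")


def comment_runs(body: str) -> Tuple[int, int]:
    """Return (longest, trailing) runs of "<!--" with no "-->" in between."""
    run = longest = 0
    for match in TOKEN.finditer(body):
        if match.group() == "<!--":
            run += 1
            longest = max(longest, run)
        else:
            run = 0  # a closer terminates the comment currently open
    return longest, run  # run > 0 here means the body ends inside a comment


def screen_message(body: str) -> Tuple[str, str]:
    """Return (verdict, body_to_deliver) for one inbound IM body."""
    longest, trailing = comment_runs(body)
    if longest > MAX_UNCLOSED_RUN:
        return "drop", ""  # matches the flood pattern; never hand to the client
    if trailing > 0:
        # Unterminated comment: deliver as literal text instead of markup.
        return "escape", body.replace("<", "&lt;")
    return "pass", body


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "plain": "<HTML><BODY>lunch at noon?</BODY></HTML>",
    "closed": "hi <!-- note --> there",
    "dangling": "hi <!-- oops",
    "flood": "<!-- " * 640,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, _ = screen_message(body)
        print(f"{name:9} runs={comment_runs(body)} verdict={verdict}")
```

Dropped messages should also be logged with the sender's screen name, since the message reports that the pattern was seen in live traffic.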
