Update on the AOL buffer overflow exploit

From: Richard M. Smith (smithsat_private)
Date: Mon Aug 23 1999 - 11:36:48 PDT


    Hello,
    
    I wanted to give an update on the buffer overflow error in
    the AOL Instant Messenger client software that Robert Graham
    reported to BugTraq last week.  Apparently AOL is using this
    buffer overflow error to determine if someone is running the
    AOL client software versus the Microsoft MSN
    Messenger client software.  MSN Messenger users are then
    refused service on the AOL system.
    
    The buffer error is used as follows.  During the AIM logon sequence, the
    AOL servers now send down a packet to a client machine
    with about 40 bytes of x86 code in it.  This code gets executed
    by the client because the packet also exercises the buffer overflow
    bug.  The downloaded code causes the client to send back a secret response
    to the AOL servers.  If the servers don't see this response, they
    then bounce the user under the assumption the client software
    must be MSN Messenger.
    
    It only took Microsoft a few days to see what was
    going on and they have updated the MSN Messenger client
    software to recognize the special packet and response in
    the same manner as the AOL client.  However, MSN isn't using
    a buffer overflow error to make this happen.
    
    Presumably with this buffer overflow error, AOL can download
    new x86 code in the future which generates different responses
    from the client.  In this way, they can constantly stay a few days ahead
    of Microsoft in this game of "spy-vs-spy".
    
    Geoff Chappell has done a detailed analysis of the AIM IM code
    and has located the actual bug.  His write-up on the bug can be found
    at these two URLs:
    
       http://www.ozemail.com.au/~geoffch/security/aim/
       http://www.ozemail.com.au/~geoffch/security/aim/preliminary.htm
    
    He also provides details on how the special AOL packet is executed
    by this buffer overflow error.
    
    On the AOL side of things, they continue to publicly deny anything
    is amiss here.  In press articles they either claim there is no buffer
    overflow error in the client software or that they are not doing
    anything to compromise the security of their AIM customers.
    
    I respectfully disagree.  Buffer overflow exploits are very
    difficult to get right and small slip-ups can cause computers
    to crash.  If AOL continues to play this game, they risk
    crashing customers' PCs on a large scale down the road
    as they change the code which is executed by the client.
    
    It also makes me personally very queasy to know that
    there is network software on my computer that allows outsiders
    to silently download and run code.  Buffer overflow errors should
    be fixed, not used!
    
    (As an aside, does anyone know of a previous case in
    which a computer vendor ever used a buffer overflow before?
    AOL's actions here might be a first.)
    
    On the Microsoft side of things there is a bit of news also.
    This AOL buffer overflow story began two weeks
    ago when I received a message from a person claiming
    to be "Phil Bucking" from "Bucking Consulting".  The
    message was sent via Yahoo Email and detailed what
    AOL was up to.  "Phil" claimed he found out what is
    going on because he is also writing an IM client.  What "Phil" didn't
    realize is that Yahoo puts the originating IP address
    in the message headers.  The IP address in his message
    traced back to an HTTP proxy server at Microsoft.  This
    implied that the message came from inside of Microsoft.
    According to an article in InfoWorld on Friday,
    Microsoft has acknowledged that "Phil" is actually a Microsoft
    employee.  Moral of the story: Don't use Web-based Email
    systems like Yahoo and Hotmail for anonymous Email!
    
    I am continuing to look at this issue myself.  My AOL screen name
    is "buffover" if anyone wants to add me to their
    buddy list. :-)
    
    I also very much would like to talk to a technical person at
    AOL about the exploit to hear their side of the story.
    
    Richard M. Smith
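The pattern the message describes, a server-supplied packet whose contents drive a copy into a fixed-size client buffer, is shown below as an added illustration in C. This is not code from the post, from Geoff Chappell's analysis, or from the AIM client, and the packet layout (a one-byte length followed by payload) and the 16-byte field size are constructed for the example. It puts the unchecked copy that makes such a bug possible next to the hardened form that bounds the copy by the destination size and rejects oversized fields so the receiver can log and drop them rather than execute whatever arrived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message format (not AIM's): one length byte, then that many
 * payload bytes.  The receiver stores the field in a fixed-size buffer. */
#define FIELD_MAX 16

struct field {
    char text[FIELD_MAX + 1];      /* FIELD_MAX bytes plus NUL terminator */
};

/* Vulnerable pattern: the copy length comes from the packet and is checked
 * only against the packet length, never against the destination buffer, so a
 * sender that controls the length byte can write past f->text.  Shown for
 * contrast only; nothing below calls it with an oversized field. */
static int parse_field_unchecked(const uint8_t *pkt, size_t pkt_len, struct field *f)
{
    if (pkt_len < 1)
        return -1;                 /* no length byte at all */
    size_t n = pkt[0];
    if (n > pkt_len - 1)
        return -1;                 /* truncated packet */
    memcpy(f->text, pkt + 1, n);   /* BUG: n may exceed FIELD_MAX */
    f->text[n] = '\0';
    return (int)n;
}

/* Hardened pattern: the destination size is the bound.  An oversized field is
 * rejected before a single byte is copied; the distinct return code lets the
 * caller count and log these packets as a protocol violation. */
static int parse_field_checked(const uint8_t *pkt, size_t pkt_len, struct field *f)
{
    if (pkt_len < 1)
        return -1;                 /* no length byte at all */
    size_t n = pkt[0];
    if (n > pkt_len - 1)
        return -1;                 /* truncated packet */
    if (n > FIELD_MAX)
        return -2;                 /* field too long for the buffer: drop it */
    memcpy(f->text, pkt + 1, n);
    f->text[n] = '\0';
    return (int)n;
}

/* Build a constructed packet: length byte followed by payload.
 * Returns the total packet length, or 0 if it does not fit. */
static size_t make_packet(uint8_t *buf, size_t buf_len, const uint8_t *payload, size_t n)
{
    if (n > 255 || n + 1 > buf_len)
        return 0;
    buf[0] = (uint8_t)n;
    memcpy(buf + 1, payload, n);
    return n + 1;
}

/* Run a payload of n 'A' bytes through the hardened parser and return its code. */
static int checked_result_for_payload_len(size_t n)
{
    uint8_t payload[64];
    uint8_t pkt[65];
    struct field f;
    memset(payload, 'A', sizeof payload);
    size_t len = make_packet(pkt, sizeof pkt, payload, n);
    return parse_field_checked(pkt, len, &f);
}

int main(void)
{
    struct field f;
    uint8_t small[6] = { 5, 'h', 'e', 'l', 'l', 'o' };   /* constructed, in bounds */

    /* Both parsers agree while the field fits the buffer. */
    printf("unchecked, 5 bytes: %d (%s)\n", parse_field_unchecked(small, sizeof small, &f), f.text);
    printf("checked,   5 bytes: %d (%s)\n", parse_field_checked(small, sizeof small, &f), f.text);

    /* A 40-byte field, the size the post mentions, is refused by the hardened parser. */
    printf("checked,  10 bytes: %d\n", checked_result_for_payload_len(10));  /* 10 */
    printf("checked,  40 bytes: %d\n", checked_result_for_payload_len(40));  /* -2 */
    return 0;
}
```

The only difference between the two parsers is the single comparison against FIELD_MAX; the length check against the packet, which both already perform, protects the sender's framing but says nothing about the receiver's buffer, and that is the gap a length-controlled copy walks through.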
    