This is a summary of all the responses in this thread. Please note that the bug will also crash the AIM program launching the attack unless you use one of the non-vulnerable versions or a non-AOL client. The bug does not seem to manifest itself in the chat room window. However, if you insert a link that points to the character entity in its URL, it will crash. All entity characters in the range &#770;-&#779; seem to produce some type of error. By all accounts AIM 3.5.1856, released on March 1 (the latest beta) for Windows 95/98/NT, fixes this problem.

Versions reported as affected:

Version    # of reports   Environment
2.0N       (1)
2.5.1366   (1)
2.5.1598   (2)
3.0.1470   (1)
3.5.1635   (1)
3.5.1670   (1)
3.5.1808   (2)
3.0N       (1)

Versions reported as not affected:

Version    # of reports   Environment
2.0.996    (1)
3.5.1713   (1)            (WinNT 4.0 SP6)
3.5.1775   (1)
3.5.1856   (3)

The fix provided by justcruznat_private only works for 3.5.1808.

Messages in reply to this thread:

"Derek J. Balling" <dreddat_private>:
Here's the results of some testing I did.
Version: 3.5.1775 .. immune
Version: 3.5.1856 .. immune
Version: 3.0N .. susceptible
What specific 3.5 build did you try this on? It seems like it may be a bug that is already corrected in the later betas....

"Lark Lizerman" <webmasterat_private>:
What is defined under "result in aim crashing completely or in part"? Does the process die? If yes, what sort of error? Does the process become a zombie? I have tried to reproduce the bug with no success. The DLL file represented on your website is _exactly_ the same file as given in version 3.5.1670. That is the latest available version. That would mean that the versions above 3.5.1670 would not be affected.

"Jamal Hendershot" <scienceat_private>:
Actually, &#771 and the semicolon (left out for those of you with HTML e-mail readers) will never work. The only strings that work are 2 + n * 2 ^ 8. You omitted the fact that the fix ONLY works for AIM 3.5.1808 clients, so all others should NOT attempt to use it. You forgot to give proper credit for this fix, which belongs to ad345. AIM 3.5.1856 and higher versions are unaffected by this bug.

Jim Stickley <jimat_private>:
Actually this problem was already addressed in the beta version 3.5. The really nice thing though is that though you will no longer be crashed, AOL still does not stop you from crashing others with older versions.

"Doug Jaquays" <jaquaysat_private>:
I apologize if someone has already said this, but the "fixed" .dll simply crashes AIM 3.0.1415.

rjmitchellat_private:
I have version 3.5.1713 installed on an NT Workstation 4.0 (SP6) machine, and was unable to produce the results the author claimed.

"hi im cruz" <justcruznat_private>:
I received a lot of email about this exploit, most of them telling me about versions vulnerable or not. There were a lot of contradictory emails about that, so I decided to install the versions of AIM I could get my hands on and test them. So this is what I got:

versions vulnerable:
2.5.1366
3.5.1598
3.5.1635
3.5.1670
3.5.1808

not vulnerable:
3.5.1856 from March 1st

So I still think all until 3.5.1856 are affected. Furthermore, I forgot to state that the fix on my homepage is for 3.5.1808 only; other versions will error with that dll. Jamal Hendershot told me that I should give someone called ad345 proper credit for the fix; ok, if I knew where it is from I would have already =). He also told me that the strings that work are calculated as follows: 2 + n * 2 ^ 8, but that's not exactly it, cause I found that e.g. &#772; is working too.

abrintonat_private:
From my informal testing, version 2.0.996 is immune to this bug.

"Kuji" <kujiat_private>:
Tested with version 3 AIM, no 'victim' DoS could be obtained but the string crashed the AIM window each and every time on the 'attacker' box. Curiously, once tested, simply pasting into the message box kills the app before it even shows up in the window. DLL fix not working under W2K; AIM complains that ate32.dll is an invalid dll and asks for miscui.ocm.

Scott Knight <SKnightat_private>:
It looks like version 2.0N of AIM is unaffected.

Jeffrey Kern <ryanat_private>:
I verified all aspects of this vulnerability on two versions of AIM (2.0 and 3.5); both were affected and both instances are correct: full AIM crash and single IM window crash. However, I then downloaded your revised ate32.dll, and with both versions AIM would not start and died with the error that it could not find miscui.ocm, which was unmoved or changed in both cases. I simply moved the old ate32.dll back into place and AIM was pleased. I did not have time to debug your dll any further.
System Info:
Windows 95 4.00.950 B
AOL IM Version 2.0N
Version 3.5.1598

Usman <akeju00at_private>:
This also works on AIM 3.0, but I noticed that it doesn't work in the chat sessions when you just type that into the window. I assume the makers limited how much HTML could actually be typed in... HOWEVER, if you *insert a link* that points to ">&#770; or ">&#771;, the chat room will still crash AIM!
To reproduce:
1. Join or create a chat room.
2. Click the "link" button.
3. For the URL, put ">&#770; (crashes client) or ">&#771; (generally screws up window.. looks like it inserts a fux0red screen shot). Put anything for the text.
4. Click OK when the "Error" message comes up.
5. Send the text.
...and BOOM. This is VERY serious and can be used for *massive* DoS's. This was tested on AIM 3.0.1470, and AOL has been notified.

"IU Uprising" <iuprisingat_private>:
AOL has had an official patch for at least 2 days when I got this message. The patch can be downloaded from http://www.aol.com/aim/download.html

"Settle, Sean" <SeanSettleat_private>:
Actually if you (the attacker) close your AIM window after sending &#771; you will recover from the error. I tested this a few days back when my brother was able to mysteriously crash AIM. Only &#770;-&#779; produce any type of crash; all other &#### combinations produce actual extended characters. This only affects the 3.x versions (up to 3.5.1808 at least); certain types of users have downgraded so they can crash remote users without crashing themselves. They have a new beta released March 01 (3.5.1856) but all they mention are new features, not bug fixes. I have not had the opportunity to test the newer version at this time.

"ryan dale" <daleat_private>:
There is already an unofficial fix available, which can be downloaded at my homepage: http://laugh.at/cruz
The fix is an edited ate32.dll, which should be copied to the aim directory. With it, aim doesn't try to convert "&#XXX;"-type strings anymore, a minimum drawback (note: with that fix, the attacker can use this exploit to crash other unfixed AIMs, but won't crash his/her own AIM). Affected versions: I tested this only on 3.5+ versions of AIM, but all other versions are most likely affected too. I believe on 3/1/00 AIM ver 3.5.1856 was released. This bug does not appear in this version.

"Justin Lintz" <jlintzat_private>:
I tested this under Windows 2000 and nothing happened, maybe because I have the latest aim beta. Anyone else get it to work under Windows 2000?

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
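As an added, defender-side illustration (not code from the thread, from AOL, or from any of the posters above): the thread narrows the trigger to decimal numeric character references &#770; through &#779;, and records a proposed formula for the affected codes, 2 + n * 2^8 (so 770 = 2 + 3 * 256), together with the counterexample that &#772; also crashes. The Python below is a message-gateway filter built on those reported facts: it finds decimal references in constructed sample messages, flags those in the reported range, rewrites them to a harmless placeholder, and shows what a correct decoder (Python's html.unescape) yields for the same input, which is an ordinary combining diacritic rather than a crash. The sample messages, the placeholder format and the decision to match references with or without the trailing semicolon are assumptions of this example; the formula check is included only to show where the reported rule and the reported range disagree.

```python
import html
import re
from typing import List, Tuple

# Range of decimal numeric character references the thread reports as
# crashing AIM: &#770; .. &#779; (U+0302 .. U+030B, combining diacritics).
CRASH_CODES = range(770, 780)

# Decimal reference, with the trailing ';' optional. Matching the
# semicolon-less form too is a conservative assumption of this example,
# since lenient HTML parsers accept it.
NCR_RE = re.compile(r"&#(\d{1,7});?")


def numeric_refs(text: str) -> List[Tuple[str, int]]:
    """Return every decimal numeric character reference as (raw, code)."""
    return [(m.group(0), int(m.group(1))) for m in NCR_RE.finditer(text)]


def matches_reported_formula(code: int) -> bool:
    """The rule posted in the thread: code == 2 + n * 2**8 for some n >= 0.

    770 = 2 + 3 * 256 fits, but 772 (reported as crashing too) does not,
    so the filter relies on the reported range, not on this rule.
    """
    return code >= 2 and (code - 2) % 256 == 0


def flag_message(text: str) -> List[Tuple[str, int]]:
    """References whose code point lies in the reported crash range."""
    return [(raw, code) for raw, code in numeric_refs(text) if code in CRASH_CODES]


def neutralize(text: str) -> str:
    """Rewrite flagged references to a visible placeholder so a downstream
    client never receives the raw '&#NNN;' form; other references are kept."""
    def repl(m: "re.Match[str]") -> str:
        code = int(m.group(1))
        if code in CRASH_CODES:
            return "[stripped U+%04X]" % code   # placeholder format is an assumption
        return m.group(0)
    return NCR_RE.sub(repl, text)


def safe_decode(text: str) -> str:
    """What a correct decoder does with the same input: html.unescape turns
    &#770; into the combining circumflex U+0302 instead of failing."""
    return html.unescape(text)


# Constructed sample traffic for demonstration (not taken from the thread).
SAMPLES = [
    "hey, how are you?",
    "look at this &#770; string",
    "caf&#233; is spelled with &#233;",
    "&#772 without the semicolon",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        hits = flag_message(msg)
        print(f"{msg!r}: flagged={hits} -> {neutralize(msg)!r}")
```

Run stand-alone it prints each constructed message, the references it flags, and the neutralized form; only the &#770; and &#772 messages are touched, while the &#233; (é) references pass through unchanged, which is the property a gateway filter needs so that ordinary accented text is not mangled along with the crash strings.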
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:53 PDT