AIM Remote File Transfer/Direct Connection Vulnerability

From: Sil (silat_private)
Date: Sat Apr 20 2002 - 17:18:57 PDT


    
     ('binary' encoding is not supported, stored as-is)
AIM Remote File Transfer/Direct Connection Vulnerability

I discovered this vulnerability while I was port scanning my brother (April 15th, 2002). He just happened to send me a file, and the port scan connected and received the file instead of me. The next day (April 16th, 2002) I made a program to exploit the vulnerability. This is how the vulnerability works:
    
When AIM gets a connection request or tries to connect to someone else, it acts as a server. The program I made rapidly tries to connect to the target IP (every 450 milliseconds) on port 4443 (Direct Connection) and 5190 (File Transfer). It then intercepts the connection and steals whatever data the target sends: they can receive text from their "friends", but they cannot send it, because all data they send gets sent to you. I don't know the Oscar protocol, but I'm sure that if you were to use it, you could send text back to the IM as the "friend" or maybe as a fake screen name. This could be used to trick the person into giving you passwords or personal information; even if the person just happened to send something like "passwords.txt" to their "friend", you now have those passwords.
    
The fix:
I think a fix would be simple: have AIM only connect to the IP of the person they are trying to connect to, which would be retrieved by the AIM server(s). I wouldn't doubt there being ways to exploit this also, but it's a start.
A temporary way to protect from the file transfer spy would be to change the port in the AIM preferences dialog for file transfer to something other than 5190; it would be pretty hard for someone to guess what port you changed it to.
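The attack pattern described above (a single host hammering the AIM listening ports every 450 ms) is easy to spot in perimeter or host firewall logs. The following is an added example written for this archive, not code from the original post or from RAFTS; the log format is assumed and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports AIM listens on for Direct Connection (4443) and File Transfer (5190).
AIM_LISTEN_PORTS = {4443, 5190}

# Assumed log format: "<ISO timestamp> ACCEPT|DROP src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample: one host retrying port 5190 every 450 ms (the RAFTS
# pattern), one ordinary single file-transfer connection, one unrelated port.
SAMPLE_LOG = """\
2002-04-16T20:01:00.000 DROP src=192.0.2.10 dst=198.51.100.5 dport=5190
2002-04-16T20:01:00.450 DROP src=192.0.2.10 dst=198.51.100.5 dport=5190
2002-04-16T20:01:00.900 DROP src=192.0.2.10 dst=198.51.100.5 dport=5190
2002-04-16T20:01:01.350 DROP src=192.0.2.10 dst=198.51.100.5 dport=5190
2002-04-16T20:01:01.800 DROP src=192.0.2.10 dst=198.51.100.5 dport=5190
2002-04-16T20:01:02.250 ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=5190
2002-04-16T20:03:10.000 ACCEPT src=192.0.2.20 dst=198.51.100.5 dport=5190
2002-04-16T20:03:11.000 ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=80
"""

def parse_log(text):
    """Parse log lines into (timestamp, action, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def find_polling_sources(events, min_attempts=5, max_interval_s=1.0):
    """Return {(src, dst, dport): run_length} for sources that hit an AIM port
    in a run of >= min_attempts consecutive tries spaced <= max_interval_s apart."""
    by_key = defaultdict(list)
    for ts, _action, src, dst, dport in events:
        if dport in AIM_LISTEN_PORTS:
            by_key[(src, dst, dport)].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        run, best = 1, 1  # longest run of closely spaced attempts
        for a, b in zip(stamps, stamps[1:]):
            run = run + 1 if (b - a).total_seconds() <= max_interval_s else 1
            best = max(best, run)
        if best >= min_attempts:
            flagged[key] = best
    return flagged
```

A legitimate file transfer produces one connection per transfer, so a sub-second retry run from one source is a strong signal; the ACCEPT at the end of the run is the moment the spy won the race.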
    
Data you could potentially "steal":
pictures, files, text, passwords, movies, personal information, etc...

Well, that concludes this article. If you have any questions or comments, please feel free to contact me.

(One last note: I am still fixing bugs and trying different things with the program, but when I am happy with it, I will post it on my site. It is called RAFTS, which stands for Remote AIM File Transfer Spy.)

-Joseph Musso a.k.a. Sil
www.silenttech.com
aim screen name: xlsillx
email: silat_private

This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 20:38:09 PDT