AIM for the Macintosh is not vulnerable either.

On 10.03.01, Matthew Sachs <matthewgat_private> wrote:
> (Note: I wasn't going to release this until the 8th in order to give
> AOL some time to release a fix/workaround, but since exploit scripts
> have already been posted to bugtraq...)
>
> Scope:
>     Anyone who can send instant messages to a user signed on to
>     the AOL Instant Messenger service can crash that user's AOL
>     Instant Messenger. The default settings allow everyone to
>     send the user messages. This bug does not appear to be
>     exploitable for running arbitrary code.
> Confirmed Vulnerable:
>     AOL Instant Messenger/Win32 4.7.2480
>     AOL Instant Messenger/Win32 4.3.2229
> Confirmed Not Vulnerable:
>     aimirc (all versions)
>     AIM Express
>     QuickBuddy
>     AOL Instant Messenger/Linux 1.5.234
> Unknown:
>     All other AOL Instant Messenger clients
>
> Reported to AOL on October 1st, 2001. No reply received.
>
> It is possible for any remote user to crash the AOL Instant Messenger for
> Windows, at least version 4.7.2480. The target user's visibility
> settings must allow the exploiter to send him or her IMs. When a
> message with the text "<!-- " (without the quotes) is repeated
> approximately 640 or more times, AIM crashes with the following
> error.
>     AIM caused an invalid page fault in module ATK32.DLL at
>     015f:12023f63.
>     Registers:
>     EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
>     EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
>     ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
>     EDX=00000000 ES=0167 EDI=0063ea8c GS=0000
>     Bytes at CS:EIP:
>     83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
>     Stack dump:
>     00000000 0043051c 00000409 218f0004 8a120000
>     17df0b04 00010000 00000000 00000000 00000002
>     00000000 00000302 0000000c 00000001 0000000c
>     00000000
>
> Note that it does not appear to be possible to send this message from
> AOL's Windows AOL Instant Messenger client, both because it imposes
> tighter length restrictions than the OSCAR protocol mandates and
> because it will translate < into &lt;
>
> If the "Show 'Accept Message' dialog for messages from users not in Buddy
> List" preference is turned on and the exploiter is not in the target's
> buddylist, that dialog will appear and then AIM will immediately crash. If
> that preference is not turned on or if the exploiter is in the target's
> buddylist, an IM dialog will be created (if one does not already exist),
> and then AIM will immediately crash.
>
> This bug is already being exploited in the wild. It initially came to my
> attention through a post to the vuln-devat_private mailing list as
> well as, simultaneously, in traffic observed in the AIM sessions of users
> of my network.
>
> Suggested workaround:
>     If possible, modify your privacy settings so that only users
>     on your buddylist can contact you. However, this still makes
>     it possible for people on your buddylist to use this
>     bug against you. Until AOL releases a fix, the only other
>     option is to switch to a non-vulnerable client.
>     Alternatively, one can simply live with the occasional crash
>     and simply restart AOL Instant Messenger. Of course,
>     malicious persons could set up scripts to automatically send
>     a crash-inducing message to the user as soon as he or she
>     signed on to the AOL Instant Messenger service.
>
> --
> Matthew Sachs, the original nonstandard deviant
> matthewgat_private http://www.zevils.com/
> GPG key: 0x600A0342 PGP key: 0x93EA1151

--
Tony Lambiris [methodicat_private]
http://www.openbsd.org && http://www.openssh.com
"Anyone who truly understands the power of UNIX wouldn't use anything else."
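
An inbound-message screen for the crash described in the quoted advisory, added here as an example and not code from either poster or from AOL. It assumes a hypothetical filtering point in front of the vulnerable client (for example a local proxy); the threshold, function names and sample messages are constructed for illustration.

```python
import html
import re

# Assumption: alert threshold chosen far below the ~640 repetitions the
# advisory reports; ordinary IMs rarely carry even one comment opener.
MAX_UNCLOSED_COMMENTS = 8

_TOKEN = re.compile(r"<!--|-->")


def longest_unclosed_run(body):
    """Longest run of '<!--' openers with no '-->' in between.

    HTML comments do not nest, so one '-->' ends every opener before it.
    """
    run = longest = 0
    for tok in _TOKEN.finditer(body):
        if tok.group() == "<!--":
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def screen_message(sender, body, buddies):
    """Return (verdict, body_to_deliver) for one inbound IM."""
    run = longest_unclosed_run(body)
    if run > MAX_UNCLOSED_COMMENTS:
        # Applies to buddies too: the advisory notes that a buddy-list-only
        # privacy setting does not stop people already on the list.
        return "drop", ""
    if sender not in buddies and run > 0:
        # Same translation the Windows client applies on send: '<' -> '&lt;'.
        return "escaped", html.escape(body, quote=False)
    return "pass", body


if __name__ == "__main__":
    buddies = {"buddy1"}
    samples = [  # constructed sample traffic
        ("buddy1", "lunch at noon? <!-- note to self -->"),
        ("stranger", "look: <!-- hi"),
        ("buddy1", "<!-- " * 640),
    ]
    for sender, body in samples:
        verdict, _ = screen_message(sender, body, buddies)
        print(sender, len(body), verdict)
```
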
This archive was generated by hypermail 2b30 : Wed Oct 03 2001 - 11:35:20 PDT