How much work have you done making sure it's not possible to execute arbitrary code? There are quite a few weird conditions that can cause different exceptions and AIM craziness... for example, play with these 3 variables for a while while using OllyDbg on the AIM process.

1. The number of <!-- 's
2. The length of a string after each <!--
3. The length of a string after the entire set of <!--'s

At certain boundary conditions you'll notice int3's getting called from ntdll, at another you'll notice the "Out of Memory" box pop up, at another you'll notice 0x04040404 taking EIP, at another you'll notice all sorts of other fun stuff.

-dave

Matthew Sachs wrote:

> (Note: I wasn't going to release this until the 8th in order to give
> AOL some time to release a fix/workaround, but since exploit scripts
> have already been posted to bugtraq...)
>
> Scope:
>     Anyone who can send instant messages to a user signed on to
>     the AOL Instant Messenger service can crash that user's AOL
>     Instant Messenger. The default settings allow everyone to
>     send the user messages. This bug does not appear to be
>     exploitable for running arbitrary code.
> Confirmed Vulnerable:
>     AOL Instant Messenger/Win32 4.7.2480
>     AOL Instant Messenger/Win32 4.3.2229
> Confirmed Not Vulnerable:
>     aimirc (all versions)
>     AIM Express
>     QuickBuddy
>     AOL Instant Messenger/Linux 1.5.234
> Unknown:
>     All other AOL Instant Messenger clients
>
> Reported to AOL on October 1st, 2001. No reply received.
>
> It is possible for any remote user to crash the AOL Instant Messenger for
> Windows, at least version 4.7.2480. The target user's visibility
> settings must allow the exploiter to send him or her IMs. When a
> message with the text "<!-- " (without the quotes) is repeated
> approximately 640 or more times, AIM crashes with the following
> error.
>
>     AIM caused an invalid page fault in module ATK32.DLL at
>     015f:12023f63.
>     Registers:
>     EAX=00000000 CS=015f EIP=12023f63 EFLGS=00010246
>     EBX=0063ea94 SS=0167 ESP=0063e9dc EBP=0063ea24
>     ECX=0043dab0 DS=0167 ESI=0043051c FS=0e87
>     EDX=00000000 KS=0167 KDI=0063ea8c GS=0000
>     Bytes at CS:EIP:
>     83 78 28 00 74 08 c7 07 ff 7f 00 00 eb 06 8b 40
>     Stack dump:
>     00000000 0043051c 00000409 218f0004 8a120000
>     17df0b04 00010000 00000000 00000000 00000002
>     00000000 00000302 0000000c 00000001 0000000c
>     00000000
>
> Note that it does not appear to be possible to send this message from
> AOL's Windows AOL Instant Messenger client, both because it imposes
> tighter length restrictions than the OSCAR protocol mandates and
> because it will translate < into &lt;
>
> If the "Show 'Accept Message' dialog for messages from users not in Buddy
> List" preference is turned on and the exploiter is not in the target's
> buddylist, that dialog will appear and then AIM will immediately crash. If
> that preference is not turned on or if the exploiter is in the target's
> buddylist, an IM dialog will be created (if one does not already exist),
> and then AIM will immediately crash.
>
> This bug is already being exploited in the wild. It initially came to my
> attention through a post to the vuln-devat_private mailing list as
> well as, simultaneously, in traffic observed in the AIM sessions of users
> of my network.
>
> Suggested workaround:
>     If possible, modify your privacy settings so that only users
>     on your buddylist can contact you. However, this still makes
>     it possible for people on your buddylist to use this
>     bug against you. Until AOL releases a fix, the only other
>     option is to switch to a non-vulnerable client.
>     Alternatively, one can simply live with the occasional crash
>     and simply restart AOL Instant Messenger. Of course,
>     malicious persons could set up scripts to automatically send
>     a crash-inducing message to the user as soon as he or she
>     signed on to the AOL Instant Messenger service.
>
> --
> Matthew Sachs, the original nonstandard deviant
> matthewgat_private http://www.zevils.com/
> GPG key: 0x600A0342 PGP key: 0x93EA1151
This archive was generated by hypermail 2b30 : Wed Oct 03 2001 - 12:11:54 PDT